Winfixer 2005, HijackThis log
#0
13.09.2005, 12:44
...new here
Posts: 2
13.09.2005, 14:51
Honorary member
Posts: 29434
#2
Hello @yvesalthaus
Please work through both passes and post the 2 logs here in the forum: http://virus-protect.org/L2mfix.html
__________
Regards, Sabina
All about PC security
13.09.2005, 14:56
Honorary member
Posts: 29434
#3
1. Open Notepad (editor): Start/Run, enter the command notepad and confirm; a Notepad editor then appears. Or via Start/Programs/Accessories/Editor.
2. Copy this code into it:

    echo ** This batch was originally written by OSC **
    cd C:\WINDOWS\java\trustlib\
    if exist C:\contents.txt del C:\contents.txt
    echo ************************************>> C:\contents.txt
    echo **These are the hidden files found**>> C:\contents.txt
    echo ************************************>> C:\contents.txt
    dir /a:h >> c:\contents.txt
    echo ************************************>> C:\contents.txt
    echo **These are the system files found**>> C:\contents.txt
    echo ************************************>> C:\contents.txt
    dir /a:s >> C:\contents.txt
    attrib /d /s -s -r -h -a
    start notepad c:\contents.txt
    exit

3. Save the file as find.bat on the desktop.
4. Double-click this file findtheother.bat (copy the output and post it).
-----------------------------------------------------------------------
1. Open Notepad (editor): Start/Run, enter the command notepad and confirm; a Notepad editor then appears. Or via Start/Programs/Accessories/Editor.
2. Copy this code into it:

    echo ** This batch was originally written by OSC **
    cd C:\WINDOWS\java\
    if exist C:\contents.txt del C:\contents.txt
    echo ************************************>> C:\contents.txt
    echo **These are the hidden files found**>> C:\contents.txt
    echo ************************************>> C:\contents.txt
    dir /a:h >> c:\contents.txt
    echo ************************************>> C:\contents.txt
    echo **These are the system files found**>> C:\contents.txt
    echo ************************************>> C:\contents.txt
    dir /a:s >> C:\contents.txt
    attrib /d /s -s -r -h -a
    start notepad c:\contents.txt
    exit

3. Save the file as findtheother.bat on the desktop.
4. Double-click this file findtheother.bat (copy the output and post it).
______________________________________________________________________________________
__________
Regards, Sabina
All about PC security
13.09.2005, 15:48
...new here
Thread starter, Posts: 2
#4
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binacc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\SERVIC~1\\binacc.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binw]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\java\\trustlib\\binw.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Jeder
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften für Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite für Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitätsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung für Datenträgerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen für Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen für die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung für Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmenü für die Verschlüsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung für HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen für Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknüpfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmenü"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausführen..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begrüßungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzügen über das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknüpfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{A5110426-177D-4e08-AB3F-785F10B4439C}"="Eigene Telefone"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

 Volume in Laufwerk C: hat keine Bezeichnung.
 Volumeseriennummer: 130C-10DF

 Verzeichnis von C:\WINDOWS\System32

26.08.2005  06:55            26'112 awvvs.dll
12.08.2004  17:39                32 {082EA48B-20C0-40E0-8D91-54CA1A3F683F}.dat
12.08.2004  17:39                32 {B2DCD59F-2652-4E2F-AD32-37E286AE7CF0}.dat
12.08.2004  17:38                32 {A2E7FC8F-3F64-429F-97FA-42BB52E99196}.dat
12.08.2004  17:36                32 {D3817918-299A-494D-9DC9-1B5DBBB33DDB}.dat
12.08.2004  17:36                32 {CCF85063-319B-4F8C-8A30-BC37E5816A81}.dat
12.08.2004  17:36                32 {3780A806-87C8-4BE3-9C84-C3AB8B1CC00C}.dat
12.08.2004  17:35                32 {5C1971DE-E120-4C45-AD5A-600F2F201DBE}.dat
11.01.2003  00:53    <DIR>          Microsoft
11.01.2003  00:31    <DIR>          dllcache
               8 Datei(en)         26'336 Bytes
               2 Verzeichnis(se)  5'017'894'912 Bytes frei

und C:\
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1988 'explorer.exe'
Killing PID 1988 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 316 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed

Zipping up files for submission:
  adding: mfc70.dll (deflated 51%)
  adding: mfc70u.dll (deflated 51%)
  adding: clear.reg (deflated 2%)
  adding: desktop.ini (stored 0%)
  adding: contents.txt (deflated 67%)
  adding: lo2.txt (deflated 54%)
  adding: test2.txt (stored 0%)
  adding: test3.txt (stored 0%)
  adding: test5.txt (stored 0%)
  adding: test.txt (stored 0%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Jeder
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binacc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\SERVIC~1\\binacc.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binw]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\java\\trustlib\\binw.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************

And here is the second one, the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:51:02, on 13.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Prime95\prime95.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Yves Althaus\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tele2.ch/startpage/adsl/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\binacc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programme\eMule0_44b\emule.exe -AutoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Programme\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Image Zone Schnellstart.lnk = C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: Contains -
O16 - DPF: DownloadInformation -
O16 - DPF: InstalledVersion -
O16 - DPF: {14b87622-7e19-4ea8-93b3-97215f77a6bc} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/099a225952c28f9df515/netzip/RdxIE601_de.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O20 - Winlogon Notify: binw - C:\WINDOWS\java\trustlib\binw.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Programme\Prime95\prime95.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe

This post was edited on 13.09.2005 at 15:52 by yvesalthaus.
13.09.2005, 15:58
Honorary member
Posts: 29434
#5
Quote: Sabina posted
__________
Kind regards, Sabina
All about PC security
13.09.2005, 16:10
Honorary member
Posts: 29434
#6
C:\WINDOWS\SERVIC~1\binacc.dll ???
Start --> Run --> regedit
Please write out the full path for me: C:\\WINDOWS\SERVIC~1\binacc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binacc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\SERVIC~1\\binacc.dll"
--------------------------------------------------------------------------------------
Look for VundoFix.exe (roughly in the middle of the page) and download it:
http://www.geekstogo.com/forum/index.php?showtopic=61817
Quote: Please download VundoFix.exe to your desktop.
Download it and unpack it on the desktop
* boot into safe mode (press F8 while the PC is starting up)
* double-click VundoFix.exe
* click KillVundo.bat
* the following is now displayed:
- paste in: C:\WINDOWS\java\trustlib\binw.dll
- press Enter, then the F6 key, then Enter again
* HijackThis will then open:
* in HijackThis, tick the following entries + click FIX CHECKED:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\binacc.dll
O16 - DPF: Contains -
O16 - DPF: DownloadInformation -
O16 - DPF: InstalledVersion -
O16 - DPF: {14b87622-7e19-4ea8-93b3-97215f77a6bc} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2} -
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O20 - Winlogon Notify: binw - C:\WINDOWS\java\trustlib\binw.dll
* then restart the PC
* there will be a "Blue Screen of Death", that is normal ......
-----------------------------------------------------------------------------------------------
At the top of the browser: File -- Save page as..
-- choose "Desktop" -- save --> a vundo.reg then appears on the desktop
http://virus-protect.org/reg/vundo.reg
Restart the computer in safe mode (press F8 while starting).
Double-click the file "vundo.reg" on the desktop and confirm that it is to be added to the registry
Restart the computer in safe mode (press F8 while starting).
Double-click the file "fixme.reg" on the desktop
-------------------------------------------------------------------------------------------------------
Install CleanUp! CleanUp40.exe
http://www.zdnet.de/downloads/prg/i/9/de000NI9-wc.html
- Click "Options..."
- Custom CleanUp!
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
- Click OK
- Press the CleanUp!
- do not restart
CWShredder
http://www.trendmicro.com/ftp/products/online-tools/cwshredder
Scan with ewido and post me the scan report
http://virus-protect.org/ewido.html
+ the new log from HijackThis
__________
Kind regards, Sabina
All about PC security
14.09.2005, 17:06
...new here
Posts: 9
#7
Hi,
when I see all of this here I feel quite queasy. So, the following problem has turned up on my machine, and I hope I'm in the right place here... For 2 days I have had this program WinFixer2005 on my desktop... I haven't found a path to the exe, or rather none is displayed, and every time the PC is restarted a window opens saying that the program is being downloaded... the timer runs but nothing happens... I can't close it either. Then an icon appears in the taskbar that looks like a circle... white with an orange border. I can only really close it with "End Task"... and windows keep popping up all the time telling me to download some spyware... I also made this HijackThis log and I'll just (cheekily) paste it in here:

Logfile of HijackThis v1.99.1
Scan saved at 16:33:18, on 14.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programme\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Programme\ICQLite\ICQLite.exe
D:\Program Files\webHancer\Programs\whSurvey.exe
D:\Programme\QuickTime\qttask.exe
D:\Programme\0190_und_0900 Warner\w0svc.exe
D:\PROGRA~1\Save\Save.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
D:\Programme\Ahead\InCD\InCD.exe
D:\Programme\Real\RealPlayer\RealPlay.exe
D:\Programme\Virenschutz\AVKService.exe
D:\Programme\Virenschutz\AVKWCtl.exe
D:\Program Files\webHancer\Programs\whAgent.exe
D:\Programme\AVPersonal\AVGNT.EXE
D:\Programme\AVPersonal\AVWUPSRV.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
D:\WINDOWS\wxxrquu.exe
D:\Programme\Winamp\winampa.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\programme\aim95\aim.exe
D:\Programme\AOL 9.0a\aoltray.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo0000c090.exe
D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
D:\Programme\AOL 9.0a\waol.exe
D:\Programme\AOL 9.0a\shellmon.exe
D:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
D:\Programme\ISTsvc\istsvc.exe
D:\Programme\WinRAR\WinRAR.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\Rar$EX09.625\HijackThis.exe
D:\Programme\BullsEye Network\bin\bargains.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.aol.de
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - D:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - D:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\Programme\YourSiteBar\ysb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WebRebates0] "D:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "D:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WhenUSave] D:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] D:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [webHancer Agent] "D:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [AVGCtrl] "D:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AOLDialer] D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [wOaBEdJ3] D:\WINDOWS\wxxrquu.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [NI.UWFX5U] "D:\WINDOWS\Downloaded Program Files\UWFX5UNetInstaller.exe"
O4 - HKLM\..\Run: [IST Service] D:\Programme\ISTsvc\
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] D:\programme\aim95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] D:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Reminder-hpc41003.lnk = D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = D:\Programme\AOL 9.0a\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Web Rebates - file://D:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\programme\aim95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: D:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/ieloader.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game17.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://www.beepworld.de/hp/activexeditor/editlive4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22C325C3-389F-44E2-BA63-E718CF16BEBC}: NameServer = 205.188.146.145
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\Programme\0190_und_0900 Warner\w0svc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: AVK Service (AVKService) - Unknown owner - D:\Programme\Virenschutz\AVKService.exe
O23 - Service: G DATA Virenschutz Wächter (AVKWCtl) - Unknown owner - D:\Programme\Virenschutz\AVKWCtl.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\DOKUME~1\ICH2\LOKALE~1\TEMP\_VWUPSRV.EXE

Yes, I honestly admit it's all Greek to me... but I'd be grateful if I could somehow get this problem solved. Thanks
Zim-Zum
14.09.2005, 17:56
Honorary member
Posts: 29434
#8
Hello @Zim-Zum
I will give you further instructions for the cleanup, but not until this evening. In the meantime do the following:
Go into the registry: Start --> Run --> regedit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow <-- delete
• LSPfix.exe
http://www.spychecker.com/program/lspfix.html
Tick "I know what Im doing" --> Remove, and delete the whiehlpr.dll (you may have to move the dll from left to right)
---------------------------------------------
# Open HijackThis -->> button "scan" -->> tick the boxes -->> button "Fix checked" -->> restart the PC
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINDOWS\systb.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - D:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - D:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\Programme\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [WebRebates0] "D:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "D:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [WhenUSave] D:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [webHancer Agent] "D:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [wOaBEdJ3] D:\WINDOWS\wxxrquu.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NI.UWFX5U] "D:\WINDOWS\Downloaded Program Files\UWFX5UNetInstaller.exe"
O4 - HKLM\..\Run: [IST Service] D:\Programme\ISTsvc\
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/ieloader.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game17.zylomgames.com/activex/zylomgamesplayer.cab
Restart the PC
Uninstall:
WebHancer
BullsEye Network
WhenUSave
WebRebates
YourSiteBar
ISTsvc
Delete:
D:\WINDOWS\Downloaded Program Files\UWFX5UNetInstaller.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo0000c090.exe
Below you will find the removal tool for ISTsvc (download + scan)
http://virus-protect.org/spyware2.html#Trojan-Downloader.Win32.IstBar
CCleaner --> delete all *temp files --> tick everything
http://virus-protect.org/temp.html
Ad-aware SE Personal
http://virus-protect.org/antispywaretools.html
Download --> configure
http://virus-protect.org/adaware.html
During the scan ALL other applications must be closed and all browser windows must be closed!
Scan --> restart the PC --> scan again --> post the log from the scan
Scan with ewido and post me the scan report
http://virus-protect.org/ewido.html
__________
Kind regards, Sabina
All about PC security
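The replies above work by reading a HijackThis log and picking out a handful of entry types: dangling "(no file)" / "(file missing)" entries, executables living in a Temp directory or loose in the Windows directory, Winlogon Notify DLLs outside system32, O10 LSP hijacks and O17 name-server overrides. The following is an added example of that triage as code; it is not part of the thread, of HijackThis, or of any tool mentioned above. The functions parse_log, triage and summarize, the flag names, and all the heuristics are this example's own assumptions; SAMPLE_LOG is a constructed excerpt assembled from entries quoted earlier in the thread. A flag means "look at this entry", not "remove it".

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not thread code).

Parses the 'Rx/Fx/Oxx - ' entry lines into records and flags the kinds of
entries the replies in this thread point at. Every heuristic is an
assumption of this example and marks an entry for review, not for removal.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# One log entry line: a type code ("O4", "O20", "R3", ...), " - ", then the rest.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in an executable or library inside the body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)\b', re.I)
# Hallmarks singled out in the thread (assumptions of this example).
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.I)


@dataclass
class Entry:
    kind: str                 # e.g. "O4"
    body: str                 # text after "O4 - "
    path: str = ""            # first executable/library path found, if any
    flags: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return one Entry per entry line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(kind=m.group("kind"), body=m.group("body"))
        pm = PATH_RE.search(entry.body)
        if pm:
            entry.path = pm.group(0)
        entries.append(entry)
    return entries


def triage(entries: list) -> list:
    """Attach flags to each entry and return only the flagged ones."""
    for e in entries:
        e.flags = []                              # idempotent on repeated calls
        if MISSING_RE.search(e.body):
            e.flags.append("dangling")            # registry points at a file that is gone
        if TEMP_RE.search(e.body):
            e.flags.append("temp-dir")            # persistent component living in %TEMP%
        if WINROOT_RE.match(e.path):
            e.flags.append("windows-root")        # loose binary directly in the Windows folder
        if e.kind == "O4" and not e.path:
            e.flags.append("no-exe")              # autostart with no resolvable executable
        if e.kind == "O10":
            e.flags.append("lsp-hijack")          # Winsock LSP chain modified
        if e.kind == "O20" and "\\system32\\" not in e.path.lower():
            e.flags.append("winlogon-notify")     # Winlogon Notify DLL outside system32
        if e.kind == "O17":
            e.flags.append("dns-override")        # per-adapter name server set by hand
    return [e for e in entries if e.flags]


def summarize(entries: list) -> dict:
    """Count how often each flag occurs across the given entries."""
    return dict(Counter(f for e in entries for f in e.flags))


# Constructed excerpt assembled from entries quoted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed excerpt for this example)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINDOWS\systb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [IST Service] D:\Programme\ISTsvc\
O4 - HKLM\..\Run: [wOaBEdJ3] D:\WINDOWS\wxxrquu.exe
O10 - Hijacked Internet access by WebHancer
O17 - HKLM\System\CCS\Services\Tcpip\..\{22C325C3-389F-44E2-BA63-E718CF16BEBC}: NameServer = 205.188.146.145
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\DOKUME~1\ICH2\LOKALE~1\TEMP\_VWUPSRV.EXE
"""

if __name__ == "__main__":
    flagged = triage(parse_log(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.kind:<4} {', '.join(e.flags):<24} {e.body}")
    print(summarize(flagged))
```

Run it on a full log by passing the file contents to parse_log; the unflagged entries (the Google Toolbar BHO, the ICQ Run key, the NVIDIA service in the sample) drop out, and what remains is roughly the list a helper ends up asking for in "Fix checked". The no-exe rule also fires on legitimate bare-name entries like "nwiz.exe /install", which is intended: anything that resolves through PATH rather than an absolute location deserves a second look.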
14.09.2005, 19:18
...new here
Posts: 9
#9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow <-- delete
^^ I didn't find that.
Tick "I know what Im doing" --> Remove, and delete the whiehlpr.dll (you may have to move the dll from left to right)
Should it worry me if that one isn't listed there? There is only: mswsock.dll, winrnr.dll, webhdll.dll, rsvpsp.dll
OK... thanks for now... for a start... then I'll do the HijackThis thing
14.09.2005, 22:56
Honorary member
Posts: 29434
15.09.2005, 15:39
...new here
Posts: 9
#11
Here is the Ad-Aware scan log:
Ad-Aware SE Build 1.06r1
Logfile Created on Donnerstag, 15. September 2005 15:12:33
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R66 14.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):2 total references
Alexa(TAC index:5):3 total references
BargainBuddy(TAC index:8):25 total references
DyFuCA(TAC index:3):18 total references
ImIServer IEPlugin(TAC index:5):28 total references
istbar(TAC index:7):7 total references
MicroGaming(TAC index:4):1 total references
MRU List(TAC index:0):12 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
Powerscan(TAC index:5):1 total references
Roings(TAC index:8):3 total references
SahAgent(TAC index:9):4 total references
SideFind(TAC index:5):2 total references
TopMoxie(TAC index:3):9 total references
Tracking Cookie(TAC index:3):2 total references
WebHancer(TAC index:9):15 total references
WhenU(TAC index:3):45 total references
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R66 14.09.2005
Internal build : 77
File location : D:\Programme\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 522778 Bytes
Total size : 1570907 Bytes
Signature data size : 1537712 Bytes
Reference data size : 32683 Bytes
Signatures total : 43686
CSI Fingerprints total : 1045
CSI data size : 37239 Bytes
Target categories : 15
Target families : 746

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:65 %
Total physical memory:523760 kb
Available physical memory:338204 kb
Total page file size:1280524 kb
Available on page file:1116380 kb
Total virtual memory:2097024 kb
Available virtual memory:2049356 kb
OS:Microsoft Windows XP Professional Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

15.09.2005 15:12:33 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 584
ThreadCreationTime : 15.09.2005 13:11:29
BasePriority : Normal

#:2 [csrss.exe]
ModuleName : \??\D:\WINDOWS\system32\csrss.exe
Command Line : D:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 660
ThreadCreationTime : 15.09.2005 13:11:32
BasePriority : Normal

#:3 [winlogon.exe]
ModuleName : \??\D:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 684
ThreadCreationTime : 15.09.2005 13:11:34
BasePriority : High

#:4 [services.exe]
ModuleName : D:\WINDOWS\system32\services.exe
Command Line : D:\WINDOWS\system32\services.exe
ProcessID : 728
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : D:\WINDOWS\system32\lsass.exe
Command Line : D:\WINDOWS\system32\lsass.exe
ProcessID : 740
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : D:\WINDOWS\system32\svchost.exe
Command Line : D:\WINDOWS\system32\svchost -k rpcss
ProcessID : 916
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1020
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [incdsrv.exe]
ModuleName : D:\Programme\Ahead\InCD\InCDsrv.exe
Command Line : D:\Programme\Ahead\InCD\InCDsrv.exe
ProcessID : 1044
ThreadCreationTime : 15.09.2005 13:11:36
BasePriority : Normal
FileVersion : 4, 2, 4, 2
ProductVersion : 4, 2, 4, 2
ProductName : Ahead Software AG incdsrv
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : incdsrv.exe

#:9 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1288
ThreadCreationTime : 15.09.2005 13:11:37
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1320
ThreadCreationTime : 15.09.2005 13:11:37
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
ModuleName : D:\WINDOWS\Explorer.EXE
Command Line : D:\WINDOWS\Explorer.EXE
ProcessID : 1452
ThreadCreationTime : 15.09.2005 13:11:37
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:12 [spoolsv.exe]
ModuleName : D:\WINDOWS\system32\spoolsv.exe
Command Line : D:\WINDOWS\system32\spoolsv.exe
ProcessID : 1528
ThreadCreationTime : 15.09.2005 13:11:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [soundman.exe]
ModuleName : D:\WINDOWS\SOUNDMAN.EXE
Command Line : "D:\WINDOWS\SOUNDMAN.EXE"
ProcessID : 1704
ThreadCreationTime : 15.09.2005 13:11:40
BasePriority : Normal
FileVersion : 5.1.0.21
ProductVersion : 5.1.0.21
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:14 [icqlite.exe]
ModuleName : D:\Programme\ICQLite\ICQLite.exe
Command Line : "D:\Programme\ICQLite\ICQLite.exe" -minimize
ProcessID : 1756
ThreadCreationTime : 15.09.2005 13:11:42
BasePriority : Normal
FileVersion : 20, 34, 2321, 0
ProductVersion : 20, 34, 2321, 0
ProductName : ICQLite
CompanyName : ICQ Ltd.
FileDescription : ICQLite
InternalName : ICQ Lite
LegalCopyright : Copyright (C) 2002
OriginalFilename : ICQLite.exe

#:15 [qttask.exe]
ModuleName : D:\Programme\QuickTime\qttask.exe
Command Line : "D:\Programme\QuickTime\qttask.exe" -atboottime
ProcessID : 1764
ThreadCreationTime : 15.09.2005 13:11:43
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:16 [w0svc.exe]
ModuleName : D:\Programme\0190_und_0900 Warner\w0svc.exe
Command Line : "D:\Programme\0190_und_0900 Warner\w0svc.exe"
ProcessID : 1876
ThreadCreationTime : 15.09.2005 13:11:44
BasePriority : Normal
FileVersion : 4.0.0.22
ProductVersion : 4.0
ProductName : 0190/0900 Warner
CompanyName : Mirko Böer
FileDescription : 0190/0900 Warner Service
InternalName : w0svc
LegalCopyright : Copyright © 2003-2004 Mirko Böer
OriginalFilename : w0svc.exe

#:17 [aolacsd.exe]
ModuleName : D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
Command Line : "D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe"
ProcessID : 1892
ThreadCreationTime : 15.09.2005 13:11:44
BasePriority : Normal

#:18 [incd.exe]
ModuleName : D:\Programme\Ahead\InCD\InCD.exe
Command Line : "D:\Programme\Ahead\InCD\InCD.exe"
ProcessID : 1908
ThreadCreationTime : 15.09.2005 13:11:44
BasePriority : Normal
FileVersion : 4, 2, 4, 2
ProductVersion : 4, 2, 4, 2
ProductName : Ahead Software AG InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : InCD.exe

#:19 [realplay.exe]
ModuleName : D:\Programme\Real\RealPlayer\RealPlay.exe
Command Line : "D:\Programme\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
ProcessID : 1936
ThreadCreationTime : 15.09.2005 13:11:45
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:20 [avkservice.exe]
ModuleName : D:\Programme\Virenschutz\AVKService.exe
Command Line : D:\Programme\Virenschutz\AVKService.exe
ProcessID : 1972
ThreadCreationTime : 15.09.2005 13:11:47
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 11, 0, 0, 0
ProductName : AVKService Module
FileDescription : AVKService Module
InternalName : AVKService
LegalCopyright : Copyright G DATA Software AG 2001-2003
OriginalFilename : AVKService.EXE

#:21 [avgnt.exe]
ModuleName : D:\Programme\AVPersonal\AVGNT.EXE
Command Line : "D:\Programme\AVPersonal\AVGNT.EXE" /min
ProcessID : 1980
ThreadCreationTime : 15.09.2005 13:11:47
BasePriority : Normal

#:22 [avkwctl.exe]
ModuleName : D:\Programme\Virenschutz\AVKWCtl.exe
Command Line : D:\Programme\Virenschutz\AVKWCtl.exe
ProcessID : 1996
ThreadCreationTime : 15.09.2005 13:11:48
BasePriority : Normal
FileVersion : 16, 0, 0, 8
ProductVersion : 12, 0, 0, 0
ProductName : AVK
FileDescription : AVKWCtl Monitor Service
InternalName : AVKWCtl
OriginalFilename : AVKWCtl.EXE

#:23 [aoldial.exe]
ModuleName : D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
Command Line : "D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe"
ProcessID : 2032
ThreadCreationTime : 15.09.2005 13:11:49
BasePriority : Normal
FileVersion : 2.6.6.3.DE.55
ProductVersion : 2.6.6.3.DE.55
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:24 [avwupsrv.exe]
ModuleName : D:\Programme\AVPersonal\AVWUPSRV.EXE
Command Line : "D:\Programme\AVPersonal\AVWUPSRV.EXE"
ProcessID : 196
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal

#:25 [winampa.exe]
ModuleName : D:\Programme\Winamp\winampa.exe
Command Line : "D:\Programme\Winamp\winampa.exe"
ProcessID : 200
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal

#:26 [rundll32.exe]
ModuleName : D:\WINDOWS\System32\RUNDLL32.EXE
Command Line : "D:\WINDOWS\System32\RUNDLL32.EXE" D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
ProcessID : 208
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : RUNDLL.EXE

#:27 [nvsvc32.exe]
ModuleName : D:\WINDOWS\System32\nvsvc32.exe
Command Line : D:\WINDOWS\System32\nvsvc32.exe
ProcessID : 240
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:28 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 300
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:29 [aim.exe]
ModuleName : D:\programme\aim95\aim.exe
Command Line : "D:\programme\aim95\aim.exe" -cnetwait.odl
ProcessID : 404
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 5.1.3036
ProductVersion : 5.1.3036
ProductName : AOL Instant Messenger
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
LegalCopyright : Copyright © 1996-2002 America Online, Inc.
OriginalFilename : AIM.EXE

#:30 [wdfmgr.exe]
ModuleName : D:\WINDOWS\System32\wdfmgr.exe
Command Line : D:\WINDOWS\System32\wdfmgr.exe
ProcessID : 444
ThreadCreationTime : 15.09.2005 13:11:51
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:31 [aoltray.exe]
ModuleName : D:\Programme\AOL 9.0a\aoltray.exe
Command Line : "D:\Programme\AOL 9.0a\aoltray.exe" -check
ProcessID : 792
ThreadCreationTime : 15.09.2005 13:11:54
BasePriority : Normal
FileVersion : 9.00.001
ProductVersion : 9.00.001
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright (C) America Online, Inc.
1999 - 2004 #:32 [calcheck.exe] ModuleName : D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe Command Line : "D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe" ProcessID : 1632 ThreadCreationTime : 15.09.2005 13:11:56 BasePriority : Normal FileVersion : 4, 0, 0, 0 ProductVersion : 1, 0, 0, 1 ProductName : Calendar Checker Application CompanyName : Ulead Systems, Inc. FileDescription : Photo Express -- Calendar Checker InternalName : CalCheck LegalCopyright : Copyright (C) 1992-1999.Ulead Systems, Inc. LegalTrademarks : Ulead Systems, MediaStudio, PhotoImpact and Photo Express are registered trademarks of Ulead Systems, Inc. OriginalFilename : CalCheck.EXE #:33 [remind32.exe] ModuleName : D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe Command Line : "D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe" ProcessID : 1644 ThreadCreationTime : 15.09.2005 13:11:57 BasePriority : Normal #:34 [bwgo000099ee.exe] ModuleName : D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo000099ee.exe Command Line : "D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo000099ee.exe" 476 1.1 "D:\Programme\Logitech\Desktop Messenger\8876480\enabled.txt" "" -restart ProcessID : 1224 ThreadCreationTime : 15.09.2005 13:12:00 BasePriority : Normal #:35 [wmiprvse.exe] ModuleName : D:\WINDOWS\System32\wbem\wmiprvse.exe Command Line : D:\WINDOWS\System32\wbem\wmiprvse.exe -Embedding ProcessID : 2404 ThreadCreationTime : 15.09.2005 13:12:05 BasePriority : Normal FileVersion : 5.1.2600.1106 (xpsp1.020828-1920) ProductVersion : 5.1.2600.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : WMI InternalName : Wmiprvse.exe LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : Wmiprvse.exe #:36 [ad-aware.exe] ModuleName : D:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe Command Line : "D:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" ProcessID : 2524 ThreadCreationTime : 15.09.2005 13:12:19 BasePriority : Normal FileVersion : 6.2.0.236 ProductVersion : SE 106 ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft AB Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 0 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» BargainBuddy Object Recognized! Type : Regkey Data : TAC Rating : 8 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : adp.urlcatcher BargainBuddy Object Recognized! Type : Regkey Data : TAC Rating : 8 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : adp.urlcatcher.1 BargainBuddy Object Recognized! Type : Regkey Data : TAC Rating : 8 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678} BargainBuddy Object Recognized! Type : Regkey Data : TAC Rating : 8 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678} BargainBuddy Object Recognized! Type : Regkey Data : TAC Rating : 8 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3} DyFuCA Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc} DyFuCA Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : dyfuca_bh.sinkobj.1 DyFuCA Object Recognized! 
Type : Regkey Data : TAC Rating : 3 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : dyfuca_bh.sinkobj DyFuCA Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{cea206e8-8057-4a04-ace9-ff0d69a92297} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{1c896551-8b92-4907-8c06-15db2d1f874a} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{f3155057-4c2c-4078-8576-50486693fd49} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.bottomframe ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.bottomframe.1 ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.leftframe ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.leftframe.1 ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.popupbrowser ImIServer IEPlugin Object Recognized! 
Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.popupbrowser.1 ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.popupwindow ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : imitoolbar.popupwindow.1 ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{3e589169-86ad-44fe-b426-f0bf105d5582} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{98b2ddba-6da2-4421-af2b-814e98f53649} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{e4458b4a-6149-4450-84f2-864adb7e8c52} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9} ImIServer IEPlugin Object Recognized! Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : wbho.band ImIServer IEPlugin Object Recognized! 
Type : Regkey Data : TAC Rating : 5 Category : Data Miner Comment : Rootkey : HKEY_CLASSES_ROOT Object : wbho.band.1 istbar Object Recognized! Type : Regkey Data : TAC Rating : 7 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429} istbar Object Recognized! Type : Regkey Data : TAC Rating : 7 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{0985c112-2562-46f2-8da6-92648ba4630f} istbar Object Recognized! Type : Regkey Data : TAC Rating : 7 Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686} WhenU Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_CLASSES_ROOT Object : wusn.1 TopMoxie Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Data Miner Comment : Rootkey : HKEY_USERS Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\menuext\web rebates TopMoxie Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Data Miner Comment : Rootkey : HKEY_USERS Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\menuext\web rebates Value : Contexts WhenU Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_USERS Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\whenu MicroGaming Object Recognized! Type : Regkey Data : TAC Rating : 4 Category : Malware Comment : Rootkey : HKEY_USERS Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microgaming TopMoxie Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\untopr1150 TopMoxie Object Recognized! 
Type : RegValue Data : TAC Rating : 3 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\untopr1150 Value : DisplayName TopMoxie Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\untopr1150 Value : UninstallString WebHancer Object Recognized! Type : Regkey Data : TAC Rating : 9 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\webhancer WebHancer Object Recognized! Type : RegValue Data : TAC Rating : 9 Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\webhancer Value : BaseDir WhenU Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : db_script_update WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : InstallDir WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : pats_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : pat_chunks_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : script_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : update_url WhenU Object Recognized! 
Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : ver_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : InstallTime WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : Partner WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : ccode WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : PartnerDesc WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : FullDBTime WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : HeartbeatTime WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : extra_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : extraver_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : ziptomsa_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : UpdateTime WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : TotalPartner WhenU Object Recognized! 
Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : PartnerB WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : brandskin_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : brandstrip_rs WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : brandstrip_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : himp_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : iptomsa_url WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : maxPopups_rs WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : timedDBUpdate_rs WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : uninstalltag_rs WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : db_stamp_rs WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : db_server_update WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : MSA WhenU Object Recognized! 
Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : IPToMsaTime_rs WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : TotalPopup WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : Version WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : bstat_rs WhenU Object Recognized! Type : RegValue Data : TAC Rating : 3 Category : Misc Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\whenusave Value : UrlChangeCount Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} Alexa Object Recognized! Type : RegValue Data : TAC Rating : 5 Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} istbar Object Recognized! 
Type : RegValue Data : TAC Rating : 7 Category : Malware Comment : "{86227D9C-0EFE-4f8a-AA55-30386A3F5686}" Rootkey : HKEY_USERS Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\toolbar\webbrowser Value : {86227D9C-0EFE-4f8a-AA55-30386A3F5686} Roings Object Recognized! Type : RegValue Data : TAC Rating : 8 Category : Malware Comment : "Date" Rootkey : HKEY_USERS Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\intexp Value : Date Windows Object Recognized! Type : RegData Data : "%1" /s "%3" TAC Rating : 3 Category : Vulnerability Comment : Possible virus infection, SCR file extension compromised Rootkey : HKEY_CLASSES_ROOT Object : scrfile\shell\open\command Value : Data : "%1" /s "%3" Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 85 Objects found so far: 85 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Possible Browser Hijack attempt : {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab) Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : TAC Rating : 3 Category : Vulnerability Comment : Possible Browser Hijack attempt : http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab Rootkey : HKEY_LOCAL_MACHINE Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} Possible Browser Hijack attempt Object Recognized! 
Type : RegValue Data : TAC Rating : 3 Category : Vulnerability Comment : Possible Browser Hijack attempt : http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab Rootkey : HKEY_LOCAL_MACHINE Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} Value : Installer Possible Browser Hijack attempt : {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab) Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 2 Objects found so far: 87 MRU List Object Recognized! Location: : D:\Dokumente und Einstellungen\Ich2\recent Description : list of recently opened documents MRU List Object Recognized! Location: : software\microsoft\directdraw\mostrecentapplication Description : most recent application to use microsoft directdraw MRU List Object Recognized! Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer Description : last download directory used in microsoft internet explorer MRU List Object Recognized! Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\mediaplayer\medialibraryui Description : last selected node in the microsoft windows media player media library MRU List Object Recognized! Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\mediaplayer\player\settings Description : last open directory used in jasc paint shop pro MRU List Object Recognized! Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\ntbackup\log files Description : list of recent logfiles in microsoft backup MRU List Object Recognized! Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru Description : list of recent programs opened MRU List Object Recognized! 
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru Description : list of recently saved files, stored according to file extension MRU List Object Recognized! Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\smartftp\connection data Description : list of recently accessed servers using smartftp MRU List Object Recognized! Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general Description : windows media sdk MRU List Object Recognized! Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general Description : windows media sdk MRU List Object Recognized! Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\windows media\wmsdk\general Description : windows media sdk Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking Cookie Object Recognized! Type : IECache Entry Data : ich2@2o7[2].txt TAC Rating : 3 Category : Data Miner Comment : Hits:7 Value : Cookie:ich2@2o7.net/ Expires : 14.09.2010 14:40:02 LastSync : Hits:7 UseCount : 0 Hits : 7 Tracking Cookie Object Recognized! Type : IECache Entry Data : ich2@mediaplex[1].txt TAC Rating : 3 Category : Data Miner Comment : Hits:1 Value : Cookie:ich2@mediaplex.com/ Expires : 22.06.2009 02:00:00 LastSync : Hits:1 UseCount : 0 Hits : 1 Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 2 Objects found so far: 101 Deep scanning and examining files (C »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 101 Deep scanning and examining files (D »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» BargainBuddy Object Recognized! 
Type : File Data : backup-20050914-203239-219.dll TAC Rating : 8 Category : Malware Comment : Object : D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\backups\ FileVersion : 8, 0, 3, 6 ProductVersion : 8, 0, 3, 6 ProductName : ADP Module CompanyName : eXact Advertising FileDescription : ADP Module InternalName : apuc LegalCopyright : Copyright © 2003-2005 eXact Advertising, LLC. All Rights Reserved. OriginalFilename : apuc.DLL 180Solutions Object Recognized! Type : File Data : sais.exe TAC Rating : 6 Category : Data Miner Comment : Object : D:\Programme\180searchassistant\ FileVersion : 6, 9, 95, 0 ProductVersion : 6, 9, 95, 0 ProductName : Search Assistant CompanyName : 180solutions, Inc. FileDescription : Search Assistant LegalCopyright : Copyright © 2005, 180solutions Inc. DyFuCA Object Recognized! Type : File Data : optimize.VIR TAC Rating : 3 Category : Malware Comment : Object : D:\Programme\AVPersonal\INFECTED\ WhenU Object Recognized! Type : File Data : Save.exe TAC Rating : 3 Category : Misc Comment : Object : D:\Programme\Save\ FileVersion : 2, 6, 4, 7 ProductVersion : 2, 6, 4, 7 ProductName : Save! CompanyName : WhenU.com, Inc. FileDescription : Save! InternalName : WhenUSave LegalCopyright : Copyright 2001 OriginalFilename : Save.exe WhenU Object Recognized! Type : File Data : SaveUninst.exe TAC Rating : 3 Category : Misc Comment : Object : D:\Programme\Save\ FileVersion : 2, 6, 4, 7 ProductVersion : 2, 6, 4, 7 ProductName : Save! Uninstall CompanyName : WhenU.com, Inc. FileDescription : Save! Uninstall InternalName : SaveUninst LegalCopyright : Copyright 2001 OriginalFilename : SaveUninst.exe SideFind Object Recognized! 
Type : File Data : sfbho.dll TAC Rating : 5 Category : Malware Comment : Object : D:\Programme\SideFind\ FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : BrowserHelperObject Module FileDescription : BrowserHelperObject Module InternalName : BrowserHelperObject LegalCopyright : Copyright 2003 OriginalFilename : BrowserHelperObject.DLL TopMoxie Object Recognized! Type : File Data : disp1150.exe TAC Rating : 3 Category : Data Miner Comment : Object : D:\Programme\Web_Rebates\ TopMoxie Object Recognized! Type : File Data : WebRebates1.exe TAC Rating : 3 Category : Data Miner Comment : Object : D:\Programme\Web_Rebates\ WebHancer Object Recognized! Type : File Data : A0082518.exe TAC Rating : 9 Category : Data Miner Comment : Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\ FileVersion : 3.7.0 ProductVersion : 3.7.0 ProductName : webHancer Customer Companion CompanyName : webHancer Corporation FileDescription : webHancer Customer Companion InternalName : whAgent LegalCopyright : Copyright © 1999-2005 webHancer Corporation OriginalFilename : whAgent.exe WebHancer Object Recognized! Type : File Data : A0082519.dll TAC Rating : 9 Category : Data Miner Comment : Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\ FileVersion : 3.7.0 ProductVersion : 3.7.0 ProductName : webHancer Customer Companion CompanyName : webHancer Corporation FileDescription : webHancer IE Helper Module InternalName : WhIeHelper LegalCopyright : Copyright © 1999-2005 webHancer Corporation OriginalFilename : whiehlpr.dll WebHancer Object Recognized! 
Type : File
Data : A0082520.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Survey Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Survey Companion
InternalName : whSurvey
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whSurvey.exe

WebHancer Object Recognized!
Type : File
Data : A0082521.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Winsock2 SPI
InternalName : webhdll
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : webhdll.dll

WebHancer Object Recognized!
Type : File
Data : A0082522.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Installer
InternalName : whInstaller
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whInstaller.exe

WebHancer Object Recognized!
Type : File
Data : A0082531.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Customer Companion
InternalName : whAgent
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whAgent.exe

WebHancer Object Recognized!
Type : File
Data : A0082532.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer IE Helper Module
InternalName : WhIeHelper
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whiehlpr.dll

WebHancer Object Recognized!
Type : File
Data : A0082533.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Survey Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Survey Companion
InternalName : whSurvey
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whSurvey.exe

WebHancer Object Recognized!
Type : File
Data : A0082534.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Winsock2 SPI
InternalName : webhdll
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : webhdll.dll

BargainBuddy Object Recognized!
Type : File
Data : A0088952.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe

BargainBuddy Object Recognized!
Type : File
Data : A0089019.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe

BargainBuddy Object Recognized!
Type : File
Data : A0091160.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe

BargainBuddy Object Recognized!
Type : File
Data : A0091296.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
File
15.09.2005, 15:46
Honorary member
Posts: 29434
#12
Hello @Zim-Zum,

now please post the rest of the log (Ad-Aware), the scan log from ewido and the new log from HijackThis.

Regards, Sabina
15.09.2005, 15:53
...new here
Posts: 9
#13
Oh ... um, whoops, yes. That doesn't get saved somewhere, does it? ... Well, here is the one from ewido first ...
ewido security suite - Scan Report
---------------------------------------------------------
+ Created on: 15:47:56, 15.09.2005
+ Report checksum: 3D91BD45
+ Scan result:

HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CEA206E8-8057-4A04-ACE9-FF0D69A92297} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CLSID -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CurVer -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\untopr1150 -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\webHancer -> Spyware.Webhancer : Cleaned with backup
HKLM\SOFTWARE\webHancer\CC -> Spyware.Webhancer : Cleaned with backup
HKLM\SOFTWARE\WhenUSave -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners\VIDG -> Spyware.SaveNow : Cleaned with backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\Microsoft\Internet Explorer\MenuExt\Web Rebates -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\WhenU -> Spyware.SaveNow : Cleaned with backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\backups\backup-20050914-203239-219.dll -> Spyware.BargainBuddy : Cleaned with backup
D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\backups\backup-20050914-203240-940.dll -> Spyware.180Solutions : Cleaned with backup
D:\Programme\180searchassistant\sais.exe -> Spyware.180Solutions : Cleaned with backup
D:\Programme\AVPersonal\INFECTED\Dtpj.VIR -> Trojan.Small.cy : Cleaned with backup
D:\Programme\AVPersonal\INFECTED\optimize.VIR -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
D:\Programme\AVPersonal\INFECTED\pxckdla.VIR -> TrojanDownloader.OneClickNetSearch.i : Cleaned with backup
D:\Programme\GDivX Zenith Player\SaveInstWm.exe -> Adware.SaveNow : Cleaned with backup
D:\Programme\Save\Save.exe -> Adware.SaveNow : Cleaned with backup
D:\Programme\SideFind\sfbho.dll -> Spyware.SideFind : Cleaned with backup
D:\Programme\Web_Rebates -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Ap1150 -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Da1150 -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Da1150\administrator -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Da1150\Ich2 -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\disp1150.exe -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Sy1150 -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Sy1150\Html -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Sy1150\Images -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Sy1150\Sy1150 -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Sy1150\Tp1150 -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\Sy1150\Tp1150\log.txt -> Spyware.WebRebates : Cleaned with backup
D:\Programme\Web_Rebates\WebRebates1.exe -> Spyware.WebRebates : Cleaned with backup
D:\WINDOWS\LastGood\webhdll.dll -> Spyware.WebHancer : Cleaned with backup
D:\WINDOWS\LastGood\whInstaller.exe -> Spyware.WebHancer : Cleaned with backup
D:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
D:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
D:\WINDOWS\pxckdlauninstall.exe -> Spyware.NoName : Cleaned with backup
D:\WINDOWS\wxxrquu.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup

::Report end
15.09.2005, 15:56
Honorary member
Posts: 29434
#14
Please copy all 4 logs here into your thread:
http://virus-protect.org/datfindbat.html
and please post the new log from HijackThis.

Regards, Sabina
15.09.2005, 16:03
...new here
Posts: 9
#15
Logfile of HijackThis v1.99.1
Scan saved at 16:05:03, on 15.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programme\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Programme\ICQLite\ICQLite.exe
D:\Programme\QuickTime\qttask.exe
D:\Programme\0190_und_0900 Warner\w0svc.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
D:\Programme\Ahead\InCD\InCD.exe
D:\Programme\Real\RealPlayer\RealPlay.exe
D:\Programme\Virenschutz\AVKService.exe
D:\Programme\AVPersonal\AVGNT.EXE
D:\Programme\Virenschutz\AVKWCtl.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
D:\Programme\AVPersonal\AVWUPSRV.EXE
D:\Programme\Winamp\winampa.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\programme\aim95\aim.exe
D:\Programme\AOL 9.0a\aoltray.exe
D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo000099ee.exe
D:\Programme\AOL 9.0a\waol.exe
D:\Programme\AOL 9.0a\shellmon.exe
D:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
D:\Programme\ewido\security suite\ewidoguard.exe
D:\Programme\ewido\security suite\ewidoctrl.exe
D:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.aol.de
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] D:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AOLDialer] D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] D:\programme\aim95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] D:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Reminder-hpc41003.lnk = D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = D:\Programme\AOL 9.0a\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\programme\aim95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O12 - Plugin for .spop: D:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://www.beepworld.de/hp/activexeditor/editlive4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22C325C3-389F-44E2-BA63-E718CF16BEBC}: NameServer = 205.188.146.145
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\Programme\0190_und_0900 Warner\w0svc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: AVK Service (AVKService) - Unknown owner - D:\Programme\Virenschutz\AVKService.exe
O23 - Service: G DATA Virenschutz Wächter (AVKWCtl) - Unknown owner - D:\Programme\Virenschutz\AVKWCtl.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - D:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - D:\DOKUME~1\ICH2\LOKALE~1\TEMP\_VWUPSRV.EXE (file missing)

--------------------

Directory of D:\WINDOWS\system32

02.09.2005 13:59 2.206 wpa.dbl
10.08.2005 00:13 831.488 libeay32.dll
10.08.2005 00:13 159.744 ssleay32.dll
10.08.2005 00:12 3.596.288 qt-dx331.dll
10.08.2005 00:12 3.136 dtu_de.qm
13.07.2005 14:08 331.776 RWX20.DLL
13.07.2005 14:08 339.968 RWDX8D20.DLL
13.07.2005 14:08 423.424 RWDX6D20.DLL
11.07.2005 08:43 288.496 FNTCACHE.DAT
13.06.2005 22:16 2.778 qtplugin.log
30.05.2005 21:10 877.303 My Pet Skeleton.scr
14.05.2005 14:04 4.102 lvcoinst.log
19.04.2005 14:55 372.736 TidyAtl.dll
19.04.2005 14:55 66.848 filter.exe
19.04.2005 14:55 279.800 FTPX.dll
19.04.2005 14:55 53.248 SSubTmr6.dll
31.03.2005 18:21 316.594 perfh007.dat
31.03.2005 18:21 311.604 perfh009.dat
31.03.2005 18:21 39.992 perfc009.dat
31.03.2005 18:21 48.156 perfc007.dat
31.03.2005 18:21 723.744 PerfStringBackup.INI
12.03.2005 00:48 108.544 pxcpyi64.exe
12.03.2005 00:48 56.320 pxinsa64.exe
12.03.2005 00:48 109.568 pxinsi64.exe
12.03.2005 00:48 56.832 pxcpya64.exe
12.03.2005 00:48 61.440 pxhpinst.exe
12.03.2005 00:28 151.552 pxwma.dll
12.03.2005 00:28 339.968 pxwave.dll
12.03.2005 00:28 28.672 vxblock.dll
12.03.2005 00:28 405.504 pxdrv.dll
12.03.2005 00:28 172.032 pxmas.dll
12.03.2005 00:28 339.968 px.dll
27.11.2004 19:02 16.832 amcompat.tlb
27.11.2004 19:02 23.392 nscompat.tlb
09.11.2004 21:36 225.280 AOLDial.dll
04.09.2004 22:37 33.505 HDMPATH.INI
04.09.2004 22:36 463 WHDM.INI
03.09.2004 17:00 47.610 interceptor.sys
29.08.2004 19:16 2.272 w95inf16.dll
29.08.2004 19:16 4.608 w95inf32.dll
29.08.2004 13:57 157.696 rmoc3260.dll
29.08.2004 13:57 25.088 prefscpl.cpl
29.08.2004 13:57 6.656 pndx5016.dll
29.08.2004 13:57 5.632 pndx5032.dll
29.08.2004 13:57 278.528 pncrt.dll
11.08.2004 21:45 228.352 wmerror.dll
11.08.2004 21:45 9.216 asferror.dll
11.08.2004 21:45 3.407.872 wmploc.dll
11.08.2004 21:45 86.016 wmpshell.dll
11.08.2004 21:45 311.808 MSWMDM.dll
11.08.2004 21:45 482.816 Audiodev.dll
11.08.2004 02:39 2.362.104 wmvcore.dll
11.08.2004 02:39 773.368 wmsdmod.dll
11.08.2004 02:38 871.160 wmvdmod.dll
11.08.2004 02:38 1.181.944 wmvadvd.dll
11.08.2004 02:38 531.192 wmspdmod.dll
11.08.2004 02:38 380.144 wmadmod.dll
11.08.2004 02:38 360.176 MSSCP.dll
11.08.2004 02:38 253.688 drmclien.dll
11.08.2004 02:37 290.816 WMDRMNet.dll
11.08.2004 02:37 344.064 WMDRMdev.dll
11.08.2004 02:36 527.360 drmv2clt.dll
11.08.2004 02:36 233.472 blackbox.dll
11.08.2004 02:36 141.312 msnetobj.dll
11.08.2004 02:36 95.232 drmstor.dll
11.08.2004 01:45 221.184 qasf.dll
11.08.2004 01:45 1.509.376 WMVADVE.DLL
11.08.2004 01:45 161.792 cewmdm.dll
11.08.2004 01:45 25.088 MsPMSNSv.dll
11.08.2004 01:45 712.704 wmadmoe.dll
11.08.2004 01:45 30.208 WMDMLOG.dll
11.08.2004 01:45 282.624 wmpdxm.dll
11.08.2004 01:45 34.304 WMDMPS.dll
11.08.2004 01:45 169.472 MsPMSP.dll
11.08.2004 01:45 135.168 wmpasf.dll
11.08.2004 01:45 1.589.760 wmpencen.dll
11.08.2004 01:45 999.424 wmvdmoe2.dll
11.08.2004 01:45 1.116.160 wmsdmoe2.dll
11.08.2004 01:45 936.960 wmspdmoe.dll
11.08.2004 01:45 175.104 wmpsrcwp.dll
11.08.2004 01:41 5.550.080 wmp.dll
11.08.2004 01:41 1.027.072 wmnetmgr.dll
11.08.2004 01:41 229.376 wmasf.dll
10.08.2004 23:07 150.016 wmidx.dll
10.08.2004 23:07 6.656 laprxy.dll
10.08.2004 23:05 38.912 wpd_ci.dll
10.08.2004 23:05 327.680 wpdsp.dll
10.08.2004 23:05 331.776 wpdmtpdr.dll
10.08.2004 23:05 114.176 wpdmtp.dll
10.08.2004 23:05 66.560 wpdmtpus.dll
10.08.2004 23:05 61.952 wpdconns.dll
10.08.2004 23:05 10.752 wpdtrace.dll
10.08.2004 23:05 47.104 uwdf.exe
10.08.2004 23:05 38.912 wdfmgr.exe
10.08.2004 23:05 15.872 wdfapi.dll
10.08.2004 22:52 360.448 l3codecp.acm
10.08.2004 22:52 20.480 setb2.tmp
10.08.2004 22:52 20.480 wmp.ocx
10.08.2004 22:52 20.480 wmpcore.dll
10.08.2004 22:52 20.480 wmpcd.dll
10.08.2004 22:52 20.480 wmpui.dll
10.08.2004 22:46 96.768 logagent.exe
Scan saved at 21:09:16, on 12.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Prime95\prime95.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\NetPumper\NetPumperIEProxy.exe
C:\Programme\BearShare\BearShare.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Valve\Steam\Steam.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Program Files\mIRC\mirc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\iTunes\iTunes.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Dokumente und Einstellungen\Yves Althaus\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tele2.ch/startpage/adsl/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\binacc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [second] C:\Downloads\l2mfix\second.bat
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programme\eMule0_44b\emule.exe -AutoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Programme\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Image Zone Schnellstart.lnk = C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: Contains -
O16 - DPF: DownloadInformation -
O16 - DPF: InstalledVersion -
O16 - DPF: {14b87622-7e19-4ea8-93b3-97215f77a6bc} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/099a225952c28f9df515/netzip/RdxIE601_de.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O20 - Winlogon Notify: binw - C:\WINDOWS\java\trustlib\binw.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Programme\Prime95\prime95.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
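Added example (the editor's code, not a tool posted in this thread): a small Python triage script for HijackThis v1.99 logs like the two above. It parses the "Running processes:" list and the R/O entries into records and applies, in code, the checks a helper otherwise makes by eye: an O20 Winlogon Notify DLL loaded from anywhere but System32 (where Windows keeps its own Notify packages), a DLL that is at once a browser helper (O2/O3) and a Winlogon Notify package, an O23 service whose binary HijackThis marked "(file missing)", anything started from a Temp directory, and every O16 download together with its source URL. The sample input is a dozen lines copied from the two logs in this thread and mixed into one constructed log, which is why C: and D: paths both appear; the heuristics and the wording of the findings are assumptions of this example, not the thread's.

```python
# HijackThis v1.99 log triage (added example for this thread, not a posted tool).
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass

SYSTEM32_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")  # home of Windows' own Notify DLLs
FILE_MISSING = "(file missing)"

# Lines copied from the two logs in this thread, mixed into one constructed sample
# (hence both C: and D: paths).
SAMPLE_LOG = r"""Running processes:
D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo000099ee.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\binacc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O20 - Winlogon Notify: binw - C:\WINDOWS\java\trustlib\binw.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - D:\DOKUME~1\ICH2\LOKALE~1\TEMP\_VWUPSRV.EXE (file missing)
"""


@dataclass
class Entry:
    section: str           # "PROC" for the running-process list, else R0/O2/O20/...
    name: str
    path: str              # file path or URL the entry loads; "" when none
    missing: bool = False  # HijackThis appended "(file missing)"


Finding = namedtuple("Finding", "section path reason")


def exe_of(command: str) -> str:
    # File a Run-key command really loads: honour quotes; for rundll32 take the
    # DLL named next (the export name follows a comma).
    command = command.strip()
    quoted = re.match(r'^"([^"]+)"(.*)$', command)
    if quoted:
        target, remainder = quoted.group(1), quoted.group(2)
    else:
        target, _, remainder = command.partition(" ")
    if target.lower().endswith("rundll32.exe"):
        target = remainder.strip().split(",")[0].strip().strip('"')
    return target


def parse_entry(line: str) -> Entry | None:
    m = re.match(r"^(R\d|O\d+) - (.*)$", line)
    if not m:
        return None
    section, rest = m.groups()
    missing = rest.endswith(FILE_MISSING)
    if missing:
        rest = rest[: -len(FILE_MISSING)].strip()
    if section == "O4":  # "HKLM\..\Run: [Name] cmd"  or  "Global Startup: x.lnk = path"
        run = re.match(r"^[^:]+: \[(.*?)\] (.*)$", rest)
        if run:
            return Entry(section, run.group(1), exe_of(run.group(2)), missing)
        name, _, path = rest.partition(" = ")
        return Entry(section, name, path.strip(), missing)
    parts = [p.strip() for p in rest.split(" - ")]  # "desc - {CLSID} - path"; path is last
    return Entry(section, parts[0], parts[-1] if len(parts) > 1 else "", missing)


def parse_log(text: str) -> list[Entry]:
    entries: list[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        entry = parse_entry(line)
        if entry is not None:
            in_procs = False  # the first R/O line ends the process list
            entries.append(entry)
        elif in_procs:
            entries.append(Entry("PROC", "", line))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    # The checks a helper applies by eye, reported in the order the entries appear.
    found: list[Finding] = []
    notify = {e.path.lower() for e in entries if e.section == "O20"}
    for e in entries:
        low = e.path.lower()
        if e.section == "O20" and not any(d in low for d in SYSTEM32_DIRS):
            found.append(Finding(e.section, e.path, "Winlogon Notify package outside System32"))
        if e.section in ("O2", "O3") and low in notify:
            found.append(Finding(e.section, e.path, "browser extension DLL is also a Winlogon Notify package"))
        if e.missing:
            found.append(Finding(e.section, e.path, "registered binary is missing on disk"))
        if "\\temp\\" in low and e.section in ("PROC", "O4", "O23"):
            found.append(Finding(e.section, e.path, "runs from a Temp directory"))
        if e.section == "O16" and low.startswith("http"):
            found.append(Finding(e.section, e.path, "downloaded ActiveX control; check the source URL"))
    return found


def triage_sample() -> list[Finding]:
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.section:<5} {f.reason}: {f.path}")
```

Run it as a script to print the findings for the sample, or call triage(parse_log(text)) on a saved HijackThis log. On the sample it reports the two O20 entries (binacc.dll and binw.dll), binacc.dll a second time because the same DLL is registered as a BHO, the TmpUpSrv service twice (missing binary, Temp path), the process running from Temp, and the ysbweb.com download, while the NVIDIA, QuickTime and Acrobat entries pass. The checks are deliberately narrow; the Run-key parser is there so that rundll32 lines are judged by the DLL they load rather than by rundll32.exe itself.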