Home » Viren, Trojaner & Malware Forum » Ich züchte Trojaner :( » Themenansicht

Ich züchte Trojaner :(
#0
17.10.2005, 18:19
magicalforge
...neu hier

Beiträge: 2
#1 Ich züchte Trojaner ;)

- Click.AG.dj.13 A
system32/intmon.exe

- Click.Agen.cr11
system32/hhk.dll
system32/msole32.exe

- Favadd.aj.4
system32/ole32vbs.exe

Antivir hat sie gefunden, und ich habe versucht sie im abgesicherten modus mit der kill-box zu.. öhmm.. killlen..
die biester kommen aber wieder ;)

und nu?

Hier direkt mal das Logfile.

---------schnipp---------

Logfile of HijackThis v1.99.1
Scan saved at 18:10:04, on 17.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\D-Tools\daemon.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\Programme\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Programme\FRITZ!\FriFax32.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\SpeedProject\SpeedCommander VI\SpeedCommander.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Programme\Gemeinsame Dateien\ReGet Shared\Catcher.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Programme\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [HDInspector.exe] C:\Programme\Festplatten-Inspektor\HDInspector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Programme\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: FRITZ!fax.lnk = C:\Programme\FRITZ!\FriFax32.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: A&lles mit ReGet Deluxe herunterladen - C:\Programme\Gemeinsame Dateien\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Herunterladen mit Re&Get Deluxe - C:\Programme\Gemeinsame Dateien\ReGet Shared\CC_Link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
Seitenanfang Seitenende
18.10.2005, 14:42
Sabina
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 Hallo@magicalforge

CCleaner (loesche alle temp-Dateien)
http://virus-protect.org/temp.html

ich brauche folgende Logs:

Download f-secure-Beta Trial
http://www.f-secure.com/blacklight/
doppelklick: blbeta.exe
nach dem Check klicke -- next
nun findet man eine Textdatei auf dem Desktop: kopiere sie in deinen Thread

Datfinbad - abarbeiten und alle 4 Logs in den Thread kopieren (mit Pfad)
http://virus-protect.org/datfindbat.html

Winpfind
http://virus-protect.org/winpfind.html

Silentrunners
http://virus-protect.org/silentrunner.html
klicke: output file is in text format. --> Doppelklick und es oeffnet sich der Editor -- und poste alles, was angezeigt wird.
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
18.10.2005, 17:23
magicalforge
...neu hier

Themenstarter

Beiträge: 2
#3 CCleaner > erledigt

f-secure-Beta Trial - Log
10/18/05 17:09:38 [Info]: BlackLight Engine 1.0.23 initialized
10/18/05 17:09:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/18/05 17:09:39 [Note]: 4019 4
10/18/05 17:09:39 [Note]: 4005 0
10/18/05 17:09:41 [Note]: 4006 0
10/18/05 17:09:41 [Note]: 4011 1348
10/18/05 17:09:42 [Note]: FSRAW library version 1.7.1011
10/18/05 17:10:35 [Note]: 4007 0

Datfinbad Log 1
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: E4F5-2A2F

Verzeichnis von C:\WINDOWS\system32

17.10.2005 00:04 13.070 wpa.dbl
08.10.2005 01:26 3.741 jupdate-1.5.0_04-b05.log
22.09.2005 14:10 5 AuxDrv32ds_g.ods
22.09.2005 14:10 5 SndDrv32ds_g.ods
22.09.2005 00:04 4.286 ot.ico
22.09.2005 00:04 4.286 ts.ico
20.09.2005 18:10 166.712 FNTCACHE.DAT
09.09.2005 08:30 176.167 rmoc3260.dll
09.09.2005 08:30 5.632 pndx5032.dll
09.09.2005 08:30 6.656 pndx5016.dll
09.09.2005 08:30 278.528 pncrt.dll
07.09.2005 20:44 311.740 perfh009.dat
07.09.2005 20:44 40.128 perfc009.dat
07.09.2005 20:44 316.924 perfh007.dat
07.09.2005 20:44 48.354 perfc007.dat
07.09.2005 20:44 723.744 PerfStringBackup.INI
07.09.2005 20:32 251 spupdwxp.log
05.09.2005 11:27 0 h323log.txt
05.09.2005 10:50 13.048 wpa.bak
05.09.2005 10:46 25.065 wmpscheme.xml
05.09.2005 10:41 261 $winnt$.inf
05.09.2005 10:37 2.951 CONFIG.NT
05.09.2005 10:37 16.832 amcompat.tlb
05.09.2005 10:37 23.392 nscompat.tlb
05.09.2005 10:35 488 WindowsLogon.manifest
05.09.2005 10:35 488 logonui.exe.manifest
05.09.2005 10:35 749 cdplayer.exe.manifest
05.09.2005 10:35 749 wuaucpl.cpl.manifest
05.09.2005 10:35 749 sapi.cpl.manifest
05.09.2005 10:35 749 nwc.cpl.manifest
05.09.2005 10:35 749 ncpa.cpl.manifest
05.09.2005 10:32 21.740 emptyregdb.dat
13.08.2005 21:41 118.784 sirenacm.dll
04.08.2005 18:54 1.457.496 MRT.exe
17.06.2005 00:18 81.920 ac3acm.acm

Datfinbad Log 2
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: E4F5-2A2F

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

18.10.2005 16:30 512 ~DF138.tmp
1 Datei(en) 512 Bytes
0 Verzeichnis(se), 25.021.100.032 Bytes frei

Datfinbad Log 3
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: E4F5-2A2F

Verzeichnis von C:\WINDOWS

18.10.2005 08:02 159 wiadebug.log
18.10.2005 08:02 50 wiaservc.log
18.10.2005 08:02 257.781 WindowsUpdate.log
18.10.2005 08:02 2.048 bootstat.dat
17.10.2005 17:53 13.722 SchedLgU.Txt
16.10.2005 20:51 1.125 winamp.ini
13.10.2005 14:54 49 NeroDigital.ini
13.10.2005 12:06 50.038 ACD Wallpaper.bmp
09.10.2005 10:52 124 cdplayer.ini
08.10.2005 21:31 737.280 iun6002.exe
02.10.2005 21:40 48 scmate.ini
02.10.2005 21:38 406 NEST_.INI
23.09.2005 17:17 848 win.ini
23.09.2005 14:51 316.640 WMSysPr9.prx
22.09.2005 11:28 356 system.ini
06.09.2005 08:36 8.192 o2cLicStore.bin
06.09.2005 08:15 4.161 ODBCINST.INI
05.09.2005 22:20 992 WaveRec.ini
05.09.2005 12:31 400 ODBC.INI
05.09.2005 11:25 0 Sti_Trace.log
05.09.2005 11:05 25 SpeedCommander.INI
05.09.2005 10:42 8.192 REGLOCS.OLD
05.09.2005 10:37 0 control.ini
05.09.2005 10:37 299.552 WMSysPrx.prx
05.09.2005 10:35 749 WindowsShell.Manifest
05.09.2005 10:32 36 vb.ini
05.09.2005 10:32 37 vbaddin.ini
04.08.2004 09:58 288.768 winhlp32.exe
04.08.2004 09:58 32.866 slrundll.exe
04.08.2004 09:58 153.600 regedit.exe
04.08.2004 09:58 153.600 REGEDIT.COM
04.08.2004 09:58 153.600 R.COM
04.08.2004 09:58 70.144 notepad.exe
04.08.2004 09:57 10.752 hh.exe
04.08.2004 09:57 1.035.264 explorer.exe
04.08.2004 09:57 50.688 twain_32.dll
23.04.2004 14:18 167.936 snui.exe

Datfinbad Log 4
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: E4F5-2A2F

Verzeichnis von C:\

18.10.2005 17:12 0 sys.txt
18.10.2005 17:12 3.604 system.txt
18.10.2005 17:12 294 systemtemp.txt
18.10.2005 17:11 103.252 system32.txt
18.10.2005 08:03 0 palsound.txt
18.10.2005 08:02 536.379.392 hiberfil.sys
18.10.2005 08:02 805.306.368 pagefile.sys
13.10.2005 17:56 858 Flash Fun - http--bambusratte_com - http--crazi_de.htm
30.09.2005 10:08 9.728 Thumbs.db
14.09.2005 08:57 286 msgpart
07.09.2005 20:24 211 boot.ini
07.09.2005 20:07 47.564 NTDETECT.COM
07.09.2005 20:07 251.184 ntldr
05.09.2005 10:37 0 IO.SYS
05.09.2005 10:37 0 CONFIG.SYS
05.09.2005 10:37 0 AUTOEXEC.BAT
05.09.2005 10:37 0 MSDOS.SYS
18.08.2001 14:00 4.952 bootfont.bin
18 Datei(en) 1.342.107.693 Bytes
0 Verzeichnis(se), 25.021.100.032 Bytes frei

Winpfind - Log
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 02.10.2003 02:20:48 61952 C:\WINDOWS\daemon.dll

Checking %System% folder...
aspack 26.05.2005 15:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
PEC2 18.08.2001 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 15.05.2004 16:10:42 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 19.06.2004 18:28:44 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
PECompact2 04.08.2005 18:54:06 1457496 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2005 18:54:06 1457496 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 09:57:08 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 29.01.2003 11:10:06 7168 C:\WINDOWS\SYSTEM32\ogg.dll
Umonitor 04.08.2004 09:57:32 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 11.03.2003 12:56:36 23040 C:\WINDOWS\SYSTEM32\ThriXXX010104Z.dll
UPX! 11.03.2003 12:56:52 51200 C:\WINDOWS\SYSTEM32\ThriXXX010205PNG.dll
UPX! 11.03.2003 12:56:24 56832 C:\WINDOWS\SYSTEM32\ThriXXX015003JP2.dll
UPX! 29.01.2003 11:10:06 46592 C:\WINDOWS\SYSTEM32\vorbis.dll
winsync 18.08.2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 04.08.2004 07:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
18.10.2005 08:02:44 S 2048 C:\WINDOWS\bootstat.dat
06.09.2005 08:36:38 HS 8192 C:\WINDOWS\o2cLicStore.bin
05.09.2005 10:35:24 RH 749 C:\WINDOWS\WindowsShell.Manifest
05.09.2005 10:35:34 H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
05.09.2005 10:36:44 HS 67 C:\WINDOWS\Fonts\desktop.ini
05.09.2005 10:54:02 H 0 C:\WINDOWS\inf\oem0.inf
05.09.2005 10:35:34 H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
05.09.2005 10:36:08 RHS 243468 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
05.09.2005 10:36:08 RHS 20293 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
05.09.2005 10:36:08 RHS 765 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
07.09.2005 20:24:22 RHS 333502 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
05.09.2005 10:37:32 H 237568 C:\WINDOWS\repair\ntuser.dat
22.09.2005 14:10:54 HS 5 C:\WINDOWS\system32\AuxDrv32ds_g.ods
05.09.2005 10:35:24 RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
05.09.2005 10:35:34 RH 488 C:\WINDOWS\system32\logonui.exe.manifest
05.09.2005 10:35:24 RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
05.09.2005 10:35:24 RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
05.09.2005 10:35:24 RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
05.09.2005 10:35:34 RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
05.09.2005 10:35:24 RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
18.10.2005 08:03:18 H 1024 C:\WINDOWS\system32\config\default.LOG
18.10.2005 12:01:06 H 1024 C:\WINDOWS\system32\config\SAM.LOG
18.10.2005 08:03:18 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
18.10.2005 17:17:04 H 1024 C:\WINDOWS\system32\config\software.LOG
18.10.2005 17:10:44 H 1024 C:\WINDOWS\system32\config\system.LOG
05.09.2005 12:20:22 H 1024 C:\WINDOWS\system32\config\TempKey.LOG
05.09.2005 12:20:22 H 1024 C:\WINDOWS\system32\config\userdiff.LOG
07.09.2005 18:36:22 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
05.09.2005 11:21:46 HS 62 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\desktop.ini
05.09.2005 11:21:46 HS 62 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\desktop.ini
05.09.2005 10:36:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\desktop.ini
05.09.2005 10:36:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\desktop.ini
05.09.2005 10:36:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\65SH8FW4\desktop.ini
05.09.2005 10:36:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DQ3N9KXG\desktop.ini
05.09.2005 10:36:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G76ZB7TS\desktop.ini
05.09.2005 10:36:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\J5ZK1C7V\desktop.ini
05.09.2005 10:36:14 HS 113 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\desktop.ini
05.09.2005 10:36:14 HS 113 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\desktop.ini
05.09.2005 10:35:38 HS 187 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
05.09.2005 11:21:46 HS 62 C:\WINDOWS\system32\config\systemprofile\Startmenü\desktop.ini
05.09.2005 10:37:30 HS 208 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\desktop.ini
05.09.2005 10:37:30 HS 84 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
05.09.2005 10:37:30 HS 495 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Zubehör\desktop.ini
05.09.2005 10:37:30 HS 303 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Zubehör\Eingabehilfen\desktop.ini
05.09.2005 10:37:30 HS 84 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Zubehör\Unterhaltungsmedien\desktop.ini
07.09.2005 20:31:56 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\024270ba-a90e-4e3c-8b74-f74ced35a40b
07.09.2005 20:31:56 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
18.10.2005 08:02:46 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 09:58:22 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 09:58:22 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 09:58:22 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 09:58:22 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 09:58:22 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03.06.2005 03:52:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 09:58:22 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 09:58:22 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 09:58:22 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 09:58:22 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
30.07.1998 13:44:02 14336 C:\WINDOWS\SYSTEM32\pmxusb.cpl
Microsoft Corporation 04.08.2004 09:58:22 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 09:58:22 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 09:58:22 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 09:58:22 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
05.09.2005 10:37:30 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
05.09.2005 12:05:52 650 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\FRITZ!fax.lnk
21.07.2005 00:26:16 30720 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\palstart.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
05.09.2005 11:21:46 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
05.09.2005 10:37:30 HS 84 C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
05.09.2005 11:21:46 HS 62 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\desktop.ini
19.09.2005 15:47:18 42928 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16664845-0E00-11D2-8059-000000000000}
ClickCatcher MSIE handler = C:\Programme\Gemeinsame Dateien\ReGet Shared\Catcher.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{17939A30-18E2-471E-9D3A-56DD725F1215} = ReGet Bar : C:\Programme\ReGetDx\iebar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DAEMON Tools-1033 "C:\Programme\D-Tools\daemon.exe" -lang 1033
HotKey C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
AVGCtrl "C:\Programme\AVPersonal\AVGNT.EXE" /min
HDInspector.exe C:\Programme\Festplatten-Inspektor\HDInspector.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
SunJavaUpdateSched C:\Programme\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Gadwin PrintScreen 2.6 C:\Programme\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
SpybotSD TeaTimer C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
CDRAutoRun 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32\PlacesBar
Place0 8
Place1 0
Place2 5
Place3 17
Place4 18

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 18.10.2005 17:20:43

Silentrunners - Log
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadwin PrintScreen 2.6" = "C:\Programme\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash" ["Gadwin Systems, Inc."]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DAEMON Tools-1033" = ""C:\Programme\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"HotKey" = "C:\WINDOWS\Twain_32\FlatBed\HotKey.exe" ["Pmx. Electronics Ltd."]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"HDInspector.exe" = "C:\Programme\Festplatten-Inspektor\HDInspector.exe" [file not found]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{16664845-0E00-11D2-8059-000000000000}\(Default) = "ClickCatcher MSIE handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\ReGet Shared\Catcher.dll" ["ReGet Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"FRITZ!fax" -> shortcut to: "C:\Programme\FRITZ!\FriFax32.exe" ["AVM Berlin"]
INFECTION WARNING! "palstart.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{17939A30-18E2-471E-9D3A-56DD725F1215}" = "ReGet Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ReGetDx\iebar.dll" ["ReGet Software"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
FRITZ!fax Color Port Monitor\Driver = "FritzColorPort.dll" ["AVM Berlin GmbH"]
FRITZ!fax Port Monitor\Driver = "FritzPort.dll" ["AVM Berlin GmbH"]
HPZLNT09\Driver = "hpzlnt09.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 31 seconds, including 3 seconds for message boxes)


Done.. ;)

So, ich hoffe damit ist was anzufangen

lg
Seitenanfang Seitenende
18.10.2005, 18:10
Sabina
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 arbeite das bitte ab und poste den scanreport
smitRem TOOL (Entfernungstool)
http://noahdfear.geekstogo.com/

öffne smitRem folder,Doppelklick: RunThis.bat
warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)
suche smitfiles.txt und poste die Textdatei in den Thread

loeschen
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren:
Seite(n): 1