TR/Click.526 - Wie werde ich es los? |
||
---|---|---|
#0
| ||
23.10.2005, 09:12
...neu hier
Beiträge: 3 |
||
|
||
23.10.2005, 10:09
Moderator
Beiträge: 7805 |
#2
Das sieht mir nach Rootkit aus. Nutzte bitte mal Blacklight http://www.f-secure.com/blacklight/try.shtml
Lade es herunter, entpacke es in einen extra Ordner, starte es, waehle folgendes, erst " i acept the agreement", dann "scan", warte bis es den REchner geprueft hat, dann "next" und "exit". Es befindet sich nun eine TXT Datei in dem Ordner, in dem sich auch Blacklight befindet, post es bitte hier. __________ MfG Ralf SEO-Spam Hunter |
|
|
||
23.10.2005, 13:10
...neu hier
Themenstarter Beiträge: 3 |
#3
Besten Dank für Deine Hilfe!
Hier das Logfile: 10/23/05 13:05:52 [Info]: BlackLight Engine 1.0.23 initialized 10/23/05 13:05:52 [Info]: OS: 5.1 build 2600 (Service Pack 2) 10/23/05 13:05:52 [Note]: 4019 4 10/23/05 13:05:52 [Note]: 4005 0 10/23/05 13:05:55 [Note]: 4006 0 10/23/05 13:05:55 [Note]: 4011 1292 10/23/05 13:05:55 [Note]: FSRAW library version 1.7.1011 10/23/05 13:06:19 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe 10/23/05 13:06:19 [Note]: 10002 1 10/23/05 13:06:33 [Info]: Hidden file: C:\WINDOWS\system32\favme.exe 10/23/05 13:06:34 [Note]: 10002 1 10/23/05 13:06:44 [Info]: Hidden file: C:\WINDOWS\system32\BNDMOD.EXE.VIR 10/23/05 13:07:35 [Note]: 4002 5 10/23/05 13:07:35 [Note]: 4003 1 10/23/05 13:07:35 [Note]: 10002 1 10/23/05 13:07:46 [Info]: Hidden file: C:\WINDOWS\system32\dmjuk.exe 10/23/05 13:07:46 [Note]: 4002 32 10/23/05 13:07:46 [Note]: 4003 1 10/23/05 13:07:46 [Note]: 10002 1 10/23/05 13:07:56 [Info]: Hidden file: C:\WINDOWS\system32\hlmicro.exe 10/23/05 13:07:57 [Note]: 10002 1 10/23/05 13:08:06 [Info]: Hidden file: C:\WINDOWS\system32\hwiper.exe 10/23/05 13:08:16 [Note]: 4002 5 10/23/05 13:08:16 [Note]: 4003 1 10/23/05 13:08:16 [Note]: 10002 1 10/23/05 13:08:30 [Info]: Hidden file: C:\WINDOWS\system32\csqsj.exe 10/23/05 13:08:30 [Note]: 4002 32 10/23/05 13:08:30 [Note]: 4003 1 10/23/05 13:08:30 [Note]: 10002 1 10/23/05 13:09:43 [Note]: 4007 0 |
|
|
||
23.10.2005, 13:16
Moderator
Beiträge: 7805 |
#4
Dann starte blacklight nochmal und lasse alle Dateien, die es anzeigt umbenennen, ausser dieser:
10/23/05 13:06:19 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe Dann lass Blaklight den Rechner neu starten. fixe alle "O17" Eintraege, starte nocheinmal neu, gehe ins Internet, erstelle ein neues Hijackthis log und das auch bitte hier posten. Bitte schicke die umbenannten Dateien, sie heissen jetzt z.B. C:\WINDOWS\system32\hlmicro.exe.ren anstatt C:\WINDOWS\system32\hlmicro.exe an virus@protecus.de __________ MfG Ralf SEO-Spam Hunter |
|
|
||
27.10.2005, 17:54
Member
Beiträge: 21 |
#5
hallo, ich bin Laie und habe ein böses Problem.... das Antivir schlegt alarm
und es kommt immer wieder die Warnung: C:\WINDOWS\SYSTEM32\BNDMOD.EXE Ist das Trojanische Pferd TR/Click.526 Ich hatte mich hier im Forum schon ein wenig eingelesen... könnte sich das Logfile bitte mal jemand genauer ansehen? Danke Logfile of HijackThis v1.99.1 Scan saved at 17:29:45, on 27.10.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE C:\Programme\AVPersonal\AVWUPSRV.EXE C:\WINDOWS\system32\Brmfrmps.exe C:\WINDOWS\System32\nvsvc32.exe C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\rmctrl.exe C:\Programme\QuickTime\qttask.exe C:\Programme\ScanSoft\PaperPort\pptd40nt.exe C:\Programme\AVPersonal\AVSched32.EXE C:\Programme\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\Programme\AVPersonal\AVGNT.EXE C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Internet Explorer\iexplore.exe C:\Programme\WinRAR\WinRAR.exe C:\DOKUME~1\bho\LOKALE~1\Temp\Rar$EX05.603\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Messenger\ycomp.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Messenger\ycomp.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl04a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min O4 - HKLM\..\Run: [CleanUp XP] C:\Programme\CleanUp XP\CleanUp.exe -h O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/ O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.04.03&http://www.opel.de/res/download/rtt/meriva/meriva3d.html O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096581686679 O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{110BF745-59E2-46A4-BB07-717736F774C8}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{BA74C33F-6863-43D2-ABF4-DCB4F1B0D58A}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B52C11-7E06-4E69-A9E3-5AED9EECD6E8}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CS1\Services\Tcpip\..\{110BF745-59E2-46A4-BB07-717736F774C8}: NameServer = 85.255.114.52,85.255.112.74 O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: RVS Installer (RVSINST) - RVS Datentechnik GmbH, München - C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe |
|
|
||
27.10.2005, 18:23
Moderator
Beiträge: 7805 |
#6
Dann arbeite mal das ab, was ich ab 23.10.2005, 10:09 beschrieben habe, sprih Blacklight log posten und dann mal weiter schauen.
__________ MfG Ralf SEO-Spam Hunter |
|
|
||
27.10.2005, 18:57
Member
Beiträge: 21 |
#7
@raman
hier die Blacklight log 10/27/05 18:49:30 [Info]: BlackLight Engine 1.0.24 initialized 10/27/05 18:49:30 [Info]: OS: 5.1 build 2600 (Service Pack 2) 10/27/05 18:49:31 [Note]: 4019 4 10/27/05 18:49:31 [Note]: 4005 0 10/27/05 18:49:35 [Note]: 4006 0 10/27/05 18:49:35 [Note]: 4011 572 10/27/05 18:49:36 [Note]: FSRAW library version 1.7.1013 10/27/05 18:50:18 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe 10/27/05 18:50:18 [Note]: 10002 1 10/27/05 18:50:29 [Info]: Hidden file: C:\WINDOWS\system32\csing.exe 10/27/05 18:50:29 [Note]: 4002 32 10/27/05 18:50:29 [Note]: 4003 1 10/27/05 18:50:29 [Note]: 10002 1 10/27/05 18:50:30 [Info]: Hidden file: C:\WINDOWS\system32\favme.exe 10/27/05 18:50:30 [Note]: 10002 1 10/27/05 18:50:36 [Info]: Hidden file: C:\WINDOWS\system32\hwiper.exe 10/27/05 18:50:36 [Note]: 10002 1 10/27/05 18:51:46 [Note]: 4007 0 |
|
|
||
27.10.2005, 19:03
Moderator
Beiträge: 7805 |
#8
Bei dir gilt das selbe wie fuer fisherman
"Dann starte blacklight nochmal und lasse alle Dateien, die es anzeigt umbenennen, ausser dieser: 10/23/05 13:06:19 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe Dann lass Blaklight den Rechner neu starten. fixe alle "O17" Eintraege, starte nocheinmal neu, gehe ins Internet, erstelle ein neues Hijackthis log und das auch bitte hier posten. Bitte schicke die umbenannten Dateien, sie heissen jetzt z.B. C:\WINDOWS\system32\hlmicro.exe.ren anstatt C:\WINDOWS\system32\hlmicro.exe an virus@protecus.de" __________ MfG Ralf SEO-Spam Hunter |
|
|
||
27.10.2005, 19:21
Member
Beiträge: 21 |
#9
@raman
ich bin froh das ich weiß wie man den rechner startet... wie stelle ich das an mit der Umbenennung der Dateien im Programm Blacklight? Wenn ich im Pogramm umbenennen kann (Step 2) habe ich 4 Zeilen: csing.exe favme.exe hwiper.exe wbemtest.exe Die ersten drei anklicken und dann auf Rename??? Ich hoffe, dass ich nix falsch machen |
|
|
||
27.10.2005, 19:25
Moderator
Beiträge: 7805 |
#10
Ja, die Dateien musst du "renamen" lassen
csing.exe favme.exe hwiper.exe Dann neu starten und ein aktuelles Hijackthis log posten. __________ MfG Ralf SEO-Spam Hunter |
|
|
||
27.10.2005, 20:50
Member
Beiträge: 21 |
#11
Hier das Hijackthis nach dem Neustart
Logfile of HijackThis v1.99.1 Scan saved at 20:52:21, on 27.10.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE C:\Programme\AVPersonal\AVWUPSRV.EXE C:\WINDOWS\system32\Brmfrmps.exe C:\WINDOWS\System32\nvsvc32.exe C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\rmctrl.exe C:\Programme\QuickTime\qttask.exe C:\Programme\ScanSoft\PaperPort\pptd40nt.exe C:\Programme\AVPersonal\AVSched32.EXE C:\Programme\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\Programme\AVPersonal\AVGNT.EXE C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Internet Explorer\iexplore.exe C:\Programme\WinRAR\WinRAR.exe C:\DOKUME~1\bho\LOKALE~1\Temp\Rar$EX28.426\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Messenger\ycomp.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Messenger\ycomp.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl04a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min O4 - HKLM\..\Run: [CleanUp XP] C:\Programme\CleanUp XP\CleanUp.exe -h O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/ O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.04.03&http://www.opel.de/res/download/rtt/meriva/meriva3d.html O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096581686679 O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{110BF745-59E2-46A4-BB07-717736F774C8}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{BA74C33F-6863-43D2-ABF4-DCB4F1B0D58A}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B52C11-7E06-4E69-A9E3-5AED9EECD6E8}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CS1\Services\Tcpip\..\{110BF745-59E2-46A4-BB07-717736F774C8}: NameServer = 85.255.114.52,85.255.112.74 O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing) O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: RVS Installer (RVSINST) - RVS Datentechnik GmbH, München - C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe |
|
|
||
27.10.2005, 21:13
Moderator
Beiträge: 7805 |
#12
FIx bitte noch das:
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/ O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.04.03&http://www.opel.de/res/download/rtt/meriva/meriva3d.html O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096581686679 O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{110BF745-59E2-46A4-BB07-717736F774C8}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{BA74C33F-6863-43D2-ABF4-DCB4F1B0D58A}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B52C11-7E06-4E69-A9E3-5AED9EECD6E8}: NameServer = 85.255.114.52,85.255.112.74 O17 - HKLM\System\CS1\Services\Tcpip\..\{110BF745-59E2-46A4-BB07-717736F774C8}: NameServer = 85.255.114.52,85.255.112.74 O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file) Starte neu und nutze bitte einmal die Datentraegerbereinigung http://support.microsoft.com/default.aspx?scid=kb;de;315246 und mache dann einen kontrollscan mit Escan: ftp://ftp.microworldsystems.com/download/tools/mwav.exe kleine Erklaerung dazu findest du hier: http://cidres-security.de/escan.html ein Update ist nicht noetig. __________ MfG Ralf SEO-Spam Hunter |
|
|
||
27.10.2005, 22:00
Member
Beiträge: 21 |
#13
Hallo Ralf,
wie mache ich das? Ich meine die Dateien Fixen??? Muss ich die einzelnen Dateien raussuchen, dann anklicken und dann auf Fix checked klicken? Sorry, aber ich habe keine Ahnung was ich hier mache. Gruß Birgit |
|
|
||
27.10.2005, 22:01
Moderator
Beiträge: 7805 |
||
|
||
27.10.2005, 22:11
Member
Beiträge: 21 |
#15
Zitat raman posteteHallo Ralf, da bin ich wieder.... Der Escan ist sehr lang und irgendwie hat das Entpacken und dateianlegen nicht gefunzt....Ordner 'C:\Bases_X' navigieren und die 'kavupd.exe' ausführen... war nicht. Die Datei kann ich nirgens finden. ----------------- Dieser Beitrag wurde am 27.10.2005 um 23:05 Uhr von gleddes editiert.
|
|
|
||
Irgendwo hab ich mir diesen fiesen Trojaner eingefangen, AntiVir meldet ihn jedesmal, wenn ich nach Systemstart ins Internet gehe und den Explorer öffne. Ich wäre das Biest gern wieder los.
Ich habe mit WinPFind v1.4.1 und HijackThis v1.99.1 einen Scan gemacht. Vllt hilft das jemandem weiter:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 18.08.2001 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10.08.2005 00:14:00 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10.08.2005 00:14:00 692736 C:\WINDOWS\SYSTEM32\DivX.dll
aspack 04.08.2004 00:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 00:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18.08.2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
PTech 03.08.2004 22:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
23.10.2005 08:30:00 S 2048 C:\WINDOWS\bootstat.dat
11.09.2005 09:14:52 H 10820 C:\WINDOWS\Help\update.GID
23.10.2005 08:31:36 H 31767 C:\WINDOWS\system32\vsconfig.xml
15.10.2005 07:36:06 H 4212 C:\WINDOWS\system32\zllictbl.dat
23.10.2005 09:00:52 H 1024 C:\WINDOWS\system32\config\default.LOG
23.10.2005 08:30:06 H 1024 C:\WINDOWS\system32\config\SAM.LOG
23.10.2005 08:31:44 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
23.10.2005 08:58:22 H 1024 C:\WINDOWS\system32\config\software.LOG
23.10.2005 09:00:22 H 1024 C:\WINDOWS\system32\config\system.LOG
Checking for CPL files...
Microsoft Corporation 04.08.2004 00:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 00:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Logitech Inc. 08.10.2004 12:23:58 282624 C:\WINDOWS\SYSTEM32\camcpl.cpl
Microsoft Corporation 04.08.2004 00:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 14.12.1996 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 04.08.2004 00:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 00:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 00:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 00:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 00:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 00:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 00:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 00:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 20.07.2005 21:07:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 00:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 00:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 00:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 00:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 00:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04.08.2004 00:58:24 162816 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
20.08.2005 15:50:36 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
20.08.2005 16:35:54 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
20.08.2005 16:58:08 191 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hpzinstall.log
Checking files in %USERPROFILE%\Startup folder...
20.08.2005 15:50:36 HS 84 C:\Dokumente und Einstellungen\Tom\Startmenü\Programme\Autostart\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
20.08.2005 16:35:54 HS 62 C:\Dokumente und Einstellungen\Tom\Anwendungsdaten\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\programme\google\googletoolbar2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Zone Labs Client C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
AVWUpd32 "C:\PROGRA~1\AVWin\Avwupd32.EXE" /min
AVGCtrl C:\Programme\AVPersonal\AVGNT.EXE /min
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk
path C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader - Schnellstart
path C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader - Schnellstart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^hp psc 1000 series.lnk
path C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\Tools\HPALL-~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series
path C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\Tools\HPALL-~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^hpoddt01.exe.lnk
path C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\Tools\HPALL-~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
path C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\Tools\HPALL-~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^Tom^Startmenü^Programme^Autostart^Microsoft-Indexerstellung.lnk
path C:\Dokumente und Einstellungen\Tom\Startmenü\Programme\Autostart\Microsoft-Indexerstellung.lnk
backup C:\WINDOWS\pss\Microsoft-Indexerstellung.lnkStartup
location Startup
command C:\PROGRA~1\MICROS~2\Office\FINDFAST.EXE
item Microsoft-Indexerstellung
path C:\Dokumente und Einstellungen\Tom\Startmenü\Programme\Autostart\Microsoft-Indexerstellung.lnk
backup C:\WINDOWS\pss\Microsoft-Indexerstellung.lnkStartup
location Startup
command C:\PROGRA~1\MICROS~2\Office\FINDFAST.EXE
item Microsoft-Indexerstellung
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^Tom^Startmenü^Programme^Autostart^Office-Start.lnk
path C:\Dokumente und Einstellungen\Tom\Startmenü\Programme\Autostart\Office-Start.lnk
backup C:\WINDOWS\pss\Office-Start.lnkStartup
location Startup
command C:\PROGRA~1\MICROS~2\Office\OSA.EXE -b
item Office-Start
path C:\Dokumente und Einstellungen\Tom\Startmenü\Programme\Autostart\Office-Start.lnk
backup C:\WINDOWS\pss\Office-Start.lnkStartup
location Startup
command C:\PROGRA~1\MICROS~2\Office\OSA.EXE -b
item Office-Start
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVGCtrl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AVGNT
hkey HKLM
command "C:\Programme\AVWin\AVGNT.EXE" /min
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AVGNT
hkey HKLM
command "C:\Programme\AVWin\AVGNT.EXE" /min
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BearShare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BearShare
hkey HKLM
command "C:\Tools\Peer-to-Peer\BearShare\BearShare.exe" /pause
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BearShare
hkey HKLM
command "C:\Tools\Peer-to-Peer\BearShare\BearShare.exe" /pause
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Mixer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Mixer
hkey HKLM
command Mixer.exe /startup
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\C-Media Speaker Configuration
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Setup
hkey HKLM
command C:\PROGRA~2\C-Media\WIN_ME\Setup.exe /SPEAKER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Setup
hkey HKLM
command C:\PROGRA~2\C-Media\WIN_ME\Setup.exe /SPEAKER
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTFMON.EXE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hgqhp.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hgqhp
hkey HKLM
command C:\WINDOWS\system32\hgqhp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hgqhp
hkey HKLM
command C:\WINDOWS\system32\hgqhp.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechSoftwareUpdate
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ManifestEngine
hkey HKCU
command C:\Programme\Logitech\Video\ManifestEngine.exe boot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ManifestEngine
hkey HKCU
command C:\Programme\Logitech\Video\ManifestEngine.exe boot
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechVideoRepair
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISStart
hkey HKLM
command C:\Programme\Logitech\Video\ISStart.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISStart
hkey HKLM
command C:\Programme\Logitech\Video\ISStart.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechVideoTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LogiTray
hkey HKLM
command C:\Programme\Logitech\Video\LogiTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LogiTray
hkey HKLM
command C:\Programme\Logitech\Video\LogiTray.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMSX
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LVCOMSX
hkey HKLM
command C:\WINDOWS\system32\LVCOMSX.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LVCOMSX
hkey HKLM
command C:\WINDOWS\system32\LVCOMSX.EXE
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VVSN
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VVSN
hkey HKLM
command C:\Programme\VVSN\VVSN.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VVSN
hkey HKLM
command C:\Programme\VVSN\VVSN.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Tools\Winamp\winampa.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Tools\Winamp\winampa.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zBrowser Launcher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTouch
hkey HKLM
command C:\Programme\Logitech\iTouch\iTouch.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTouch
hkey HKLM
command C:\Programme\Logitech\iTouch\iTouch.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 23.10.2005 09:01:09
Logfile of HijackThis v1.99.1
Scan saved at 09:15:57, on 23.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\DOKUME~1\Tom\LOKALE~1\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wetter.com/v2/?SID=&LANG=DE&LOC=7000&LOCFROM=0202&type=WORLD&id=14533
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVWUpd32] "C:\PROGRA~1\AVWin\Avwupd32.EXE" /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{1325BB52-CEFB-4311-B79B-2C0071B386C2}: NameServer = 85.255.113.124,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{23265222-B18F-431A-86E4-CFA3D4D8EB86}: NameServer = 85.255.113.124,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE26009-F539-4022-A8BF-79ACBB0E101C}: NameServer = 85.255.113.124 85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{1325BB52-CEFB-4311-B79B-2C0071B386C2}: NameServer = 85.255.113.124,85.255.112.15
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe