Hijacked IE and Firefox, requesting hijackthis.log analysis

02.11.2005, 14:25
...new here

Posts: 4
#1 Hello everyone,
and thanks a lot in advance!

paypopup.com and its ilk open new windows in Internet Explorer and Firefox. Spybot and AdAware have already been run, and in the meantime I have also installed the MS AntiSpyware Beta; I also had the log evaluated at http://www.hijackthis.de/ and nothing suspicious was found.

I would ask all the pros to analyse the following code:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 14:08:55, on 02.11.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\webserver\Apache\Apache.exe
C:\webserver\Apache\Apache.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
d:\Programme\F-Secure\Common\FSMA32.EXE
d:\Programme\F-Secure\Common\FSMB32.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
d:\Programme\F-Secure\Common\FCH32.EXE
d:\Programme\F-Secure\Common\FAMEH32.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
d:\Programme\F-Secure\Common\FSGK32.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Programme\TridiaVNC\win32\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
d:\Programme\F-Secure\Common\FNRB32.EXE
d:\Programme\F-Secure\Common\FIH32.EXE
d:\Programme\F-Secure\Anti-Virus\fsav32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
D:\Programme\F-Secure\Common\FSM32.EXE
C:\Programme\Copy Handler\Copy Handler.exe
C:\Programme\FreePDF_XP\fpassist.exe
E:\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\WinRoll\winroll.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\Duden PC-Bib\PCLib.exe
C:\Programme\PrintKey2000\Printkey2000.exe
D:\Programme\tools\SSH_Win_Client\pageant.exe
C:\WINNT\system32\txtuser.exe
C:\Dokumente und Einstellungen\dandru\Desktop\Transparent\TransparentW.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Dokumente und Einstellungen\dandru\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deutsche-bank.de/pbc/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.deutsche-bank.de/pbc/index.html
O3 - Toolbar: Dme&x Toolbar - {3F756BC4-26CB-497E-9409-8F09C1850C80} - C:\Programme\DMEXBar\dmexbar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [F-Secure Manager] "d:\Programme\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Copy handler] C:\Programme\Copy Handler\Copy Handler.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [dynamicWall] C:\Programme\dynamicWall\DynamicWall.exe
O4 - HKCU\..\Run: [WinRoll] "C:\Programme\WinRoll\winroll.exe
O4 - HKCU\..\Run: [Dexpot 1.3] C:\Programme\Dexpot\dexpot.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Gaim] C:\Programme\Gaim\gaim.exe
O4 - Startup: Pageant.lnk = D:\Programme\tools\SSH_Win_Client\pageant.exe
O4 - Startup: Rainlendar.lnk = C:\Programme\Rainlendar\Rainlendar.exe
O4 - Startup: users.bat
O4 - Startup: Verknüpfung mit TransparentW.exe.lnk = C:\Dokumente und Einstellungen\dandru\Desktop\Transparent\TransparentW.exe
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = D:\Programme\Duden PC-Bib\PCLib.exe
O4 - Global Startup: Printkey2000.lnk = C:\Programme\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: &Document Tree - C:\WINNT\web\tree.htm
O8 - Extra context menu item: &Google Search - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINNT\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINNT\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINNT\WEB\selsearch.htm
O8 - Extra context menu item: Backward &Links - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINNT\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINNT\WEB\frm2new.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Programme\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Validate XML - C:\WINNT\web\msxmlval.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINNT\web\source.htm
O8 - Extra context menu item: View XSL Output - C:\WINNT\web\msxmlvw.htm
O8 - Extra context menu item: Zoom &In - C:\WINNT\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINNT\WEB\zoomout.htm
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINNT\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINNT\web\tree.htm
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Programme\netscape461\Program\AIM\AIM.EXE (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programme\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programme\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://map.zdf.de/archiv/et14/et14_ventoux/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/dribnif/de/win/QuickTimeInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/de/deleon/1.1.60-deleon/GoogleNav.cab
O16 - DPF: {ADC3EA10-8A28-41A9-96B4-534ADFC3CA0A} (Configuratore Auto Control) - http://www.buy@fiat.de/components/ocx/autopricer/configuratoreauto.cab
O16 - DPF: {B7BCF6D1-6EF6-11D2-97A1-0000C0EAE6E4} (Sausage Software Installer/Uninstaller) - http://autodownload.sausage.com/Installer.cab
O16 - DPF: {EC1AFAB0-2FEB-11D2-9777-0000C0EAE6E4} (Sausage Software Autodownloader) - http://autodownload.sausage.com/IEAutoDL.cab
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\k0pm0a71ed.dll
O23 - Service: Apache - Unknown owner - C:\webserver\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: FS BackWeb (BackWeb Client - 7681197) - Unknown owner - d:\PROGRA~1\F-Secure\BackWeb\7681197\PROGRAM\SERVIC~1.EXE
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - d:\Programme\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - d:\Programme\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - d:\Programme\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - d:\Programme\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINNT\system32\OOD2000.exe
Many, many thanks, otherwise I will end up having to buy "roboraptor.com" products ;o)
Daniel-2
02.11.2005, 14:59
Honorary member
Sabina

Posts: 29434
#2 Hello @Daniel-2

(Look2Me infestation)

apply option 1 and post the scan report
http://virus-protect.org/l2mfix.html
__________
Regards, Sabina

all about PC security
02.11.2005, 16:04
...new here

Thread starter

Posts: 4
#3 Well, thanks a lot already, that sounds very professional ;)

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\k0pm0a71ed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{BDD27F7D-1E56-096A-B0FC-C92AB9D14246}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften für Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite für Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell-Erweiterungen für Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL-Erweiterung"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung für Datenträgerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell-Erweiterungen für Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell-Erweiterungen für die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung für Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmenü für die Verschlüsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung für HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell-Erweiterungen für Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen für Windows Script Host"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerk- und DFÜ-Verbindungen"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="Arbeitsplatz"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Aktenkoffer"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Ordnerverknüpfung"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Bereitgestellter Datenträger"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automationsdienst"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Startmenü"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag & Drop-Hilfe"
"{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Verschlüsselungselemente zu den Kontextmenüs im Explorer hinzufügen"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begrüßungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Miniaturansicht"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}"="Allaire FTP & RDS"
"{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Shell Extension"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{67C63340-679B-11D2-92EE-000021474C11}"="OpenExpert Extensions"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{3a9ae750-cf44-11cf-8835-0020afc04e78}"="Psion-Arbeitsplatz"
"{2F860D82-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Drag Drop Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}"="IZArc DragDrop Menu"
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"="IZArc Shell Context Menu"
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}"="Mobile"
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}"="Mobile ContextMenuHandler"
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}"="Mobile PropertySheetHandler"
@=""
"{6af09ec9-b429-11d4-a1fb-0090960218cb}"="My Bluetooth Places"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{FEB7DAE0-E111-11D0-BFD7-444553540000}"="ICEOWS"
"{01911620-77B1-11D5-B898-000374890932}"="WinPTEE"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknüpfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{75AFF9B1-799E-486C-AB87-42006BDF15A1}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{75AFF9B1-799E-486C-AB87-42006BDF15A1}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75AFF9B1-799E-486C-AB87-42006BDF15A1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75AFF9B1-799E-486C-AB87-42006BDF15A1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75AFF9B1-799E-486C-AB87-42006BDF15A1}\InprocServer32]
@="C:\\WINNT\\system32\\IFETCOMM.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
catsrv.dll Mon 5 Sep 2005 9:18:20 A.... 165.648 161,77 K
catsrvut.dll Mon 5 Sep 2005 9:18:20 A.... 595.728 581,77 K
cdosys.dll Tue 30 Aug 2005 10:29:34 A.... 2.532.112 2,41 M
clbcatex.dll Mon 5 Sep 2005 9:18:20 A.... 97.040 94,77 K
clbcatq.dll Mon 5 Sep 2005 9:18:20 A.... 551.184 538,27 K
colbact.dll Mon 5 Sep 2005 9:18:20 A.... 41.744 40,77 K
comrepl.dll Mon 5 Sep 2005 9:18:20 A.... 99.088 96,77 K
comsvcs.dll Mon 5 Sep 2005 9:18:22 A.... 1.477.904 1,41 M
comuid.dll Mon 5 Sep 2005 9:18:22 A.... 641.296 626,27 K
danim.dll Fri 2 Sep 2005 10:07:00 A.... 988.160 965,00 K
dxtrans.dll Fri 2 Sep 2005 15:35:16 A.... 192.000 187,50 K
es.dll Mon 5 Sep 2005 9:18:20 A.... 242.960 237,27 K
gwfspi~1.dll Mon 29 Aug 2005 13:27:06 A.... 23.304 22,76 K
ifetcomm.dll Wed 2 Nov 2005 9:40:48 ..S.R 234.272 228,78 K
jtp407~1.dll Wed 2 Nov 2005 9:40:46 ..S.R 234.749 229,25 K
k0pm0a~1.dll Tue 1 Nov 2005 12:58:12 ..S.R 234.272 228,78 K
kernel32.dll Tue 16 Aug 2005 10:17:10 A.... 768.272 750,27 K
legitc~1.dll Mon 29 Aug 2005 13:27:12 A.... 520.968 508,76 K
linkinfo.dll Fri 23 Sep 2005 12:03:10 A.... 17.680 17,27 K
msdtclog.dll Mon 5 Sep 2005 9:18:22 A.... 96.016 93,77 K
msdtcprx.dll Mon 5 Sep 2005 9:18:22 A.... 739.600 722,27 K
msdtctm.dll Mon 5 Sep 2005 9:18:22 A.... 1.200.400 1,14 M
msdtcui.dll Mon 5 Sep 2005 9:18:22 A.... 153.872 150,27 K
mshtml.dll Tue 4 Oct 2005 11:33:40 A.... 2.700.288 2,57 M
msieftp.dll Fri 5 Aug 2005 17:19:40 A.... 252.688 246,77 K
mstime.dll Fri 2 Sep 2005 16:31:26 A.... 496.128 484,50 K
mtxclu.dll Mon 5 Sep 2005 9:18:22 A.... 52.496 51,27 K
mtxdm.dll Mon 5 Sep 2005 9:18:24 A.... 26.896 26,27 K
mtxlegih.dll Mon 5 Sep 2005 9:18:24 A.... 35.600 34,77 K
mtxoci.dll Mon 5 Sep 2005 9:18:24 A.... 122.640 119,77 K
netman.dll Tue 16 Aug 2005 9:34:56 A.... 100.112 97,77 K
ntdll.dll Tue 16 Aug 2005 10:17:10 A.... 505.616 493,77 K
nwwks.dll Mon 22 Aug 2005 10:20:30 A.... 61.200 59,77 K
ole32.dll Mon 5 Sep 2005 9:18:18 A.... 957.712 935,27 K
olecnv32.dll Mon 5 Sep 2005 9:18:20 A.... 36.624 35,77 K
quartz.dll Tue 30 Aug 2005 8:26:24 A.... 1.233.408 1,18 M
rpcss.dll Mon 5 Sep 2005 9:18:20 A.... 212.240 207,27 K
shell32.dll Fri 23 Sep 2005 12:03:10 A.... 2.385.168 2,27 M
shlwapi.dll Wed 31 Aug 2005 17:51:46 A.... 409.600 400,00 K
spmsg.dll Tue 16 Aug 2005 23:31:58 ..... 15.072 14,72 K
stclient.dll Mon 5 Sep 2005 9:18:24 A.... 71.440 69,77 K
txfaux.dll Mon 5 Sep 2005 9:18:20 A.... 398.608 389,27 K
umpnpmgr.dll Fri 2 Sep 2005 10:24:00 A.... 94.992 92,77 K
urlmon.dll Fri 2 Sep 2005 16:31:26 A.... 458.752 448,00 K
webvw.dll Fri 23 Sep 2005 12:03:12 A.... 1.122.576 1,07 M
winsrv.dll Fri 23 Sep 2005 12:03:12 A.... 245.520 239,77 K
xolehlp.dll Mon 5 Sep 2005 9:18:24 A.... 20.240 19,77 K

47 items found: 47 files (3 H/S), 0 directories.
Total of file sizes: 23.863.885 bytes 22,76 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Datenträger in Laufwerk C: ist System
Datenträgernummer: C08F-0BD6

Verzeichnis von C:\WINNT\System32

02.11.2005 09:40 234.272 IFETCOMM.DLL
02.11.2005 09:40 234.749 jtp4077qe.dll
01.11.2005 12:58 234.272 k0pm0a71ed.dll
01.11.2005 09:04 <DIR> dllcache
3 Datei(en) 703.293 Bytes
1 Verzeichnis(se), 110.223.360 Bytes frei
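The persistence point this thread is circling is visible twice: in the HijackThis line "O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\k0pm0a71ed.dll" in post #1, and in the CSCSettings subkey of the L2MFix Winlogon/notify dump in post #3, whose DllName is an absolute path to a DLL dated the day before the post and listed with the S/H/R attributes, while every stock handler in the same dump (crypt32chain, cryptnet, cscdll, sclgntfy, SensLogn, wzcnotif) uses a bare DLL name. The Python script below is an added example for this page, not part of HijackThis, L2MFix or the thread: it parses both formats (including REG_EXPAND_SZ values that regedit exports as hex(2): UTF-16LE bytes with backslash line continuations) and flags handlers that are not on a stock-DLL allowlist, use an absolute path, or carry a random-looking file name. The allowlist, the random-name heuristic and the two sample inputs are constructed for the example and are not taken from the thread verbatim.

```python
"""Triage Winlogon\\Notify handlers from HijackThis O20 lines and an L2MFix-style
.reg dump.  Added example; allowlist, heuristics and samples are constructed."""
import re

# Stock handlers seen in the thread's dump (bare file names, lower case).
# Assumption: illustrative allowlist; build your own from a clean baseline.
KNOWN_GOOD = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
              "wlnotify.dll", "wzcdlg.dll"}

HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
SECTION = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\(?P<name>[^\]]+)\]$", re.I)
VALUE = re.compile(r'^"(?P<key>[^"]+)"=(?P<val>.*)$')
# Heuristic: 8-12 lower-case alphanumerics including a digit, e.g. k0pm0a71ed.dll
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{8,12}\.dll$")


def _join_continuations(lines):
    """Re-join values that regedit wraps onto the next line with a trailing '\\'."""
    buf = None
    for line in lines:
        if buf is not None:
            line, buf = buf + line.strip(), None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf is not None:
        yield buf


def decode_reg_value(raw):
    """Turn the right-hand side of a .reg line into a Python string."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):      # REG_SZ, backslashes doubled
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\(\d+\):(.*)$", raw)             # hex(2) = REG_EXPAND_SZ, UTF-16LE
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                          # dword:... and friends


def parse_notify_dump(text):
    """Map each Winlogon\\Notify subkey to its DllName (None if the value is missing)."""
    entries, current = {}, None
    for line in _join_continuations(text.splitlines()):
        line = line.strip()
        m = SECTION.match(line)
        if m:
            current = m.group("name")
            entries[current] = None
            continue
        v = VALUE.match(line)
        if current and v and v.group("key").lower() == "dllname":
            entries[current] = decode_reg_value(v.group("val"))
    return entries


def assess(dll):
    """Reasons a notify DLL deserves a closer look; empty list means nothing stood out."""
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if base not in KNOWN_GOOD:
        reasons.append("not a stock Windows notify DLL")
    if "\\" in dll:
        reasons.append("absolute path (stock entries use bare file names)")
    if RANDOM_NAME.match(base):
        reasons.append("random-looking file name")
    return reasons


def triage(hjt_log, reg_dump):
    """Merge O20 lines with the .reg dump; return {subkey: (dll, reasons)} for hits only."""
    handlers = {m.group("name").strip(): m.group("dll").strip()
                for m in map(HJT_O20.match, map(str.strip, hjt_log.splitlines())) if m}
    handlers.update({k: v for k, v in parse_notify_dump(reg_dump).items() if v})
    checked = ((n, d, assess(d)) for n, d in handlers.items())
    return {n: (d, r) for n, d, r in checked if r}


# Constructed sample inputs in the two formats quoted in the thread.
HJT_SAMPLE = r"""O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\k0pm0a71ed.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
"""

REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\k0pm0a71ed.dll"
"""

if __name__ == "__main__":
    for name, (dll, reasons) in triage(HJT_SAMPLE, REG_SAMPLE).items():
        print(f"{name}: {dll}\n  - " + "\n  - ".join(reasons))
```

Run it as-is to see the sample finding, or pass it a real HijackThis log and a regedit export of the Notify key. Treat the output as triage, not a verdict: an entry missing from the allowlist is only a lead, and an absolute path alone proves nothing, which is why the script reports reasons rather than a yes/no.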
02.11.2005, 16:58
Honorary member
Sabina

Posts: 29434
#4 Now please apply option 2; it may be that the problem is still not solved after that.. but I still have something up my sleeve ;)


Close all open programs, as the next step requires a reboot. Click l2mfix.bat again and type 2 --- [Enter].
# Press any key to initiate a system restart.
# After the restart, your desktop icons will briefly appear and briefly disappear - this is NORMAL.
# L2mfix will continue the system scan and when it is finished, Notepad will open and display a log.

If no log appears: double-click -> second.bat

Copy this one into the thread/forum as well (Ctrl+C & Ctrl+V) or again with the right mouse button.

Hoster.zip

http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts', then 'OK', and exit the program.
__________
Regards, Sabina

all about PC security
03.11.2005, 10:46
...new here

Thread starter

Posts: 4
#5 OK, so that aborted with a "nothing to do" message (see log):

Quote

L2Mfix 1.02b

Running From:
C:\Dokumente und Einstellungen\dandru\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Jeder
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER



Setting up for Reboot


Starting Reboot!

C:\Dokumente und Einstellungen\dandru\Desktop\l2mfix
System Rebooted!

Running From:
C:\Dokumente und Einstellungen\dandru\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1668 'explorer.exe'
Killing PID 1668 'explorer.exe'
Error 0x5 : Zugriff verweigert


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1696 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (152 bytes security) (deflated 22%)
adding: echo.reg (152 bytes security) (deflated 10%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 74%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: report.txt (152 bytes security) (deflated 64%)
adding: test.txt (152 bytes security) (deflated 50%)
adding: test2.txt (152 bytes security) (deflated 2%)
adding: test3.txt (152 bytes security) (deflated 2%)
adding: test5.txt (152 bytes security) (deflated 2%)
adding: backregs/75AFF9B1-799E-486C-AB87-42006BDF15A1.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{75AFF9B1-799E-486C-AB87-42006BDF15A1}"=-
[-HKEY_CLASSES_ROOT\CLSID\{75AFF9B1-799E-486C-AB87-42006BDF15A1}]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
But while I'm typing this, no further popup has appeared yet (knock on wood!). Many thanks so far!

Daniel-2
03.11.2005, 10:56
Honorary member
Avatar Sabina

Posts: 29434
#6 To be sure that everything is in order: (somehow I don't like the log... nothing was deleted....)

Quote

02.11.2005 09:40 234.272 IFETCOMM.DLL
02.11.2005 09:40 234.749 jtp4077qe.dll
01.11.2005 12:58 234.272 k0pm0a71ed.dll
Scan with the trial version of Spy Sweeper and post the scan report
http://virus-protect.org/spysweeper.html
__________
Regards, Sabina

All about PC security
03.11.2005, 12:31
...new here

Thread starter

Posts: 4
#7 The program is very thorough. I'll paste both logs in; you'll probably know what to make of them... ;-)

Quote

Spy Sweeper will provide you with detailed information about the operations being performed in this area.
Updating spyware definitions from Webroot.com
Please wait... This may take a few minutes...
Your spyware definitions have been updated.
You are now protected against 112030 known traces.
Automated check for program update in progress.
Your Spy Sweeper application is up to date.
Automated check for news in progress.
... no new news at this time.
Processing Hosts File Alerts
Fixed Hosts File entry: www.kazaagold.com
Fixed Hosts File entry: www.k-lite.com

To ensure proper removal of spyware, adware and other unwanted items, be sure to close any programs that are open.
Your Sweep Options indicate the following will be swept:
Drives: C: D: E:
Also sweeping: Memory, Cookies, Registry
Adware found: brilliant digital
System Monitor found: keybugger
Adware found: 7adpower
Spy Cookie found: 247realmedia cookie
Spy Cookie found: 888 cookie
Spy Cookie found: accoona cookie
Spy Cookie found: reunion cookie
Spy Cookie found: yieldmanager cookie
Spy Cookie found: hbmediapro cookie
Spy Cookie found: apmebf cookie
Spy Cookie found: falkag cookie
Spy Cookie found: azjmp cookie
Spy Cookie found: belnk cookie
Spy Cookie found: bizrate cookie
Spy Cookie found: cassava cookie
Spy Cookie found: starware.com cookie
Spy Cookie found: hypertracker.com cookie
Spy Cookie found: maxserving cookie
Spy Cookie found: 2o7.net cookie
Spy Cookie found: partypoker cookie
Spy Cookie found: paypopup cookie
Spy Cookie found: realmedia cookie
Spy Cookie found: rn11 cookie
Spy Cookie found: tradedoubler cookie
Adware found: isearch toolbar
Adware found: look2me
Full Sweep has completed. Elapsed time 00:45:46
Traces Found: 122

Quote

********
11:37: | Start of Session, Donnerstag, 3. November 2005 |
11:37: Spy Sweeper started
11:37: Sweep initiated using definitions version 564
11:37: Starting Memory Sweep
11:46: Memory Sweep Complete, Elapsed Time: 00:08:10
11:46: Starting Registry Sweep
11:46: Found Adware: brilliant digital
11:46: HKCR\.s3d\ (1 subtraces) (ID = 104924)
11:46: HKLM\software\classes\.s3d\ (1 subtraces) (ID = 104956)
11:47: Found System Monitor: keybugger
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\lyttlesoft studios\ (3 subtraces) (ID = 129575)
11:47: Found Adware: 7adpower
11:47: HKCR\progetto1.int_ver32\ (3 subtraces) (ID = 831501)
11:47: HKCR\clsid\{0d62a517-e7c6-4e1f-a577-07d4ac549a48}\ (27 subtraces) (ID = 831505)
11:47: HKCR\typelib\{391f0ac2-2cfc-4d56-a0e5-c7beb14f26e6}\ (9 subtraces) (ID = 831589)
11:47: HKLM\software\classes\progetto1.int_ver32\ (3 subtraces) (ID = 831690)
11:47: HKLM\software\classes\clsid\{0d62a517-e7c6-4e1f-a577-07d4ac549a48}\ (27 subtraces) (ID = 831694)
11:47: HKLM\software\classes\typelib\{391f0ac2-2cfc-4d56-a0e5-c7beb14f26e6}\ (9 subtraces) (ID = 831778)
11:48: Registry Sweep Complete, Elapsed Time:00:02:04
11:48: Starting Cookie Sweep
11:48: Found Spy Cookie: 247realmedia cookie
11:48: dandru@247realmedia[1].txt (ID = 1953)
11:48: Found Spy Cookie: 888 cookie
11:48: dandru@888[1].txt (ID = 2019)
11:48: Found Spy Cookie: accoona cookie
11:48: dandru@accoona[2].txt (ID = 2041)
11:48: Found Spy Cookie: reunion cookie
11:48: dandru@ad.reunion[1].txt (ID = 3256)
11:48: Found Spy Cookie: yieldmanager cookie
11:48: dandru@ad.yieldmanager[2].txt (ID = 3751)
11:48: Found Spy Cookie: hbmediapro cookie
11:48: dandru@adopt.hbmediapro[1].txt (ID = 2768)
11:48: Found Spy Cookie: apmebf cookie
11:48: dandru@apmebf[2].txt (ID = 2229)
11:48: Found Spy Cookie: falkag cookie
11:48: dandru@as-us.falkag[2].txt (ID = 2650)
11:48: dandru@as1.falkag[2].txt (ID = 2650)
11:48: Found Spy Cookie: azjmp cookie
11:48: dandru@azjmp[2].txt (ID = 2270)
11:48: Found Spy Cookie: belnk cookie
11:48: dandru@belnk[1].txt (ID = 2292)
11:48: Found Spy Cookie: bizrate cookie
11:48: dandru@bizrate[2].txt (ID = 2308)
11:48: Found Spy Cookie: cassava cookie
11:48: dandru@cassava[1].txt (ID = 2362)
11:48: dandru@dist.belnk[2].txt (ID = 2293)
11:48: Found Spy Cookie: starware.com cookie
11:48: dandru@h.starware[2].txt (ID = 3442)
11:48: Found Spy Cookie: hypertracker.com cookie
11:48: dandru@hypertracker[2].txt (ID = 2817)
11:48: Found Spy Cookie: maxserving cookie
11:48: dandru@maxserving[1].txt (ID = 2966)
11:48: Found Spy Cookie: 2o7.net cookie
11:48: dandru@microsofteup.112.2o7[1].txt (ID = 1958)
11:48: Found Spy Cookie: partypoker cookie
11:48: dandru@partypoker[2].txt (ID = 3111)
11:48: Found Spy Cookie: paypopup cookie
11:48: dandru@paypopup[2].txt (ID = 3119)
11:48: Found Spy Cookie: realmedia cookie
11:48: dandru@realmedia[1].txt (ID = 3235)
11:48: dandru@reunion[1].txt (ID = 3255)
11:48: Found Spy Cookie: rn11 cookie
11:48: dandru@rn11[2].txt (ID = 3261)
11:48: Found Spy Cookie: tradedoubler cookie
11:48: dandru@tradedoubler[2].txt (ID = 3575)
11:48: dandru@www.reunion[1].txt (ID = 3256)
11:48: dandru@www.starware[1].txt (ID = 3442)
11:48: Cookie Sweep Complete, Elapsed Time: 00:00:08
11:48: Starting File Sweep
11:55: Found Adware: isearch toolbar
11:55: cmdinst.exe (ID = 154747)
11:56: int_ver32b.ocx (ID = 156465)
12:01: int_ver32b.inf (ID = 156464)
12:07: Found Adware: look2me
12:07: bw2.com (ID = 65721)
12:23: File Sweep Complete, Elapsed Time: 00:35:11
12:23: Full Sweep has completed. Elapsed time 00:45:46
12:23: Traces Found: 122
12:24: Removal process initiated
12:25: Quarantining All Traces: look2me
12:25: Quarantining All Traces: keybugger
12:25: Quarantining All Traces: 7adpower
12:25: Quarantining All Traces: brilliant digital
12:25: Quarantining All Traces: isearch toolbar
12:25: Quarantining All Traces: 247realmedia cookie
12:25: Quarantining All Traces: 2o7.net cookie
12:25: Quarantining All Traces: 888 cookie
12:25: Quarantining All Traces: accoona cookie
12:25: Quarantining All Traces: apmebf cookie
12:25: Quarantining All Traces: azjmp cookie
12:25: Quarantining All Traces: belnk cookie
12:25: Quarantining All Traces: bizrate cookie
12:25: Quarantining All Traces: cassava cookie
12:25: Quarantining All Traces: falkag cookie
12:25: Quarantining All Traces: hbmediapro cookie
12:25: Quarantining All Traces: hypertracker.com cookie
12:25: Quarantining All Traces: maxserving cookie
12:25: Quarantining All Traces: partypoker cookie
12:25: Quarantining All Traces: paypopup cookie
12:25: Quarantining All Traces: realmedia cookie
12:25: Quarantining All Traces: reunion cookie
12:25: Quarantining All Traces: rn11 cookie
12:25: Quarantining All Traces: starware.com cookie
12:25: Quarantining All Traces: tradedoubler cookie
12:25: Quarantining All Traces: yieldmanager cookie
12:26: Removal process completed. Elapsed time 00:01:14
********
11:16: | Start of Session, Donnerstag, 3. November 2005 |
11:16: Spy Sweeper started
11:21: Your spyware definitions have been updated.
11:31: Processing Hosts File Alerts
11:31: Fixed Hosts File entry: www.kazaagold.com
11:31: Fixed Hosts File entry: www.k-lite.com
How does it look?
So far I haven't had any further popups since my last post, but I also haven't rebooted again yet (that is, no more times than the programs required).

Thanks, thanks, thanks, thanks, thanks, thanks, thanks, thanks, thanks, thanks, thanks, thanks!
Daniel-2