Spysheriff after a download, and wallpaper changed

11.12.2005, 13:25
...new here

Posts: 1
#16 Hi, to start with....

Folks, this is all Greek to me. I can delete a few files etc., but I'm not really getting any further!! The desktop is back to normal, except that the color of the icons is still blue ... and the red X is still there, and my Internet Exploder start page keeps coming back. Please help, and explain it a bit more simply! Or in more detail ^^
11.12.2005, 13:27
Honorary member
Sabina

Posts: 29434
#17 crunch

CCleaner
Delete all temp files
http://virus-protect.org/temp.html

Copy the 4 text files here
http://virus-protect.org/datfindbat.html

Copy the log from Silent Runners
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

All about PC security
12.12.2005, 21:44
...new here

Posts: 8
#18 Hello everyone!!

Unfortunately I have exactly the same problem!!

I do have the text files, but I don't know exactly which files I have to delete with the Killbox!!

I could paste in the 4 text files for a start:

1:

Verzeichnis von C:\WINDOWS\system32

12.12.2005 22:14 3'469 ndpqrs22.ini
12.12.2005 20:25 0 uqporu09.html
12.12.2005 20:19 46'592 zlbw.dll
12.12.2005 20:19 57'390 sywsvcs.exe
12.12.2005 20:19 57'390 ll.exe
12.12.2005 20:19 58 svcp.csv
12.12.2005 20:19 4 winsub.xml
12.12.2005 20:19 12'137 mstool.exe

12.12.2005 18:03 54'046 perfc009.dat
12.12.2005 18:03 382'302 perfh009.dat
12.12.2005 18:03 393'122 perfh007.dat
12.12.2005 18:03 65'062 perfc007.dat
12.12.2005 18:03 905'204 PerfStringBackup.INI
09.12.2005 18:14 1'158 wpa.dbl
02.12.2005 20:49 47'880 p90si1ih.dat
02.12.2005 20:49 131'024 m844pbhq.dat
02.12.2005 20:49 4'672 t9rkanj8.dat

12.11.2005 17:14 249'496 FNTCACHE.DAT
11.11.2005 06:00 2'377'568 MRT.exe
05.11.2005 14:01 262'144 wrap_oal.dll
05.11.2005 14:01 86'016 OpenAL32.dll
02.11.2005 00:00 188'416 vorbis.dll
02.11.2005 00:00 45'056 ogg.dll
02.11.2005 00:00 73'728 EmAcmMp3Wrapper.ax
02.11.2005 00:00 151'552 HDX4AACDecoder.ax
02.11.2005 00:00 147'456 HDX4AMRDecoder.ax
02.11.2005 00:00 503'808 hdx4_dshow.dll
02.11.2005 00:00 225'280 HDX4mp4Source.ax
02.11.2005 00:00 921'600 vorbisenc.dll
02.11.2005 00:00 237'568 OggDS.dll
16.10.2005 12:28 302'352 MSWNG300.DLL
16.10.2005 12:13 243'984 VBAR2232.DLL
16.10.2005 12:13 1'015'568 MSJT3032.DLL
16.10.2005 12:12 250'640 MSRD2X32.DLL
15.10.2005 15:53 35'600 MSJINT32.DLL
15.10.2005 15:53 23'824 MSJTER32.DLL
15.10.2005 15:53 76'288 ODBCTL32.DLL
08.10.2005 16:55 43'520 CmdLineExt03.dll
06.10.2005 04:18 280'064 gdi32.dll
06.10.2005 04:08 1'839'616 win32k.sys
04.10.2005 16:26 3'013'120 mshtml.dll
25.09.2005 18:20 98'304 CmdLineExt.dll
23.09.2005 09:00 2'718 59i4r2lm.dat
23.09.2005 04:06 8'491'520 shell32.dll
10.09.2005 02:54 2'067'968 cdosys.dll
03.09.2005 00:53 664'064 wininet.dll

2: (I simply can't delete these!)

Verzeichnis von C:\DOKUME~1\BENNI-~1\LOKALE~1\Temp

12.12.2005 18:34 16'384 Perflib_Perfdata_a0c.dat
12.12.2005 18:34 16'384 Perflib_Perfdata_930.dat
12.11.2005 14:03 24'613 IadHide5.dll

3:

Verzeichnis von C:\WINDOWS

12.12.2005 21:20 202 NeroDigital.ini
12.12.2005 20:21 1'999 desktop.html
12.12.2005 20:19 2'033 hosts
12.12.2005 20:19 3'052 secure32.html
12.12.2005 20:19 1'024 tool5.exe
12.12.2005 20:19 1'024 tool4.exe
12.12.2005 20:19 8'238 tool3.exe
12.12.2005 20:19 12'137 tool1.exe
12.12.2005 20:19 23'936 toolbar.exe
12.12.2005 20:19 1'024 country.exe
12.12.2005 20:19 29'184 tool2.exe
12.12.2005 20:19 57'544 kl.exe
12.12.2005 20:19 0 uniq

12.12.2005 19:38 334'796 setupapi.log
12.12.2005 19:06 192 winamp.ini
12.12.2005 18:34 0 0.log
12.12.2005 18:34 3'922 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
12.12.2005 18:34 159 wiadebug.log
12.12.2005 18:34 1'484'293 WindowsUpdate.log
12.12.2005 18:34 50 wiaservc.log
12.12.2005 18:33 2'048 bootstat.dat
12.12.2005 18:02 228'213 setupact.log
11.12.2005 23:29 32'540 SchedLgU.Txt
06.12.2005 22:00 286 nsw.log
19.11.2005 01:26 21'763 wmsetup.log
12.11.2005 14:03 118'784 bwUnin-7.2.0.157-8876480SL.exe
12.11.2005 12:12 92'015 iis6.log
12.11.2005 12:12 119'979 ntdtcsetup.log
12.11.2005 12:12 27'081 ocmsn.log
12.11.2005 12:12 195'556 comsetup.log
12.11.2005 12:12 236'695 tsoc.log
12.11.2005 12:12 1'393 imsins.log
12.11.2005 12:12 11'864 KB896424.log
12.11.2005 12:12 307'963 ocgen.log
12.11.2005 12:12 28'543 msgsocm.log
12.11.2005 12:12 572'875 FaxSetup.log
12.11.2005 12:12 20'980 updspapi.log
15.10.2005 20:58 1'393 imsins.BAK
15.10.2005 20:58 20'999 KB901017.log
15.10.2005 20:58 23'259 KB902400.log
15.10.2005 20:57 14'007 KB896688.log
15.10.2005 20:57 13'590 KB905414.log
15.10.2005 20:57 13'388 KB900725.log
15.10.2005 20:57 11'232 KB904706.log
15.10.2005 20:57 11'832 KB905749.log
15.10.2005 15:53 60'416 ST4UNST.EXE
07.10.2005 23:13 0 vpd.properties
25.09.2005 18:16 108'409 DirectX.log
03.09.2005 13:19 3'752 Far Cry HQ Pack Setup Log.txt
03.09.2005 13:19 724'992 iun6002.exe

4:

Verzeichnis von C:\

12.12.2005 22:19 0 sys.txt
12.12.2005 22:19 13'431 system.txt
12.12.2005 22:17 411 systemtemp.txt
12.12.2005 22:17 102'983 system32.txt
12.12.2005 20:19 29'184 winstall.exe
12.12.2005 18:33 1'073'270'784 hiberfil.sys
12.12.2005 18:33 1'610'612'736 pagefile.sys
18.08.2005 08:48 102 Platform.ini
22.04.2005 19:05 4'020 data
04.04.2005 19:36 0 DEUTSCH.DAT
25.10.2004 11:53 211 boot.ini
25.10.2004 11:48 47'564 NTDETECT.COM
25.10.2004 11:48 251'184 ntldr
23.06.2004 08:21 860 IPH.PH
22.06.2004 16:43 0 IO.SYS
22.06.2004 16:43 0 CONFIG.SYS
22.06.2004 16:43 0 MSDOS.SYS
22.06.2004 16:43 0 AUTOEXEC.BAT
29.08.2002 13:00 4'952 bootfont.bin

And here is the Silent Runners log as well: (I simply ran it in "My Documents"!)

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)
"LDM" = "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Windows installer" = "C:\winstall.exe" [null data]
"aupd" = "C:\WINDOWS\system32\sywsvcs.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Dit" = "Dit.exe" [null data]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" ["Computer Associates International, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"PRISMSTA.EXE" = "PRISMSTA.EXE START" ["Intersil Americas Inc."]
"DownloadAccelerator" = "C:\PROGRA~1\DAP\DAP.EXE /STARTUP" ["Speedbit Ltd."]
"WheelMouse" = "Amoumain.exe" [null data]
"MessengerPlus3" = ""C:\Programme\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"VirtualCloneDrive" = ""C:\Programme\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]
"(Default)" = (empty string)
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"navapp" = "C:\Programme\NavExcel\NavHelper\v2.0.4d\navapp.exe" [null data]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"mmtask" = "C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["TODO: <Company name>"]
"AceGain LiveUpdate" = "C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe" [file not found]
"AnyDVD" = "C:\Programme\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]
"Power Scan" = "C:\Programme\Power Scan\powerscan.exe" [file not found]
"ndpqrs22" = "C:\WINDOWS\system32\ndpqrs22.exe" [empty string]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0000CC75-ACF3-4cac-A0A9-DD3868E06852}\(Default) = "DAPHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\DAP\DAPBHO.dll" ["Speedbit Ltd."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" [file not found]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]

HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
[disables the Display Properties|Desktop (tab) (except the "Customize
Desktop..." button); selects wallpaper if Active Desktop is enabled]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.

Wallpaper selected via Group Policy.


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]


Startup items in "Benni -" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\Benni -\Startmenü\Programme\Autostart
INFECTION WARNING! "Registration Myst V" [null data]
"wkcalrem" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe" ["Microsoft® Corporation"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Programme\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"BTTray" -> shortcut to: "C:\Programme\Sitecom\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\GMX\GMX Toolbar\toolbar.dll" ["GMX GmbH"]

"{86227D9C-0EFE-4F8A-AA55-30386A3F5686}" = "YourSiteBar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\YourSiteBar\ysb.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{62999427-33FC-4BAF-9C9C-BCE6BD127F08}" = "DAP Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\DAP\DAPIEBar.dll" [empty string]

"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\GMX\GMX Toolbar\toolbar.dll" ["GMX GmbH"]

"{86227D9C-0EFE-4F8A-AA55-30386A3F5686}" = "YourSiteBar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\YourSiteBar\ysb.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{10E42047-DEB9-4535-A118-B3F6EC39B807}\
"ButtonText" = "SideFind"

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\
"ButtonText" = "Run DAP"
"Exec" = "C:\PROGRA~1\DAP\DAP.EXE" ["Speedbit Ltd."]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programme\Sitecom\Bluetooth Software\btsendto_ie.htm" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.msn.ch/Default.asp

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "C:\Programme\Sitecom\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
eTrust Antivirus Job Server, InoTask, ""C:\Programme\CA\eTrust Antivirus\InoTask.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, ""C:\Programme\CA\eTrust Antivirus\InoRT.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, ""C:\Programme\CA\eTrust Antivirus\InoRpc.exe"" ["Computer Associates International, Inc."]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
SAP-Agent, NwSapAgent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth-Druckeranschluss\Driver = "bthcrp.dll" ["Broadcom Corporation"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 37 seconds, including 18 seconds for message boxes)


It's a bit much, but I hope someone can help me now!!

Regards, Rockman
This post was edited by Rockman on 12.12.2005 at 22:07.
13.12.2005, 00:33
Honorary member
Sabina

Posts: 29434
#19 Hello @Rockman

C:\WINDOWS\system32\p90si1ih.dat
C:\WINDOWS\system32\m844pbhq.dat
C:\WINDOWS\system32\t9rkanj8.dat
C:\WINDOWS\system32\59i4r2lm.dat

--> right-click --> Open with Notepad --> copy what appears in the text editor for me

-------------------------------------------------------------

Go into the registry

Start --> Run --> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Wallpaper" = "C:\WINDOWS\desktop.html" <-- delete

Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as fix.reg using 'Save As'. Set the file type to 'All Files'. You should now find this file on the desktop.

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-
"NoActiveDesktop"=-
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoComponents"=-
"NoAddingComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoHTMLWallpaper"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows installer"=-
"aupd"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power Scan"=-
"ndpqrs22"=-

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot / Process all in List --> tick these
paste in:
...
and click the red cross; when asked "Do you want to reboot?", click "no" and paste in the next one; only click "yes" for the last one

C:\WINDOWS\system32\ndpqrs22.ini
C:\WINDOWS\system32\uqporu09.html
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\sywsvcs.exe
C:\WINDOWS\system32\ll.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\mstool.exe
C:\WINDOWS\system32\p90si1ih.dat
C:\WINDOWS\system32\m844pbhq.dat
C:\WINDOWS\system32\t9rkanj8.dat
C:\WINDOWS\system32\59i4r2lm.dat

C:\WINDOWS\desktop.html
C:\WINDOWS\hosts
C:\WINDOWS\system32\ndpqrs22.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\tool5.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\country.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\kl.exe
C:\WINDOWS\uniq
C:\WINDOWS\iun6002.exe
C:\winstall.exe

Restart the PC
Restart the computer in safe mode (press F8 during startup). Double-click the file "fix.reg" on the desktop.

Uninstall:
Power Scan
YourSiteBar
NavExcel

Killbox
DelTree (include SubDirectories)
Say, for example, you want to delete a folder. You don't have to enter all the files in the folder one by one; instead you tick the option DelTree (include subdirectories).
This deletes a complete folder together with its subfolders.

C:\Programme\Power Scan
C:\Programme\YourSiteBar
C:\Programme\NavExcel

---------------------------------------------------------------------------
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

Scan
http://virus-protect.org/microtrend.html

Kaspersky online scanner (post the scan report)
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

All about PC security
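
Added example, not part of the original posts or of the Silent Runners project: a small triage pass over Run-key lines in the Silent Runners report format quoted in post #18, flagging autostart entries whose target has no version information and sits in the drive root or the Windows directories, and entries whose target is missing. The function names, the heuristic and the sample lines (constructed from the format shown in the thread) are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: Run-key lines in the Silent Runners layout shown in the thread.
SAMPLE = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Windows installer" = "C:\winstall.exe" [null data]
"aupd" = "C:\WINDOWS\system32\sywsvcs.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Dit" = "Dit.exe" [null data]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Power Scan" = "C:\Programme\Power Scan\powerscan.exe" [file not found]
"ndpqrs22" = "C:\WINDOWS\system32\ndpqrs22.exe" [empty string]
'''

# "value name" = command line [company name or status]
ENTRY = re.compile(r'^"(?P<name>[^"]+)" = (?P<cmd>.*) \[(?P<vendor>.*)\]$')
# Shortest prefix of a command line that ends in an executable extension.
IMAGE = re.compile(r'^(.*?\.(?:exe|com|scr|bat|dll|cpl))\b', re.I)
NO_VENDOR = {"null data", "empty string"}
WINDOWS_DIRS = {("windows",), ("windows", "system"), ("windows", "system32")}


def image_path(cmd):
    """Extract the program path from a Silent Runners command field."""
    cmd = cmd.strip()
    if len(cmd) >= 2 and cmd[0] == cmd[-1] == '"':
        cmd = cmd[1:-1]                      # outer quotes added by the report
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]      # quoted path followed by arguments
    m = IMAGE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def location(image):
    """Classify where the image lives; None when the path is unremarkable."""
    p = PureWindowsPath(image)
    if not p.drive:
        return None                          # bare file name, location unknown
    dirs = tuple(part.lower() for part in p.parts[1:-1])
    if not dirs:
        return "drive root"
    if dirs in WINDOWS_DIRS:
        return "Windows directory"
    return None


def triage(report):
    """Return Run-key entries worth a manual look, with the reason."""
    key, hits = None, []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(("HKCU\\", "HKLM\\")):
            key = line.replace(" {++}", "")
            continue
        m = ENTRY.match(line)
        if not m or key is None:
            continue
        if not key.rstrip("\\").lower().endswith("\\run"):
            continue                         # only Run keys are scored here
        vendor = m["vendor"].strip('"')
        image = image_path(m["cmd"])
        where = location(image)
        if vendor == "file not found":
            reason = "target missing on disk (orphaned entry)"
        elif vendor in NO_VENDOR and where:
            reason = f"no version info, runs from {where}"
        else:
            continue
        hits.append({"key": key, "name": m["name"],
                     "image": image, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f'{hit["key"]}  "{hit["name"]}"  {hit["image"]}  <- {hit["reason"]}')
```

The output is a list of candidates for manual review, not a verdict: legitimate programs also ship without version information, which is why the location is part of the rule.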
13.12.2005, 21:06
...new here

Posts: 8
#20 Hello @Sabina

Still awake this late ;) !

So, when I open the files with Notepad, all I get is lots of little boxes with a few letters in between!!!

Except for the last file, there was something written in it; somehow, though, the files are now deleted!!

Oh yes, I used the Killbox!!

OK, so the Power Scan file somehow doesn't exist any more at all, same as YourSiteBar!!
And I could delete NavExcel manually, one by one!

Since I don't have this "DelTree" function in my Killbox at all!!

So should I delete the NavExcel folder?

PS: when I'm in safe mode, can I log in just as normal, as if I were in normal mode?

Regards, Rockman
14.12.2005, 11:34
Honorary member
Sabina

Posts: 29434
#21 Work through this first, then we'll see:
--------------------------------------------------------------------------
Work through everything as described above, and use hoster.zip as well

Delete everything from NavExcel!

Scan with microtrend

Kaspersky online scanner (post the scan report)
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

All about PC security
14.12.2005, 12:56
Honorary member
Argus

Posts: 6028
#22 Hello, Sabine
I'm infected with SpySheriff too; I ended up purely by accident on a cr"not here"ck site
;)
Here is my log
Logfile of HijackThis v1.99.1
Scan saved at 2:14:33, on 14-12-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ESCAN\TRAYICOS.EXE
C:\WINDOWS\SYSTEM\KERNELS64.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ2.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ6.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ7.EXE
C:\WINDOWS\INET20001\WINLOGON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINSTALL.EXE
C:\WINDOWS\SYSTEM\SYWSVCS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\DATA\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=C:\WINDOWS\INET20001\WINLOGON.EXE
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\SYSTEM\ZOLKER011.DLL
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20001\3.00.11.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels64.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20001\WINLOGON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [eScan Updater] C:\PROGRA~1\ESCAN\TRAYICOS.EXE
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels64.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20001\WINLOGON.EXE
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sywsvcs.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sywsvcs.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Broken Internet access because of LSP provider 'mwnsp.dll' missing
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: st3 - C:\WINDOWS\G1699615.DLL
O21 - SSODL: DDE - {F33812FB-F35C-4674-90F6-FD757C419C51} - C:\WINDOWS\SYSTEM\birdihuy32.dll
O21 - SSODL: Module - {429F4BB8-7BF7-4152-8011-3C6F9EB7E892} - C:\WINDOWS\SYSTEM\chp.dll



Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\.

SYS TXT 0 14-12-05 2:11 sys.txt
SYSTEM TXT 12.773 14-12-05 2:11 system.txt
SYSTEM~1 TXT 1.141 14-12-05 2:11 systemtemp.txt
SYSTEM32 TXT 377 14-12-05 2:11 system32.txt
SCANDISK LOG 486 14-12-05 2:08 SCANDISK.LOG
LO1193~1 EXE 6.505 14-12-05 1:50 lo1193031151.exe
SPYWAR~1 URL 142 14-12-05 1:49 Spyware Remover.url
POPUPB~1 URL 140 14-12-05 1:49 PopUp Blocker.url
WINSTALL EXE 29.184 14-12-05 1:49 winstall.exe
LO-492~1 EXE 6.505 14-12-05 1:48 lo-492723991.exe
23990098 $$$ 134 13-12-05 9:53 23990098.$$$
MSDOS SYS 1.676 10-12-05 17:50 MSDOS.SYS
DETLOG TXT 70.051 10-12-05 17:44 DETLOG.TXT
FRUNLOG TXT 1.011 10-12-05 17:41 FRUNLOG.TXT
SUHDLOG DAT 5.166 10-12-05 17:36 SUHDLOG.DAT
SYSTEM 1ST 466.976 10-12-05 17:36 SYSTEM.1ST
MSDOS --- 22 10-12-05 17:14 MSDOS.---
COMMAND COM 96.546 05-05-99 22:22 COMMAND.COM
IO SYS 222.390 05-05-99 22:22 IO.SYS
25 bestand(en) 1.124.806 bytes.
0 dir('s) 1.343.750.144 bytes beschikbaar.

Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\WINDOWS.

SYSTEM DAT 4.218.912 14-12-05 2:10 SYSTEM.DAT
USER DAT 266.272 14-12-05 2:10 USER.DAT
TSP LOG 6.551 14-12-05 2:09 tsp.log
ESCAN LOG 35.738 14-12-05 2:09 ESCAN.LOG
CPERROR LOG 778 14-12-05 2:09 CPERROR.LOG
SCHEDLOG TXT 2.643 14-12-05 2:08 SchedLog.Txt
SYSTEM INI 1.661 14-12-05 2:08 SYSTEM.INI
NDISLOG TXT 0 14-12-05 2:08 NDISLOG.TXT
SHELLI~1 740.955 14-12-05 2:02 ShellIconCache
ZSETTI~1 DLL 926 14-12-05 1:56 zsettings.dll
G1699615 DLL 13.824 14-12-05 1:56 g1699615.dll
WIN386 SWP 226.492.416 14-12-05 1:50 WIN386.SWP
DESKTO~1 HTM 1.999 14-12-05 1:50 desktop.html
COMMAND PIF 967 14-12-05 1:49 command.PIF
WIN INI 8.718 14-12-05 1:49 WIN.INI
G1317746 DLL 13.824 14-12-05 1:49 g1317746.dll
FLAG BLA 2 14-12-05 1:49 flag.bla
ESCAN DBF 155 14-12-05 1:28 escan.dbf
220 bestand(en) 241.604.271 bytes.
0 dir('s) 1.343.750.144 bytes beschikbaar.

Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\WINDOWS\SYSTEM32.

FOLDER HTT 13.301 10-12-06 17:52 folder.htt
DESKTOP INI 266 10-12-06 17:52 desktop.ini
ST3 DLL 0 14-12-05 2:04 st3.dll
3 bestand(en) 13.567 bytes.
0 dir('s) 1.343.684.608 bytes beschikbaar.

Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\WINDOWS\TEMP.

OQOAOILM HTM 1.102 14-12-05 2:09 oqoaoilm.htm
ZBZ BAT 124 14-12-05 1:56 zbz.bat
D BAT 123 14-12-05 1:56 d.bat
QVXT2~1 GAM 1.632 14-12-05 1:56 qvxt2.game
QVXT3~1 GAM 1.632 14-12-05 1:56 qvxt3.game
QVXT4~1 GAM 1.632 14-12-05 1:56 qvxt4.game
VX4~1 GAM 8.367 14-12-05 1:56 vx4.game
VX6~1 GAM 11.776 14-12-05 1:50 vx6.game
1213~1 451 14.357 14-12-05 1:49 1213.4516
MAXDD~1 GAM 12.616 14-12-05 1:49 maxdd.game
2~1 QTD 29.184 14-12-05 1:49 2.qtdfmp
5~1 QTD 3.120 14-12-05 1:49 5.qtdfmp
6~1 QTD 3.152 14-12-05 1:49 6.qtdfmp
7~1 QTD 3.584 14-12-05 1:49 7.qtdfmp
1~1 QTD 1.665 14-12-05 1:49 1.qtdfmp
MSIEVENT LOG 764 13-12-05 9:26 msievent.log
DRW1144 TMP 6.985 13-12-05 2:33 drw1144.TMP
17 bestand(en) 101.815 bytes.
0 dir('s) 1.343.750.144 bytes beschikbaar.

eSCAN
C:\lo-492723991.exe File Infected with "Trojan-Downloader.Win32.Small.cax". Action Taken: File deleted!
C:\lo1193031151.exe File Infected with "Trojan-Downloader.Win32.Small.cax". Action Taken: File deleted!
C:\WINDOWS\g1317746.dll File Infected with "Trojan-Downloader.Win32.Delf.zu". Action Taken: File deleted!
C:\WINDOWS\g1699615.dll File Infected with "Trojan-Downloader.Win32.Delf.zu". Unable to delete infected file. Virus could not be removed!
C:\WINDOWS\SYSTEM\vxh8jkdq1.exe File Infected with "Trojan-Downloader.Win32.Small.bho". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxh8jkdq5.exe File Infected with "Trojan-Downloader.Win32.Small.axn". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\1286625.exe File Infected with "Trojan-Dropper.Win32.Small.abx". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame1.exe File Infected with "Trojan-Dropper.Win32.Agent.ri". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame2.exe File Infected with "Packed.Win32.Klone.b". Action Taken: File renamed!
C:\WINDOWS\SYSTEM\maxd64.exe File Infected with "Trojan.Win32.Dialer.ay". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame3.exe File Infected with "Trojan-Dropper.Win32.Small.aih". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgamet2.exe File Infected with "Trojan-Downloader.Win32.Small.bxc". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgamet3.exe File Infected with "Trojan-Dropper.Win32.Agent.abu". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\chp.dll File Infected with "Trojan.Win32.Spabot.t". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\birdihuy32.dll File Infected with "Trojan-Proxy.Win32.Small.ct". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgamet4.exe File Infected with "Trojan-Downloader.Win32.Tibs.s". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame6.exe File Infected with "Trojan-Downloader.Win32.CWS.gen". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\Fggbdk32.exe File Infected with "Net-Worm.Win32.Padobot.z". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\ll.exe File Infected with "Packed.Win32.Klone.b". Action Taken: File renamed!
C:\WINDOWS\SYSTEM\vxgame4.exe File Infected with "Trojan-Downloader.Win32.Small.cah". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\Fddckppn.dll File Infected with "Net-Worm.Win32.Padobot.z". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\CICBBIE0.exe File Infected with "Net-Worm.Win32.Padobot.z". Action Taken: File deleted!
C:\WINDOWS\inet20001\services.exe File Infected with "Trojan-Downloader.Win32.CWS.gen". Action Taken: File deleted!

C:\WINDOWS\inet20001\mm3.exe File Infected with "Trojan-Spy.Win32.Delf.ig". Action Taken: File deleted!
C:\WINDOWS\inet20001\alg.exe File Infected with "Email-Worm.Win32.Delf.i". Action Taken: File deleted!

wo dec 14 09:37:24 2005 => Total Number of Files Infected: 25
wo dec 14 09:37:24 2005 => Total Number of Files Renamed: 2
wo dec 14 09:37:24 2005 => Total Number of Files Deleted: 22
wo dec 14 09:37:24 2005 => Total Number of Errors: 1

CounterSpy

Spyware Scan Details
Start Date: 14-12-05 10:16:45
End Date: 14-12-05 10:34:13
Total Time: 17 mins 28 secs

Detected spyware

Trojan.vxgame Trojan more information...
Status: Deleted

Infected files detected
c:\windows\system\vxgamet1.exe
c:\windows\system\vx.tll
c:\windows\flag.bla
c:\windows\system\ddr64.dll
c:\windows\system\qvxgamet2.exe
c:\windows\system\qvxgamet3.exe
c:\windows\system\qvxgamet4.exe
c:\windows\system\svcp.csv
c:\windows\system\winsub.xml
c:\windows\system\split1.exe

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 DLLName C:\WINDOWS\G1699615.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logoff WACLEventLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 lock WACLEventLock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logon WACLEventLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startup WACLEventStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 shutdown WACLEventShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startshell WACLEventStartShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 unlock WACLEventUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startscreensaver WACLEventStartScreenSaver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 stopscreensaver WACLEventStopScreenSaver


CoolWebSearch.MWSearch Spyware more information...
Details: MWSearch adds a search toolbar to Internet Explorer and hijacks the default search page.
Status: Deleted

Infected files detected
c:\windows\zsettings.dll
c:\WINDOWS\SYSTEM\ztoolb011.dll

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{B75F75B8-93F3-429D-FF34-660B206D897A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A}


Search Terror Search Hijacker more information...
Details: Search Terror is a Search Hijacker
Status: Deleted

Infected files detected
c:\windows\system\birdihuy.dll


topnetsearch Browser Hijacker more information...
Status: Deleted

Infected files detected
c:\windows\system\zlokdfs9.leo
c:\windows\system\ztoolb011.dll

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A}


CoolWebSearch Browser Hijacker more information...
Details: CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\ProgID Replace.HBO.1
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 C:\WINDOWS\inet20001\3.00.11.dll
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\Programmable
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\TypeLib {516A36EA-AFE2-4965-A492-B198B7F7B018}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\VersionIndependentProgID Replace.HBO
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3} HBO Class


Unclassified.Trojan.H Spyware more information...
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1
HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1\CLSID {9EAC0102-5E61-2312-BC2D-4D54434D5443}
HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1 Search Toolbar


Tubby.MakeMeSearch Browser Hijacker more information...
Details: MakeMeSearch is a browser redirector that runs as an Internet Explorer browser helper object. MakeMeSearch changes your homepage and browser settings.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\MTC MTC
HKEY_CURRENT_USER\Software\MTC MTC\Options Run 4
HKEY_CURRENT_USER\Software\MTC MTC\Options Shown 1
HKEY_CURRENT_USER\Software\MTC MTC\Options Dnl 0
HKEY_CURRENT_USER\Software\MTC MTC\Options mlu 1026957
HKEY_CURRENT_USER\Software\MTC MTC\Options lu 1026957
HKEY_CURRENT_USER\Software\MTC MTC\Options Flg 2


Krepper Trojan Downloader more information...
Details: Krepper is a trojan virus, that modifies website surfing to display advertising, and downloads additional threats
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\Replace.HBO
HKEY_CLASSES_ROOT\Replace.HBO\CLSID {5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\Replace.HBO\CurVer Replace.HBO.1
HKEY_CLASSES_ROOT\Replace.HBO HBO Class
HKEY_CLASSES_ROOT\Replace.HBO.1
HKEY_CLASSES_ROOT\Replace.HBO.1\CLSID {5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\Replace.HBO.1 HBO Class
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\ProgID Replace.HBO.1
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 C:\WINDOWS\inet20001\3.00.11.dll
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\Programmable
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\TypeLib {516A36EA-AFE2-4965-A492-B198B7F7B018}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\VersionIndependentProgID Replace.HBO
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3} HBO Class


Trojan.Proxy.birdihuy Trojan more information...
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{F33812FB-F35C-4674-90F6-FD757C419C51}
HKEY_CLASSES_ROOT\clsid\{F33812FB-F35C-4674-90F6-FD757C419C51}\InProcServer32 C:\WINDOWS\SYSTEM\birdihuy32.dll
HKEY_CLASSES_ROOT\clsid\{F33812FB-F35C-4674-90F6-FD757C419C51}\InProcServer32 ThreadingModel Apartment


Alexa Toolbar Potential Privacy Risk more information...
Details: Alexa is a free, ad-based product which installs itself into your Internet Explorer or Netscape browser. It ads a bar which has a series of links into your browser which gives quite a bit of information about each web page that you visit.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum
HKEY_CLASSES_ROOT\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum Implementing
HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum
HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum Implementing


bho.CashDeluxe.dwc Misc more information...
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logoff WACLEventLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 lock WACLEventLock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logon WACLEventLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startup WACLEventStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 shutdown WACLEventShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startshell WACLEventStartShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 unlock WACLEventUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startscreensaver WACLEventStartScreenSaver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 stopscreensaver WACLEventStopScreenSaver
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\InprocServer32 C:\WINDOWS\G1699615.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} C:\WINDOWS\G1699615.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} ThreadingModel Apartment


Claria.DashBar Cookie Cookie more information...
Details: DashBar cookie is a small text file placed on the user's computer after when visiting the Claria/GAIN DashBar website.
Status: Deleted

Infected cookies detected
c:\windows\cookies\anyuser@belnk[1].txt


PayPopup.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\windows\cookies\anyuser@paypopup[2].txt


SpyLog.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\windows\cookies\anyuser@spylog[1].txt


FastClick.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\windows\cookies\anyuser@media.fastclick[1].txt
c:\windows\cookies\anyuser@fastclick[2].txt


XXXCounter.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\windows\cookies\anyuser@xxxcounter[1].txt


Findwhat Cookie more information...
Status: Deleted

Infected cookies detected
c:\windows\cookies\anyuser@findwhat[1].txt



A picture of inet20001 is still to come ;)
Toodle-oo
__________
Regards, Argus
This post was edited by Arnold on 14.12.2005 at 13:05.

14.12.2005, 13:16
Honorary member
Sabina

Posts: 29434
#23

Quote

I'm also infected with SpySheriff, ended up quite by accident on a cr"hiernicht"ck site
lol lol lol lol lol


C:\WINDOWS\SYSTEM32.

FOLDER HTT 13.301 10-12-06 17:52 folder.htt

that one interests me... have it scanned with jotti

---------------
No scanner detected C:\winstall.exe (and others)
http://virus-protect.org/artikel/spyware/inet20002.html
__________
Regards, Sabina

all about PC security

15.12.2005, 16:56
...new here

Posts: 8
#24 Hello @Sabina

So, I have done everything!

Here is the scan report from Kaspersky:

1.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 14, 2005 21:53:34
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/12/2005
Kaspersky Anti-Virus database records: 155192
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOKUME~1\BENNI-~1\LOKALE~1\Temp\

Scan Statistics:
Total number of scanned objects: 22404
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 728 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

2.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 15, 2005 00:07:33
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/12/2005
Kaspersky Anti-Virus database records: 155192
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 75807
Number of viruses found: 7
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 4688 sec

Infected Object Name - Virus Name
C:\!KillBox\mstool.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\!KillBox\secure32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\!KillBox\tool1.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\!KillBox\tool2.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\!KillBox\toolbar.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\!KillBox\winstall.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip/start.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip/start.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP238\A0042048.exe/run.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP238\A0042048.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP244\A0042539.exe Infected: Trojan-Downloader.Win32.INService.gen
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048687.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048691.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048692.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048694.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048697.exe Infected: not-virus:Hoax.Win32.Renos.ae

Scan process completed.

Regards, Rockman

15.12.2005, 17:28
Honorary member
Sabina

Posts: 29434
#25 disable System Restore... then enable it again
http://virus-protect.org/systemwiederherstellung.html

and manually empty everything in the KillBox

DELETE:
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip
then scan with http://virus-protect.org/cureit.html

then everything should be OK again ;)
__________
Regards, Sabina

all about PC security

15.12.2005, 18:08
...new here

Posts: 8
#26 System Restore completed!

Should I delete the KillBox completely?
The whole folder, that is?

Rormu501 deleted!

Oh, and can I delete fix.reg and sheriff.reg from my desktop?
Or do I have to leave them there?

Regards, Rockman
This post was edited by Rockman on 15.12.2005 at 18:35.

16.12.2005, 11:46
Honorary member
Sabina

Posts: 29434
#27 you can delete the reg files; they have already been merged into the registry.
if you scan with Kaspersky again now, everything should stay clean
__________
Regards, Sabina

all about PC security

02.01.2006, 12:16
...new here

Posts: 8
#28 Hello Sabina

I have the problem too

here are my logs:

1.

Verzeichnis von C:\WINDOWS\system32

02.01.2006 08:57 35.870 vsconfig.xml
01.01.2006 20:13 373.114 perfh007.dat
01.01.2006 20:13 365.410 perfh009.dat
01.01.2006 20:13 46.414 perfc009.dat
01.01.2006 20:13 56.062 perfc007.dat
01.01.2006 20:13 848.274 PerfStringBackup.INI
01.01.2006 20:10 226.408 FNTCACHE.DAT
01.01.2006 19:39 1.158 wpa.dbl
01.01.2006 19:30 251 spupdwxp.log
01.01.2006 18:05 4.212 zllictbl.dat
08.12.2005 16:25 2.723.680 MRT.exe
01.12.2005 04:31 1.492.480 shdocvw.dll
24.11.2005 00:58 3.013.632 mshtml.dll
24.11.2005 00:58 1.022.464 browseui.dll
15.11.2005 00:51 71.440 zlcommdb.dll
15.11.2005 00:51 79.624 zlcomm.dll
15.11.2005 00:51 100.104 vsxml.dll
15.11.2005 00:51 382.728 vsutil.dll
15.11.2005 00:51 71.440 vsregexp.dll
15.11.2005 00:50 227.088 vspubapi.dll
15.11.2005 00:50 104.208 vsmonapi.dll
15.11.2005 00:50 141.064 vsinit.dll
15.11.2005 00:50 372.816 vsdatant.sys
15.11.2005 00:50 83.720 vsdata.dll
15.11.2005 00:34 54.960 vsutil_loc0407.dll
05.11.2005 04:16 606.208 urlmon.dll
05.11.2005 04:16 1.056.256 danim.dll
21.10.2005 04:40 664.064 wininet.dll
21.10.2005 04:40 474.112 shlwapi.dll
21.10.2005 04:40 39.424 pngfilt.dll
21.10.2005 04:40 146.432 msrating.dll
21.10.2005 04:40 448.512 mshtmled.dll
21.10.2005 04:40 530.944 mstime.dll
21.10.2005 04:40 96.768 inseng.dll
21.10.2005 04:40 251.392 iepeers.dll
21.10.2005 04:40 152.064 cdfview.dll
21.10.2005 04:40 205.312 dxtrans.dll
21.10.2005 04:40 55.808 extmgr.dll
20.10.2005 23:25 1.094.144 esent.dll
17.10.2005 20:58 65.536 QuickTimeVR.qtx
17.10.2005 20:57 49.152 QuickTime.qts
16.10.2005 19:47 176.167 rmoc3260.dll
16.10.2005 19:47 6.656 pndx5016.dll
16.10.2005 19:47 5.632 pndx5032.dll
16.10.2005 19:47 278.528 pncrt.dll
13.10.2005 00:11 15.584 spmsg.dll
07.10.2005 12:50 483.328 actskn45.ocx
06.10.2005 04:18 280.064 gdi32.dll
06.10.2005 04:08 1.839.616 win32k.sys


2.

Verzeichnis von C:\DOKUME~1\TOBIAS~1\LOKALE~1\Temp

02.01.2006 08:58 16.384 ~DF729D.tmp
02.01.2006 08:58 512 ~DFEED.tmp
02.01.2006 08:58 16.384 ~DFEA0.tmp
02.01.2006 08:58 16.384 Perflib_Perfdata_d6c.dat
4 Datei(en) 49.664 Bytes
0 Verzeichnis(se), 20.282.793.984 Bytes frei


3.

Verzeichnis von C:\WINDOWS

02.01.2006 10:25 1.125 winamp.ini
02.01.2006 09:19 927 win.ini
02.01.2006 08:57 426.173 WindowsUpdate.log
02.01.2006 08:57 4.052 ModemLog_Smart Link 56K Modem.txt
02.01.2006 08:57 159 wiadebug.log
02.01.2006 08:57 50 wiaservc.log
02.01.2006 08:56 2.048 bootstat.dat
02.01.2006 08:55 32.622 SchedLgU.Txt
01.01.2006 20:06 2.901 mozver.dat
01.01.2006 19:32 316.640 WMSysPr9.prx
01.01.2006 18:26 0 nsreg.dat
01.01.2006 18:25 1.405.223 setupapi.log.0.old
01.01.2006 18:22 107.132 UninstallFirefox.exe
01.01.2006 17:21 0 tool5.exe
01.01.2006 17:21 0 tool4.exe
01.01.2006 17:21 0 tool3.exe
01.01.2006 17:21 0 tool1.exe
01.01.2006 17:21 0 toolbar.exe
01.01.2006 17:21 1.999 desktop.html
01.01.2006 17:20 0 uniq

30.12.2005 21:07 115 PTGE.INI
18.12.2005 14:58 115 PTEG.INI
27.08.2005 20:33 6.400 balloon.wav
27.05.2005 00:22 10.752 hh.exe
23.04.2005 09:53 1.333 hosts
23.04.2005 09:53 0 dimak

03.04.2005 12:53 211 uno.ini


4.

Verzeichnis von C:\

02.01.2006 12:09 0 sys.txt
02.01.2006 12:08 5.107 system.txt
02.01.2006 12:07 453 systemtemp.txt
02.01.2006 12:05 95.861 system32.txt
02.01.2006 08:56 1.610.612.736 pagefile.sys
01.01.2006 21:12 80.597 hpfr3740.log
01.01.2006 18:51 211 boot.ini
01.01.2006 18:45 47.564 NTDETECT.COM
01.01.2006 18:45 251.184 ntldr
30.12.2005 21:07 215 stterm.2
30.12.2005 21:07 0 stterm.u
23.08.2005 12:33 18 stterm
23.04.2005 09:53 252 tmp.txt


Log from Silentrunner:


"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"vmlib" = "vmlib.exe" [file not found]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"BearShare" = ""C:\Programme\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"" [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
EncodeDivXExt\(Default) = "{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\DivX\Dr.DivX\EncodeDivXExt.dll" [empty string]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]

HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
[disables the Display Properties|Desktop (tab) (except the "Customize
Desktop..." button); selects wallpaper if Active Desktop is enabled]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.

Wallpaper selected via Group Policy.


Startup items in "Tobias Schäfer" & "All Users" startup folders:
----------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 29
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "C:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
SmartLinkService, SLService, "slserv.exe" [" "]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 43 seconds, including 10 seconds for message boxes)





Please help me!!!!

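A small triage parser for the Silent Runners report format posted above, added here as an example; it is not part of the original post and not code from Silent Runners. The names `parse_entries`, `shell_extras` and `triage` are assumptions made for this example, the sample text is an excerpt copied from the report above, and the rule that a Winlogon `Shell` value should contain nothing beyond `explorer.exe` reflects the Windows XP default.

```python
import re
from typing import List, NamedTuple, Tuple

# Excerpt of the Silent Runners report posted above (lines copied from it).
SAMPLE_REPORT = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"vmlib" = "vmlib.exe" [file not found]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"" [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]

HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
'''

KEY_RE = re.compile(r'^(HK[A-Z]+\\.*\\)(?:\s*\{\+\+\})?$')   # registry key header
WARN_RE = re.compile(r'^(INFECTION|HIJACK) WARNING!\s+(.*)$')  # script's own flags
ENTRY_RE = re.compile(r'^"?([^"=]+?)"?\s*=\s*(.*)$')           # name = value [notes]
NOTE_RE = re.compile(r'\[([^\]]*)\]')                          # [MS], [file not found]


class Entry(NamedTuple):
    key: str       # registry key the entry was listed under
    name: str      # value name
    value: str     # value data as printed (quotes kept)
    notes: tuple   # bracketed annotations, e.g. publisher or "file not found"
    warning: str   # "INFECTION", "HIJACK" or ""


def parse_entries(report: str) -> List[Entry]:
    """Turn the report text into Entry records, tracking the current key."""
    entries, key = [], ""
    for raw in report.splitlines():
        line = raw.strip()
        header = KEY_RE.match(line)
        if header:
            key = header.group(1)
            continue
        warning = ""
        flagged = WARN_RE.match(line)
        if flagged:
            warning, line = flagged.group(1), flagged.group(2)
        entry = ENTRY_RE.match(line)
        if not (key and entry):
            continue  # description lines, section titles, blanks
        value, _, tail = entry.group(2).partition(" [")
        notes = tuple(n.strip('"') for n in NOTE_RE.findall("[" + tail)) if tail else ()
        entries.append(Entry(key, entry.group(1), value.strip(), notes, warning))
    return entries


def shell_extras(value: str) -> str:
    """Return whatever a Winlogon Shell value launches besides explorer.exe."""
    inner = value.strip()
    if inner.startswith('"') and inner.endswith('"'):
        inner = inner[1:-1]
    if inner.lower() == "explorer.exe":
        return ""
    if inner.lower().startswith("explorer.exe"):
        return inner[len("explorer.exe"):].strip().strip('"')
    return inner


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs that deserve a manual look."""
    findings = []
    for e in entries:
        if e.warning:
            findings.append((e, e.warning + " WARNING raised by the script"))
        if "file not found" in e.notes:
            findings.append((e, "launch point references a missing file"))
        if e.key.lower().endswith("\\winlogon\\") and e.name.lower() == "shell":
            extra = shell_extras(e.value)
            if extra:
                findings.append((e, "Shell runs more than explorer.exe: " + extra))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_entries(SAMPLE_REPORT)):
        print(entry.key + entry.name, "->", reason)
```

A launch point marked `[file not found]` still runs at every logon, so it has to be removed from the registry as well as from disk.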
02.01.2006, 12:32
Honorary member
Sabina

Posts: 29434
#29 valerossi

go into the registry
Start --> Run --> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Wallpaper" = "C:\WINDOWS\desktop.html" <-- delete

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

(Options: Delete on Reboot / Process all in List) --> tick
paste in:
...
and click the red cross; when asked "Do you want to reboot?", click "no" and paste in the next one; only for the last one click "yes"

C:\WINDOWS\tool5.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\desktop.html
C:\WINDOWS\uniq
C:\WINDOWS\balloon.wav
C:\WINDOWS\hosts
C:\WINDOWS\dimak

PC neustarten

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

laden--> in den abgesicherten Modus booten --> öffne smitRem folder --> Doppelklick: RunThis.bat warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)

http://siri.urz.free.fr/Fix/SmitfraudFix.zip
1. doppelklick smitfraudfix.cmd
2. klicke 1 (es wird ein Report von den infizierten Dateien erstellt)
3. starte den PC neu und druecke beim Hochfahren die Taste F8 und waehle "Abgesicherter Modus"
4. doppelklick smitfraudfix.cmd
5. klicke 2
6. auf die Frage: "Voulez-vous nettoyer le registre ?" antworte mit: o
falls festgestellt wird, dass die Datei wininet.dll infiziert ist, antworte auf die Frage: " Corriger le fichier infecté ?" mit o

wenn der scane beeendet ist, kopiere die Logfile ab

------------------

Hijackthis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder
--> None of the above just start the program --> Save --> Savelog --> Notepad opens
now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click
__________
Regards, Sabina

all about PC security
02.01.2006, 13:47
...new here

Posts: 8
#30 Hi Sabina

I have now done everything that way.

When Windows starts, an error message still comes up at the beginning:

ibm00001.exe not found!!!!



Here are the logs:


Smitfound Log:

SmitFraudFix v2.11

Rapport fait à 13:19:18,59 le 02.01.2006
Executé à partir de C:\Dokumente und Einstellungen\Tobias Sch„fer\Druckumgebung\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés



»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» Fin du rapport










Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 13:43:20, on 02.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\BearShare\BearShare.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Dokumente und Einstellungen\Tobias Schäfer\Druckumgebung\Desktop\Neuer Ordner\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vmlib] vmlib.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1665febc752071ab5118/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136136312343
O17 - HKLM\System\CCS\Services\Tcpip\..\{88B41272-458A-48B5-BB11-C5D07DEF73B6}: NameServer = 217.237.149.225 217.237.150.141
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I did my best and always followed the instructions!!!

Regards, Tobias
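
Added example, not part of the original posts: the startup error reported in post #30 names the same file that the F2 line of the HijackThis log still lists after explorer.exe in the Shell value (the Windows default Shell value is explorer.exe alone). The sketch below parses such a log, extracts everything in Shell= besides explorer.exe, and checks it against the "Running processes" list; the function names are made up for this example and the sample input is a few lines excerpted from the log above.

```python
import re

# Sample input: lines excerpted from the HijackThis log in post #30.
SAMPLE_LOG = r'''Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
'''

ENTRY = re.compile(r'^([A-Z]\d+) - (.*)$')   # e.g. "F2 - ...", "O4 - ...", "O23 - ..."
TOKEN = re.compile(r'"([^"]*)"|(\S+)')       # quoted path or bare word

def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith('running processes'):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def shell_extras(entries):
    """Return everything listed in an F2 Shell= value besides explorer.exe."""
    extras = []
    for code, body in entries:
        if code != 'F2' or 'Shell=' not in body:
            continue
        value = body.split('Shell=', 1)[1]
        tokens = [quoted or bare for quoted, bare in TOKEN.findall(value)]
        extras += [t for t in tokens if t.lower().rsplit('\\', 1)[-1] != 'explorer.exe']
    return extras

def report(text):
    """Pair each extra Shell item with whether it appears as a running process."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    return [(path, path.lower() in running) for path in shell_extras(entries)]

if __name__ == '__main__':
    for path, is_running in report(SAMPLE_LOG):
        print(f'Shell also launches: {path} (running: {is_running})')
```

A Shell item that is referenced at logon but absent from the running processes matches the "not found" message at startup: the registry value still points at a file that is no longer there.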