Trojan Downloader.AK

20.11.2005, 18:00
Honorary member
Argus

Posts: 6028
#1 @Sabina
Here is my logfile
Kaspersky removed this Trojan
Do you still see anything in the log?
I could no longer change the desktop background, I thought it was caused by this Trojan
I spent the whole day on it
Is it a bug in Spybot S&D? ;)


Logfile of HijackThis v1.99.1
Scan saved at 17:50:18, on 20-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Stan's Stuff, Inc\Klox\klox.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\eScan\MAILSCAN.EXE
C:\PROGRA~1\eScan\kavss.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\eScan\avpm.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Die beste Seite die es gibt http://board.protecus.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Klox.lnk = C:\Program Files\Stan's Stuff, Inc\Klox\klox.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
__________
Regards, Argus
21.11.2005, 13:08
Honorary member
Sabina

Posts: 29434
#2 Hello @Arnold ;)

post the 4 text files
http://virus-protect.org/datfindbat.html

---------------------------
try to post the log from Silent Runners
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
21.11.2005, 13:31
Honorary member
Thread starter
Argus

Posts: 6028
#3 De volumenaam van station C is WindowsXP
Het volumenummer is B027-71BC

Map van C:\WINDOWS\system32

21-11-2005 11:44 74.304 Status.MPF
20-11-2005 15:50 2.550 Uninstall.ico
20-11-2005 15:50 1.406 Help.ico
20-11-2005 15:50 1.718 Open.ico
20-11-2005 15:50 1.406 AddQuit.ico
20-11-2005 15:50 5.350 IE.ico
20-11-2005 15:50 9.470 Desktop.ico
20-11-2005 15:50 1.718 Quick.ico
19-11-2005 17:10 7.264 eInstall.dat
19-11-2005 10:13 13.646 wpa.dbl
17-11-2005 23:17 34.308 BASSMOD.dll
09-11-2005 10:32 243.920 FNTCACHE.DAT
02-11-2005 06:34 2.376.032 MRT.exe

De volumenaam van station C is WindowsXP
Het volumenummer is B027-71BC

Map van C:\DOCUME~1\Arnold\LOCALS~1\Temp

21-11-2005 13:03 2.143 java_install_reg.log
21-11-2005 12:55 2.048.000 Acr5AB.tmp
21-11-2005 12:55 0 Acr5A9.tmp
21-11-2005 12:55 179 Acr599.tmp
21-11-2005 12:55 426 Acr59B.tmp
21-11-2005 12:37 2.173 jusched.log
21-11-2005 12:37 663 jupdate1.5.0.xml
21-11-2005 11:43 0 sqlite_Vjmo9Z0EGcP3nfU
21-11-2005 10:16 0 is34.tmp
21-11-2005 10:15 0 is2D.tmp
21-11-2005 10:15 109.056 79d1c8.mst
20-11-2005 23:43 31.564 AAX92.tmp
20-11-2005 23:43 29.060 AAX91.tmp
13 bestand(en) 2.223.264 bytes
0 map(pen) 15.705.660.928 bytes beschikbaar

De volumenaam van station C is WindowsXP
Het volumenummer is B027-71BC

Map van C:\WINDOWS

21-11-2005 11:44 3.168 win.ini
21-11-2005 11:43 0 0.log
21-11-2005 11:43 159 wiadebug.log
21-11-2005 11:43 90.218 WindowsUpdate.log
21-11-2005 11:43 50 wiaservc.log
21-11-2005 11:42 38.200 ESCAN.LOG
21-11-2005 11:42 792 frights.log
21-11-2005 11:42 2.048 bootstat.dat
21-11-2005 11:41 32.626 SchedLgU.Txt
20-11-2005 22:54 80.894 setupapi.log
20-11-2005 22:22 41 popcinfo.dat
20-11-2005 15:50 32 pavsig.txt
20-11-2005 00:28 83.168 ntbtlog.txt
19-11-2005 17:58 180 setupact.log
19-11-2005 17:57 0 setuperr.log
19-11-2005 17:33 0 Sti_Trace.log
19-11-2005 17:31 361 MAILINST.LOG
19-11-2005 17:31 14.444 WSSPORD.DAT
19-11-2005 17:25 25 escan.dbf
19-11-2005 17:24 237 system.ini
17-11-2005 20:48 4 RM_RESULT.DAT
17-11-2005 19:53 170 GetServer.ini
17-11-2005 19:52 1.142.784 TMUPDATE.DLL
17-11-2005 19:52 69.689 UNZIP.DLL
17-11-2005 19:52 208.896 PATCH.EXE
16-11-2005 18:36 3.851.289 REGBK04.ZIP
16-11-2005 05:56 16.502.861 VPTNFILE.951
16-11-2005 05:56 16.502.861 lpt$vpn.951
15-11-2005 22:43 69 NeroDigital.ini
15-11-2005 21:10 2.440.100 tsc.ptn
14-11-2005 16:25 4.096 d3dx.dat
08-11-2005 20:46 3.925.374 REGBK03.ZIP
25-10-2005 08:33 46.841 TMVAmain.ptn
25-10-2005 01:05 180.504 TMVAINFO.xml
23-10-2005 12:30 1 AR.DAT
17-10-2005 22:34 3.904.499 REGBK02.ZIP
10-10-2005 09:57 3.889.865 REGBK01.ZIP
02-10-2005 00:12 3.386.984 tmadce.ptn
30-09-2005 15:54 3.888.486 REGBK00.ZIP
12-09-2005 16:41 424.960 WRServices.dll
27-06-2005 22:15 (2) winstart.bat
27-05-2005 00:22 10.752 hh.exe
23-04-2005 10:28 223 HP PrecisionScan Pro.INI
24-03-2005 16:08 25.088 inst_tsp.exe
09-03-2005 20:00 19 addrem.ini
04-03-2005 13:10 106.496 bdoscandel.exe
01-03-2005 14:30 453 bdoscandellang.ini
18-02-2005 18:40 1.044.560 vsapi32.dll
01-02-2005 12:11 316.640 WMSysPr9.prx
10-01-2005 16:17 170.053 tsc.exe
06-01-2005 01:12 749 WindowsShell.Manifest

De volumenaam van station C is WindowsXP
Het volumenummer is B027-71BC

Map van C:\

21-11-2005 13:27 0 sys.txt
21-11-2005 13:26 6.111 system.txt
21-11-2005 13:25 883 systemtemp.txt
21-11-2005 13:24 107.914 system32.txt
21-11-2005 12:20 5 AVPCallback.log
21-11-2005 11:48 344 23990098.$$$
21-11-2005 11:43 0 Log.txt
21-11-2005 11:42 402.653.184 pagefile.sys
19-11-2005 23:36 0 mcaf.log
19-11-2005 17:57 695 smitfiles.txt
09-11-2005 10:37 211 boot.ini

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"MailScan Dispatcher" = ""C:\Program Files\eScan\LAUNCH.EXE"" ["MicroWorld Technologies Inc."]
"eScan Monitor" = "C:\PROGRA~1\eScan\AVPMWrap.EXE" ["MicroWorld Technologies Inc."]
"eScan Updater" = "C:\PROGRA~1\eScan\TRAYICOS.EXE /App" ["MicroWorld Technologies Inc."]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"SPAMfighter Agent" = ""C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60" ["SPAMfighter ApS"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Verzendmap van Share-to-Web"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wns.dll" ["Hewlett-Packard"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Bureaubladverkenner"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Arnold\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
__________
Regards, Argus
21.11.2005, 15:04
Honorary member
Sabina

Posts: 29434
#4 the Silent Runners log is not complete... or is it?

copy more days here....back to August.....
Map van C:\WINDOWS\system32
__________
Regards, Sabina

all about PC security
21.11.2005, 17:11
Honorary member
Thread starter
Argus

Posts: 6028
#5 "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"MailScan Dispatcher" = ""C:\Program Files\eScan\LAUNCH.EXE"" ["MicroWorld Technologies Inc."]
"eScan Monitor" = "C:\PROGRA~1\eScan\AVPMWrap.EXE" ["MicroWorld Technologies Inc."]
"eScan Updater" = "C:\PROGRA~1\eScan\TRAYICOS.EXE /App" ["MicroWorld Technologies Inc."]
"MPFExe" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"SPAMfighter Agent" = ""C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60" ["SPAMfighter ApS"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Verzendmap van Share-to-Web"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wns.dll" ["Hewlett-Packard"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Bureaubladverkenner"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Arnold\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Arnold" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
"Klox" -> shortcut to: "C:\Program Files\Stan's Stuff, Inc\Klox\klox.exe" ["Stan Hudecek"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
mwtsp.dll ["MicroWorld Technologies Inc."], 01 - 11, 23
%SystemRoot%\system32\mswsock.dll [MS], 12 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 21 - 22


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Onderzoek"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Onderzoek"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

eScan Monitor Service, KAVMonitorService, "C:\PROGRA~1\eScan\avpm.exe /service" ["Kaspersky Labs."]
eScan Server-Updater, eScan-trayicos, "C:\PROGRA~1\eScan\TRAYSSER.EXE" ["MicroWorld Technologies Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 21 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 34 seconds.
---------- (total run time: 105 seconds)

Is that OK?

De volumenaam van station C is WindowsXP
Het volumenummer is B027-71BC

Map van C:\WINDOWS\system32

21-11-2005 11:44 74.304 Status.MPF
20-11-2005 15:50 2.550 Uninstall.ico
20-11-2005 15:50 1.406 Help.ico
20-11-2005 15:50 1.718 Open.ico
20-11-2005 15:50 1.406 AddQuit.ico
20-11-2005 15:50 5.350 IE.ico
20-11-2005 15:50 9.470 Desktop.ico
20-11-2005 15:50 1.718 Quick.ico
19-11-2005 17:10 7.264 eInstall.dat
19-11-2005 10:13 13.646 wpa.dbl
17-11-2005 23:17 34.308 BASSMOD.dll
09-11-2005 10:32 243.920 FNTCACHE.DAT
02-11-2005 06:34 2.376.032 MRT.exe
30-10-2005 11:06 424.766 perfh013.dat
30-10-2005 11:06 76.900 perfc013.dat
30-10-2005 11:06 366.504 perfh009.dat
30-10-2005 11:06 60.434 perfc009.dat
30-10-2005 11:06 938.556 PerfStringBackup.INI
06-10-2005 04:19 280.064 gdi32.dll
06-10-2005 04:11 1.839.616 win32k.sys
05-10-2005 01:27 3.013.120 mshtml.dll
03-10-2005 14:45 0 asfiles.txt
23-09-2005 04:08 8.497.664 shell32.dll
10-09-2005 02:55 2.067.968 cdosys.dll
03-09-2005 00:55 661.504 wininet.dll
03-09-2005 00:55 605.184 urlmon.dll
03-09-2005 00:55 474.112 shlwapi.dll
03-09-2005 00:55 1.483.776 shdocvw.dll
03-09-2005 00:55 530.432 mstime.dll
03-09-2005 00:55 39.424 pngfilt.dll
03-09-2005 00:55 146.432 msrating.dll
03-09-2005 00:55 448.512 mshtmled.dll
03-09-2005 00:54 251.392 iepeers.dll
03-09-2005 00:54 96.768 inseng.dll
03-09-2005 00:54 55.808 extmgr.dll
03-09-2005 00:54 205.312 dxtrans.dll
03-09-2005 00:54 1.056.768 danim.dll
03-09-2005 00:54 1.020.416 browseui.dll
03-09-2005 00:54 151.552 cdfview.dll
01-09-2005 03:28 19.968 linkinfo.dll
01-09-2005 03:28 292.352 winsrv.dll
30-08-2005 04:56 1.291.264 quartz.dll
23-08-2005 23:16 349.760 mcinsctl.dll
23-08-2005 04:40 124.416 umpnpmgr.dll
22-08-2005 19:36 197.632 netman.dll
16-08-2005 16:13 9.216 MpfApi.dll
11-08-2005 16:12 65.024 nwwks.dll
03-08-2005 09:33 520.456 LegitCheckControl.DLL

Regarding Spybot S&D:
After the scan there was only one message, from Desktop.ActiveDesktop
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:0

With
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

I got everything working again
Then ran Spybot again, and my background could not be changed again
I also removed Spybot because of trouble with eScan and McAfee

Regards
Arnold
__________
Regards, Argus
21.11.2005, 23:25
Honorary member
Sabina

Posts: 29434
#6 copy this:
http://virus-protect.org/winpfind.html
WinPFind here ...the complete thing lol

Quote

Map van C:\DOCUME~1\Arnold\LOCALS~1\Temp

21-11-2005 13:03 2.143 java_install_reg.log
21-11-2005 12:55 2.048.000 Acr5AB.tmp
21-11-2005 12:55 0 Acr5A9.tmp
21-11-2005 12:55 179 Acr599.tmp
21-11-2005 12:55 426 Acr59B.tmp
21-11-2005 12:37 2.173 jusched.log
21-11-2005 12:37 663 jupdate1.5.0.xml
21-11-2005 11:43 0 sqlite_Vjmo9Z0EGcP3nfU ???
delete the temp files with Cleanup
http://virus-protect.org/cleanup.html
__________
Regards, Sabina

all about PC security
25.11.2005, 22:40
...new here

Posts: 4
#7 hi
I think I have the same problem as Arnold, but what have you two written there together?
How do I get rid of it?
The worm, trojan and virus programs delete a few files, but it is still there!

Kurzei
25.11.2005, 23:11
Honorary member
Thread starter
Argus

Posts: 6028
#8 @Kurzei2
Post a log from HijackThis
HijackThis direct download: http://216.180.233.162/~merijn/files/HijackThis.exe

post the 4 text files
http://virus-protect.org/datfindbat.html
__________
Regards, Argus
26.11.2005, 17:05
...new here

Posts: 4
#9 hi

is this how it goes??

Datenträger in Laufwerk D: ist Windows
Volumeseriennummer: 64A6-BDA6

Verzeichnis von D:\WINDOWS\system32

26.11.2005 15:16 39.291 nvapps.xml
21.11.2005 14:54 50.714 interceptor.sys
21.11.2005 14:49 36.864 intercept.dll
20.11.2005 00:08 77.824 ca2.dll
20.11.2005 00:08 274.432 sfi2.dll

19.11.2005 16:31 2.184 wpa.dbl
15.11.2005 16:36 240.736 FNTCACHE.DAT
14.11.2005 16:37 8.464 sporder.dll
04.11.2005 23:33 552 d3d8caps.dat
03.11.2005 20:08 311.604 perfh009.dat
03.11.2005 20:08 316.594 perfh007.dat
03.11.2005 20:08 39.992 perfc009.dat
03.11.2005 20:08 48.156 perfc007.dat
03.11.2005 20:08 723.744 PerfStringBackup.INI
03.11.2005 20:00 16.832 amcompat.tlb
03.11.2005 20:00 23.392 nscompat.tlb
03.11.2005 19:58 2.780 qtplugin.log
03.11.2005 19:57 157.696 rmoc3260.dll
03.11.2005 19:57 5.632 pndx5032.dll
03.11.2005 19:57 25.088 prefscpl.cpl
03.11.2005 19:57 6.656 pndx5016.dll
03.11.2005 19:57 278.528 pncrt.dll
03.11.2005 18:38 25.065 wmpscheme.xml
03.11.2005 18:28 261 $winnt$.inf
03.11.2005 18:25 488 logonui.exe.manifest
03.11.2005 18:25 488 WindowsLogon.manifest
03.11.2005 18:25 749 sapi.cpl.manifest
03.11.2005 18:25 749 nwc.cpl.manifest
03.11.2005 18:25 749 cdplayer.exe.manifest
03.11.2005 18:25 749 wuaucpl.cpl.manifest
03.11.2005 18:25 749 ncpa.cpl.manifest
03.11.2005 18:22 21.740 emptyregdb.dat
03.11.2005 18:20 0 h323log.txt
10.10.2005 22:51 180.224 NVUNINST.EXE
10.10.2005 22:51 180.224 nvuenet.exe
10.10.2005 21:49 286.720 nvnt4cpl.dll
10.10.2005 21:49 5.378.048 nvoglnt.dll
10.10.2005 21:49 34.304 nvcod.dll
10.10.2005 21:49 319.488 nvrsar.dll
10.10.2005 21:49 241.664 nvrscs.dll
10.10.2005 21:49 245.760 nvrsda.dll
10.10.2005 21:49 270.336 nvrsde.dll
10.10.2005 21:49 274.432 nvrsel.dll
10.10.2005 21:49 241.664 nvrseng.dll
10.10.2005 21:49 274.432 nvrses.dll
10.10.2005 21:49 266.240 nvrsesm.dll
10.10.2005 21:49 241.664 nvrsfi.dll
10.10.2005 21:49 442.368 nvappbar.exe
10.10.2005 21:49 278.528 nvrsfr.dll
10.10.2005 21:49 45.056 nvapi.dll
10.10.2005 21:49 3.921.024 nv4_disp.dll
10.10.2005 21:49 34.304 nvcodins.dll
10.10.2005 21:49 147.456 nvcolor.exe
10.10.2005 21:49 86.016 nvmctray.dll
10.10.2005 21:49 1.339.392 nvdspsch.exe
10.10.2005 21:49 425.984 keystone.exe
10.10.2005 21:49 45.056 nvmccsrs.dll
10.10.2005 21:49 319.488 nvrshe.dll
10.10.2005 21:49 253.952 nvrshu.dll
10.10.2005 21:49 1.519.616 nwiz.exe
10.10.2005 21:49 15.868 nvdisp.nvu
10.10.2005 21:49 167.936 nvwrszht.dll
10.10.2005 21:49 229.376 nvmccs.dll
10.10.2005 21:49 303.104 nvwrstr.dll
10.10.2005 21:49 294.912 nvwrssv.dll
10.10.2005 21:49 303.104 nvwrssl.dll
10.10.2005 21:49 299.008 nvwrssk.dll
10.10.2005 21:49 315.392 nvwrsru.dll
10.10.2005 21:49 319.488 nvwrsptb.dll
10.10.2005 21:49 323.584 nvwrspt.dll
10.10.2005 21:49 294.912 nvwrspl.dll
10.10.2005 21:49 299.008 nvwrsno.dll
10.10.2005 21:49 319.488 nvwrsnl.dll
10.10.2005 21:49 196.608 nvwrsko.dll
10.10.2005 21:49 274.432 nvrsit.dll
10.10.2005 21:49 212.992 nvwrsja.dll
10.10.2005 21:49 323.584 nvwrsit.dll
10.10.2005 21:49 315.392 nvwrshu.dll
10.10.2005 21:49 258.048 nvrsja.dll
10.10.2005 21:49 278.528 nvwrshe.dll
10.10.2005 21:49 327.680 nvwrsfr.dll
10.10.2005 21:49 303.104 nvwrsfi.dll
10.10.2005 21:49 327.680 nvwrsesm.dll
10.10.2005 21:49 335.872 nvwrses.dll
10.10.2005 21:49 286.720 nvwrseng.dll
10.10.2005 21:49 335.872 nvwrsel.dll
10.10.2005 21:49 311.296 nvwrsde.dll
10.10.2005 21:49 294.912 nvwrsda.dll
10.10.2005 21:49 1.466.368 nview.dll
10.10.2005 21:49 286.720 nvwrscs.dll
10.10.2005 21:49 282.624 nvwrsar.dll
10.10.2005 21:49 1.019.904 nvwimg.dll
10.10.2005 21:49 1.662.976 nvwdmcpl.dll
10.10.2005 21:49 81.920 nvwddi.dll
10.10.2005 21:49 163.840 nvwrszhc.dll
10.10.2005 21:49 573.440 nvhwvid.dll
10.10.2005 21:49 180.224 nvudisp.exe
10.10.2005 21:49 73.728 nvtuicpl.cpl
10.10.2005 21:49 131.139 nvsvc32.exe
10.10.2005 21:49 466.944 nvshell.dll
10.10.2005 21:49 118.784 nvrszht.dll
10.10.2005 21:49 217.088 nvrszhc.dll
10.10.2005 21:49 249.856 nvrstr.dll
10.10.2005 21:49 245.760 nvrssv.dll
10.10.2005 21:49 7.286.784 nvcpl.dll
10.10.2005 21:49 249.856 nvrssl.dll
10.10.2005 21:49 249.856 nvrssk.dll
10.10.2005 21:49 262.144 nvrsru.dll
10.10.2005 21:49 262.144 nvrsptb.dll
10.10.2005 21:49 266.240 nvrspt.dll
10.10.2005 21:49 249.856 nvrspl.dll
10.10.2005 21:49 249.856 nvrsno.dll
10.10.2005 21:49 266.240 nvrsnl.dll
10.10.2005 21:49 253.952 nvrsko.dll
25.05.2005 13:10 127.632 tsuninst.exe
19.04.2005 14:55 66.848 filter.exe
19.04.2005 14:55 53.248 SSubTmr6.dll
19.04.2005 14:55 372.736 TidyAtl.dll
19.04.2005 14:55 279.800 FTPX.dll
09.11.2004 23:21 225.280 AOLDial.dll
18.08.2004 09:34 442.368 vp6vfw.dll
19.07.2004 16:19 285.696 kstvtune.ax
09.07.2004 04:27 122.880 dmusic.dll
09.07.2004 04:27 974.848 dxdiag.exe
09.07.2004 04:27 316.928 qdv.dll
26.11.2005, 21:04
Honorary member
Avatar Sabina

Posts: 29434
#10 post the 4 text files
http://virus-protect.org/datfindbat.html

Verzeichnis von C:\WINDOWS\system32
Verzeichnis von C:\DOKUME~1\Username\LOKALE~1\Temp
Verzeichnis von C:\WINDOWS
Verzeichnis von C:\


At the top of the page --> click Browse --> pick the file --> double-click the file to be checked --> click Submit... now wait --> copy the result into the security forum
http://www.virustotal.com/flash/index_en.html

D:\WINDOWS\system32\intercept.dll
D:\WINDOWS\system32\sporder.dll


-

Quote

-----------
info:Adware.TargetSaver
25.05.2005 13:10 127.632 tsuninst.exe
http://securityresponse.symantec.com/avcenter/venc/data/adware.targetsaver.html

__________
Regards, Sabina

all about PC security
27.11.2005, 20:01
...new here

Posts: 4
#11 like this, or what do you mean?? I
know my way around this so well; what does "post" actually mean??



Datenträger in Laufwerk D: ist Windows
Volumeseriennummer: 64A6-BDA6

Verzeichnis von D:\

27.11.2005 20:02 0 sys.txt
27.11.2005 20:02 5.702 system.txt
27.11.2005 20:02 7.635 systemtemp.txt
27.11.2005 20:02 93.529 system32.txt
27.11.2005 17:48 1.610.612.736 pagefile.sys
5 Datei(en) 1.610.719.602 Bytes
0 Verzeichnis(se), 4.821.086.208 Bytes frei
27.11.2005, 21:40
Honorary member
Avatar Sabina

Posts: 29434
#12 posting means --> copy it in here.

Now you've already managed to copy two of the four logs here.
Maybe the remaining two will follow too....

Verzeichnis von D:\DOKUME~1\Username\LOKALE~1\Temp
Verzeichnis von D:\WINDOWS
__________
Regards, Sabina

all about PC security
28.11.2005, 16:04
...new here

Posts: 3
#13 here's the second one

Datenträger in Laufwerk D: ist Windows
Volumeseriennummer: 64A6-BDA6

Verzeichnis von D:\DOKUME~1\MEINS~1\LOKALE~1\Temp

28.11.2005 15:54 4 PMShared
28.11.2005 15:53 1.476 jusched.log
28.11.2005 15:32 663 jupdate1.5.0.xml
27.11.2005 20:55 376 java_install_reg.log
27.11.2005 20:55 23.560 java_install.log
27.11.2005 20:52 757 jinstall.cfg
27.11.2005 20:51 0 temp0.tmp
27.11.2005 20:44 983 TmpICQMagic_{EC202595-1DFD-4301-A1EA-13C1E331B505}27576.html
27.11.2005 20:27 0 JETA5A5.tmp
27.11.2005 20:16 16.384 ~DFA299.tmp
27.11.2005 20:16 512 ~DF9CB3.tmp
27.11.2005 20:16 16.384 ~DF9CA4.tmp
27.11.2005 20:12 16.384 ~DFCD80.tmp
27.11.2005 20:12 16.384 ~DFCD35.tmp
27.11.2005 20:12 16.384 ~DFCD4E.tmp
27.11.2005 20:12 16.384 ~DFCD67.tmp
16.11.2005 20:35 119.016 set110.tmp
01.01.1970 01:00 4.569 2vrmehx.ABI
18 Datei(en) 250.220 Bytes
0 Verzeichnis(se), 5.520.343.040 Bytes frei
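The listings Sabina asks for in #10 and the two the poster supplied in #11 and #13 are plain "dir" output in the German locale (day.month.year, "." as thousands separator, "<DIR>" for directories). The following is an added example, not from this thread and not the datfind.bat script itself, that parses that format, orders the entries by date and flags what a helper reads the listing for first: executable content sitting in a Temp directory and timestamps that cannot be right, such as the 01.01.1970 entry above. SAMPLE_LISTING is constructed to mirror the #13 listing; the setup_tmp.exe line, the <DIR> line and SCAN_TIME are made up for the demonstration.

```python
import os
import re
from datetime import datetime, timedelta

# One file line of German-locale "dir" output, as pasted in this thread:
#   27.11.2005 20:44 983 TmpICQMagic_{...}27576.html
# The size uses "." as thousands separator; directories show "<DIR>" instead of a size.
DIR_LINE = re.compile(
    r"^(\d{2})\.(\d{2})\.(\d{4})\s+(\d{2}):(\d{2})\s+([\d.]+|<DIR>)\s+(.+?)\s*$"
)

# Constructed sample in the shape of the Temp listing above. The .exe line and the
# <DIR> line are made up to exercise the checks; the other lines mirror the thread.
SAMPLE_LISTING = """\
 Datenträger in Laufwerk D: ist Windows
 Volumeseriennummer: 64A6-BDA6

 Verzeichnis von D:\\DOKUME~1\\MEINS~1\\LOKALE~1\\Temp

28.11.2005 15:53 1.476 jusched.log
28.11.2005 15:20 <DIR> Temporary Internet Files
27.11.2005 20:50 45.056 setup_tmp.exe
27.11.2005 20:44 983 TmpICQMagic_{EC202595-1DFD-4301-A1EA-13C1E331B505}27576.html
16.11.2005 20:35 119.016 set110.tmp
01.01.1970 01:00 4.569 2vrmehx.ABI
 5 Datei(en) 171.100 Bytes
 1 Verzeichnis(se), 5.520.343.040 Bytes frei
"""

# Assumed time the listing was taken (constructed; the #13 listing is dated 28.11.2005 around 15:54).
SCAN_TIME = datetime(2005, 11, 28, 15, 54)

# Extensions that mean "code", which has no business sitting in a Temp directory unnoticed.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse_listing(text):
    """Return [(timestamp, size_bytes_or_None, name)] for the file/dir lines of a dir listing."""
    entries = []
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if not m:  # volume header, blank lines and the summary lines do not match
            continue
        d, mo, y, hh, mi, size, name = m.groups()
        ts = datetime(int(y), int(mo), int(d), int(hh), int(mi))
        size_bytes = None if size == "<DIR>" else int(size.replace(".", ""))
        entries.append((ts, size_bytes, name))
    return entries


def newest_first(entries):
    """Names ordered most recently modified first, the order a date-sorted listing shows."""
    return [name for _, _, name in sorted(entries, key=lambda e: e[0], reverse=True)]


def find_anomalies(entries, scan_time=SCAN_TIME, window_days=14):
    """Flag entries worth a second look: timestamps that cannot be right (before 1990
    or after the scan) and executable files, noting when they were modified shortly
    before the scan. Returns a list of (name, reason)."""
    flags = []
    window_start = scan_time - timedelta(days=window_days)
    for ts, size, name in entries:
        ext = os.path.splitext(name)[1].lower()
        if ts.year < 1990 or ts > scan_time:
            flags.append((name, "implausible timestamp"))
        if size is not None and ext in EXECUTABLE_EXT:
            reason = "executable in Temp"
            if window_start <= ts <= scan_time:
                reason += ", modified within %d days of the scan" % window_days
            flags.append((name, reason))
    return flags


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for name in newest_first(parsed):
        print(name)
    for name, reason in find_anomalies(parsed):
        print("FLAG: %s (%s)" % (name, reason))
```

The checks are deliberately narrow: a Temp directory is full of recently modified files, so "recent" alone proves nothing, but a recent executable there, or a file stamped 1970, is exactly what a helper would ask to have uploaded to VirusTotal as in #10.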
28.11.2005, 18:18
Honorary member
Avatar Sabina

Posts: 29434
#14 Hello @Kurzei-2

scan with Counterspy
http://virus-protect.org/counterspy.html

after the scan you have to choose one of:
*Ignore
*Remove
*Quarantine
always choose Remove and restart the PC (then copy the scan report and paste it into the security forum)
__________
Regards, Sabina

all about PC security
28.11.2005, 19:26
...new here

Posts: 3
#15 Spyware Scan Details
Start Date: 28.11.2005 18:46:54
End Date: 28.11.2005 19:01:56
Total Time: 15 mins 2 secs

Detected spyware

W32.Spybot.Worm Worm more information...
Status: Deleted

Infected files detected
c:\winstall.exe

Infected registry entries detected
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows installer


SearchForIt.AdShooter Adware more information...
Details: AdShooter is adware that downloads and displays advertisements.
Status: Deleted

Infected files detected
d:\windows\system32\ca2.dll
d:\windows\system32\sfi2.dll

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}\InprocServer32 D:\WINDOWS\System32\sfi2.dll
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}\ProgID SYI.SYIObj.1
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}\TypeLib {F43085A3-5FBD-4954-B7BF-00A8F1A1B9FE}
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}\VersionIndependentProgID SYI.SYIObj
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd} searchforit
HKEY_CURRENT_USER\Software\searchforit\searchforit
HKEY_CURRENT_USER\Software\searchforit\searchforit ad
HKEY_CURRENT_USER\Software\searchforit\searchforit gUpdate 0
HKEY_CURRENT_USER\Software\searchforit\searchforit NID
HKEY_CURRENT_USER\Software\searchforit\searchforit toolbar_id
HKEY_CURRENT_USER\Software\searchforit\searchforit showcorrupted 1
HKEY_CURRENT_USER\Software\searchforit\searchforit updateVer
HKEY_CURRENT_USER\Software\searchforit\searchforit UpdateBegin 0
HKEY_CURRENT_USER\Software\searchforit\searchforit LastCheckTime 1132597271
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYI.SYIObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYI.SYIObj.1\CLSID {C109664B-CEB1-420b-B353-D55A561536DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYI.SYIObj.1 Searchforit
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYI.SYIObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYI.SYIObj\CLSID {C109664B-CEB1-420b-B353-D55A561536DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYI.SYIObj\CurVer SYI.SYIObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYI.SYIObj searchforit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\searchforitsearchforit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\searchforitsearchforit DisplayName searchforit - Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\searchforitsearchforit UninstallString regsvr32 /u /s "D:\WINDOWS\System32\sfi2.dll"
HKEY_CURRENT_USER\Software\DR_S
HKEY_CURRENT_USER\Software\DR_S\dp\adsh version 1.2
HKEY_CURRENT_USER\Software\DR_S\dp\adsh time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\ca version 2.0
HKEY_CURRENT_USER\Software\DR_S\dp\ca time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\sfisb version 1.0
HKEY_CURRENT_USER\Software\DR_S\dp\sfisb time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\157 1132564567 1132564567
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\157 1132574173 1132574173
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\93 1132562165 1132562165
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\93 1132571772 1132571772
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb version 1.0
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\ts version 1.0
HKEY_CURRENT_USER\Software\DR_S\dp\ts time 20051119
HKEY_CURRENT_USER\Software\DR_S u_id
HKEY_CURRENT_USER\Software\DR_S time 20051119
HKEY_CURRENT_USER\Software\DR_S lastupdate 20051119
HKEY_CURRENT_USER\Software\DR_S w_id 1071
HKEY_CURRENT_USER\Software\searchforit
HKEY_CURRENT_USER\Software\searchforit\searchforit ad
HKEY_CURRENT_USER\Software\searchforit\searchforit gUpdate 0
HKEY_CURRENT_USER\Software\searchforit\searchforit NID
HKEY_CURRENT_USER\Software\searchforit\searchforit toolbar_id
HKEY_CURRENT_USER\Software\searchforit\searchforit showcorrupted 1
HKEY_CURRENT_USER\Software\searchforit\searchforit updateVer
HKEY_CURRENT_USER\Software\searchforit\searchforit UpdateBegin 0
HKEY_CURRENT_USER\Software\searchforit\searchforit LastCheckTime 1132597271
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5F3970B-745E-46AC-B890-E08F69777D80}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5F3970B-745E-46AC-B890-E08F69777D80} Cas


Trojan.Desktophijack Trojan more information...
Details: Trojan.Desktophijack modifies the home page and desktop settings on a compromised computer.
Status: Deleted

Infected files detected
d:\windows\desktop.html

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceActiveDesktopOn 1


Spy Sheriff Potentially Unwanted Software more information...
Details: SpySheriff is known to be installed through webpages exploiting known vulnerabilities. It scans system for possible spyware infection and prompts user to register in order to clean the system.
Status: Deleted

Infected files detected
d:\windows\tool2.exe
c:\winstall.exe

Infected registry entries detected
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows installer


NewDotNet Browser Plug-in more information...
Details: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows’ Host file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.
Status: Deleted

Infected files detected
d:\windows\ndnuninstall6_38.exe
D:\WINDOWS\NDNuninstall6_98.exe


Unclassified.Spyware.103 Spyware more information...
Status: Deleted

Infected files detected
d:\windows\kl.exe


Accoona.Toolbar Toolbar more information...
Details: The Accoona Toolbar is a Internet Explorer toolbar that is bundled and installed with other programs.
Status: Deleted

Infected files detected
d:\windows\acc1.txt

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Search Assistant Tracking ID &utm_id=400010&utm_content=assist&utm_source=efc&utm_medium=bund&utm_campaign=efc0605
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Search Assistant URL http://www.accoona.com/search.jsp?
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant CommServer URL http://www.accoona.com/soap
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Content Type text/xml
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Package ID 400010
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Soap Action URL http://www.accoona.com/soap
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Updates Rate 1
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant XMLNS http://search.accoona.com
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Update Stamp
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant XMLNS http://search.accoona.com
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Updates Rate 1
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Soap Action URL http://www.accoona.com/soap
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Search Assistant URL http://www.accoona.com/search.jsp?
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Content Type text/xml
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant CommServer URL http://www.accoona.com/soap
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} (Default) Accoona Search Assistant
HKEY_CLASSES_ROOT\ABar.ABarBand
HKEY_CLASSES_ROOT\ABar.ABarBand\CLSID {364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKEY_CLASSES_ROOT\ABar.ABarBand\CurVer ABar.ABarBand.1
HKEY_CLASSES_ROOT\ABar.ABarBand ABarBand
HKEY_CLASSES_ROOT\ABar.ABarBand.1
HKEY_CLASSES_ROOT\ABar.ABarBand.1\CLSID {364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKEY_CLASSES_ROOT\ABar.ABarBand.1 ABarBand
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch\CLSID {944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch\CurVer ASearchAssist.ADefaultSearch.1
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch ADefaultSearch Class
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch.1
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch.1\CLSID {944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch.1 ADefaultSearch Class
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\InprocServer32 D:\Programme\Accoona\atoolbar.dll
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\ProgID ABar.ABarBand.1
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\TypeLib {21F022C8-C045-4555-8A90-651E6A3DC6C6}
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\VersionIndependentProgID ABar.ABarBand
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707} Accoona
HKEY_CLASSES_ROOT\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_CLASSES_ROOT\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\InprocServer32 D:\Programme\Accoona\ASearchAssist.dll
HKEY_CLASSES_ROOT\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\ProgID ASearchAssist.ADefaultSearch.1
HKEY_CLASSES_ROOT\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\TypeLib {EA3956D2-EC38-41AB-B601-47AA281E4952}
HKEY_CLASSES_ROOT\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\VersionIndependentProgID ASearchAssist.ADefaultSearch
HKEY_CLASSES_ROOT\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208} ADefaultSearch Class
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\TypeLib {EA3956D2-EC38-41AB-B601-47AA281E4952}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C} IADefaultSearch
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\TypeLib {21F022C8-C045-4555-8A90-651E6A3DC6C6}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188} IABarBand
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0\0\win32 D:\Programme\Accoona\atoolbar.dll
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0\HELPDIR D:\Programme\Accoona\
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0 Accoona Toolbar 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0\0\win32 D:\Programme\Accoona\ASearchAssist.dll
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0\HELPDIR D:\Programme\Accoona\
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0 ASearchAssist 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864A5-3916-46E2-96A9-A2E84F3F1208} Accoona Search Assistant


SpySheriff Misc more information...
Details: SpySheriff is a fake Spyware removal program. It is usually bundled with other malware.
Status: Deleted

Infected files detected
D:\WINDOWS\desktop.html
c:\winstall.exe

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows installer C:\winstall.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows installer


RBot.steam Trojan more information...
Status: Quarantined

Infected files detected
G:\games\CS 1.6\platform\steam_dev.exe


eZula.TopText Adware more information...
Details: eZula TopText is a browser hijacker that will alter all pages viewed in Internet Explorer by adding extra links to words and phrases targeted by advertisers. These links are unauthorized by the users of the sites being viewed and not part of the orig
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\drs.n
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\drs.n uID
HKEY_CURRENT_USER\Software\DR_S
HKEY_CURRENT_USER\Software\DR_S\dp\adsh version 1.2
HKEY_CURRENT_USER\Software\DR_S\dp\adsh time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\ca version 2.0
HKEY_CURRENT_USER\Software\DR_S\dp\ca time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\sfisb version 1.0
HKEY_CURRENT_USER\Software\DR_S\dp\sfisb time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\157 1132564567 1132564567
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\157 1132574173 1132574173
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\93 1132562165 1132562165
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb\93 1132571772 1132571772
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb version 1.0
HKEY_CURRENT_USER\Software\DR_S\dp\sfitb time 20051119
HKEY_CURRENT_USER\Software\DR_S\dp\ts version 1.0
HKEY_CURRENT_USER\Software\DR_S\dp\ts time 20051119
HKEY_CURRENT_USER\Software\DR_S u_id
HKEY_CURRENT_USER\Software\DR_S time 20051119
HKEY_CURRENT_USER\Software\DR_S lastupdate 20051119
HKEY_CURRENT_USER\Software\DR_S w_id 1071


ReplaceSearch Spyware more information...
Details: Internet Explorer BHO that hijacks searches.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl.1\CLSID {832BEBED-C3DA-4534-A2C2-B2FFF220C820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl.1 ReplaceSearchCtl Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl\CLSID {832BEBED-C3DA-4534-A2C2-B2FFF220C820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl\CurVer ReplaceSearch.ReplaceSearchCtl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ReplaceSearch.ReplaceSearchCtl ReplaceSearchCtl Class
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{832BEBED-C3DA-4534-A2C2-B2FFF220C820} Replace Search Ctl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\InprocServer32 D:\WINDOWS\System32\replaceSearch.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\ProgID ReplaceSearch.ReplaceSearchCtl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\TypeLib {B9C1DD92-B443-4BF1-B4C0-950E41A9F9F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\VersionIndependentProgID ReplaceSearch.ReplaceSearchCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{832BEBED-C3DA-4534-A2C2-B2FFF220C820} ReplaceSearchCtl Class
HKEY_CLASSES_ROOT\clsid\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}
HKEY_CLASSES_ROOT\clsid\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\InprocServer32 D:\WINDOWS\System32\replaceSearch.dll
HKEY_CLASSES_ROOT\clsid\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\ProgID ReplaceSearch.ReplaceSearchCtl.1
HKEY_CLASSES_ROOT\clsid\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\TypeLib {B9C1DD92-B443-4BF1-B4C0-950E41A9F9F7}
HKEY_CLASSES_ROOT\clsid\{832BEBED-C3DA-4534-A2C2-B2FFF220C820}\VersionIndependentProgID ReplaceSearch.ReplaceSearchCtl
HKEY_CLASSES_ROOT\clsid\{832BEBED-C3DA-4534-A2C2-B2FFF220C820} ReplaceSearchCtl Class
HKEY_CLASSES_ROOT\ReplaceSearch.ReplaceSearchCtl
HKEY_CLASSES_ROOT\ReplaceSearch.ReplaceSearchCtl\CLSID {832BEBED-C3DA-4534-A2C2-B2FFF220C820}
HKEY_CLASSES_ROOT\ReplaceSearch.ReplaceSearchCtl\CurVer ReplaceSearch.ReplaceSearchCtl.1
HKEY_CLASSES_ROOT\ReplaceSearch.ReplaceSearchCtl ReplaceSearchCtl Class
HKEY_CLASSES_ROOT\ReplaceSearch.ReplaceSearchCtl.1
HKEY_CLASSES_ROOT\ReplaceSearch.ReplaceSearchCtl.1\CLSID {832BEBED-C3DA-4534-A2C2-B2FFF220C820}
HKEY_CLASSES_ROOT\ReplaceSearch.ReplaceSearchCtl.1 ReplaceSearchCtl Class


Mainpean Stardialer Dialer more information...
Details: Mainpean Stardialer is a dialer distributed by slsk.org, a faked SoulSeek domain.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\mainpean highspeed
HKEY_LOCAL_MACHINE\software\mainpean highspeed Pre 0
HKEY_LOCAL_MACHINE\software\mainpean highspeed PreNumber 0
HKEY_LOCAL_MACHINE\software\mainpean highspeed DeviceName WAN-Miniport (PPPOE)
HKEY_LOCAL_MACHINE\software\mainpean highspeed Country de
HKEY_LOCAL_MACHINE\software\mainpean highspeed Language Deu
HKEY_LOCAL_MACHINE\software\mainpean highspeed Machine 287549822


eDonkey2000 P2P more information...
Details: eDonkey2000 is a P2P file sharing program that bundles adware/spyware such as Webhancer, Web Search Toolbar and New.Net.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 G:\programme\edonkey\eDonkey2000\plugins\ed2kie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 ThreadingModel Both
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\TypeLib {379919F2-1612-45B7-B9F4-773F6D5214F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\VersionIndependentProgID eD2KDownloadManager.object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object


TargetSaver Trojan Downloader more information...
Details: TargetSaver is a process run at Windows startup, which opens pop-ups.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSL Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSL Installer NoRemove 1


InternetOffers Adware more information...
Details: InternetOffers displays popup advertisements with no attribution and installs without consent.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSL Installer NoRemove 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSL Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSL Installer NoRemove 1


Com.com Cookie more information...
Details: Redirects to cnet.com
Status: Deleted

Infected cookies detected
d:\dokumente und einstellungen\mein´s\cookies\mein´s@com[2].txt


DoubleClick Cookie more information...
Details: DoubleClick is a popular ad serving network that uses spyware cookies, to target advertising.
Status: Deleted

Infected cookies detected
d:\dokumente und einstellungen\mein´s\cookies\mein´s@doubleclick[1].txt


Mediaplex.com Cookie more information...
Details: Cookie used to track cross site advertising with the Mediaplex and value Click advertising companies.
Status: Deleted

Infected cookies detected
d:\dokumente und einstellungen\mein´s\cookies\mein´s@mediaplex[1].txt
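The CounterSpy report above mixes removed files, cookies and long runs of registry entries, and most of the registry lines are informational (ProgIDs, type libraries, update counters). What decides whether the machine can be called clean is the small set of entries that load code or start something: the Run key pointing at c:\winstall.exe, the Browser Helper Object CLSIDs, the URL search hook, the InprocServer32 paths to DLLs in System32. The following Python is an added example, not part of the thread and not CounterSpy's own tooling; it parses a report in this format and pulls out those persistence points so they can be re-checked after the reboot Sabina asks for. SAMPLE_REPORT is a constructed excerpt that copies a handful of lines from the report above.

```python
import re

# Constructed excerpt in the shape of the CounterSpy report above: three of its
# detections with a subset of their lines. It is not the full report.
SAMPLE_REPORT = r"""Spyware Scan Details
Start Date: 28.11.2005 18:46:54
End Date: 28.11.2005 19:01:56

Detected spyware

W32.Spybot.Worm Worm more information...
Status: Deleted

Infected files detected
c:\winstall.exe

Infected registry entries detected
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows installer


SearchForIt.AdShooter Adware more information...
Details: AdShooter is adware that downloads and displays advertisements.
Status: Deleted

Infected files detected
d:\windows\system32\sfi2.dll

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}\InprocServer32 D:\WINDOWS\System32\sfi2.dll
HKEY_CLASSES_ROOT\clsid\{c109664b-ceb1-420b-b353-d55a561536dd}\InprocServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5F3970B-745E-46AC-B890-E08F69777D80}


DoubleClick Cookie more information...
Status: Deleted

Infected cookies detected
d:\dokumente und einstellungen\mein´s\cookies\mein´s@doubleclick[1].txt
"""

# Section headers used by the report, mapped to the list they fill.
SECTION_HEADERS = {
    "Infected files detected": "files",
    "Infected registry entries detected": "registry",
    "Infected cookies detected": "cookies",
}


def parse_report(text):
    """Split a CounterSpy-style report into detections: one dict per
    '<label> more information...' block with its status, details and item lists."""
    detections, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("more information..."):
            current = {"label": line[: -len("more information...")].strip(),
                       "details": "", "status": "", "files": [], "registry": [], "cookies": []}
            detections.append(current)
            section = None
        elif current is None:
            continue  # scan header lines before the first detection
        elif line.startswith("Details:"):
            current["details"] = line[len("Details:"):].strip()
        elif line.startswith("Status:"):
            current["status"] = line[len("Status:"):].strip()
        elif line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
        elif not line:
            section = None  # a blank line ends an item list
        elif section:
            current[section].append(line)
    return detections


# Registry locations in the report that are persistence or code-loading points.
# Anything else (ProgIDs, TypeLib, counters, ThreadingModel) is informational.
PERSISTENCE_RULES = [
    (re.compile(r"\\CurrentVersion\\Run(Once)?(\s|$)", re.I), "autostart (Run key)"),
    (re.compile(r"\\Browser Helper Objects\\\{", re.I), "IE Browser Helper Object"),
    (re.compile(r"\\URLSearchHooks\\", re.I), "IE URL search hook"),
    (re.compile(r"\\Policies\\Explorer\s", re.I), "Explorer policy"),
    (re.compile(r"\\InprocServer32\s+[A-Za-z]:\\", re.I), "COM in-process server"),
]


def persistence_points(detections):
    """Return (label, mechanism, registry line) for every registry entry that
    matches one of the persistence rules; informational values are skipped."""
    found = []
    for det in detections:
        for entry in det["registry"]:
            for pattern, mechanism in PERSISTENCE_RULES:
                if pattern.search(entry):
                    found.append((det["label"], mechanism, entry))
                    break
    return found


def summarize_persistence(text):
    """Mechanism -> sorted unique registry lines across all detections (the same
    Run key is reported under several names in the report above, so deduplicate)."""
    summary = {}
    for _, mechanism, entry in persistence_points(parse_report(text)):
        summary.setdefault(mechanism, set()).add(entry)
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for mechanism, entries in summarize_persistence(SAMPLE_REPORT).items():
        print(mechanism)
        for entry in entries:
            print("   ", entry)
```

The short list this produces is what to compare against a fresh scan or HijackThis log after the restart: a Run key or BHO that comes back after "Status: Deleted" means something still on the disk is re-creating it, which is the question the thread is really trying to answer.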