Flut unerwünschter Pop-Ups ("www210.paypopup.com" & "/normal/yyy102.html") |
||
---|---|---|
#0
| ||
23.11.2005, 23:22
...neu hier
Beiträge: 1 |
||
|
||
24.11.2005, 13:17
Ehrenmitglied
Beiträge: 29434 |
#2
Hallo@PatrickM
hier ist nicht mehr viel zu retten...du musst formatieren
O4 - HKLM\..\Run: [gfmwsx] C:\WINDOWS\SYSTEM\JNQUXU.EXE
O4 - HKLM\..\Run: [kdj3s9au] C:\WINDOWS\SYSTEM\kdj3s9au.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\PROGRAMME\SURFACCURACY\SACC.EXE
O4 - HKLM\..\Run: [MSRESEARCH] C:\WINDOWS\MSRESEARCH.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
O4 - HKCU\..\Run: [Dpat] C:\WINDOWS\Anwendungsdaten\asat.exe
O4 - HKCU\..\Run: [Qcggyrv] C:\WINDOWS\SYSTEM\jmmmkezh.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\STUBINSTALLER5975.EXE"
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O21 - SSODL: System - {BB8FECC0-CF4E-11D8-9631-00E07DA03664} - C:\WINDOWS\system32\system32.dll (file missing)
__________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
01.12.2005, 15:42
...neu hier
Beiträge: 3 |
#3
So so
hatte ebend das gleiche Problem. Kommt aber über ad.firstadsolution.com !!!!!!!!!!!!!!!!!!! ACHTUNG !!!!!!!!!!!!!!!!!!!!!!!!!!! http://ad.firstadsolution.com/rmtag2.js !!!!!!!!!!!!!!!!!!! ACHTUNG !!!!!!!!!!!!!!!!!!!!!!!!!!! das : /* url letter codes: rm_click_url = c rm_entity_id = e rm_network_id = n rm_publisher_code = e rm_dummy_mode = d rm_site_id = i rm_site_code = I rm_invalid_media_types = m rm_promote_sizes = p rm_section_id = s rm_section_code = S rm_show_detail = v rm_publisher_redirect = x rm_banned_pop_types = y rm_size_id = z rm_creative_id = cr rm_segment = g rm_prepopped_width = w rm_prepopped_height = h if rm_iframe_tags t = 3 u = window/browser url */ var url_id, context_id; var rm_host, rm_creative_id, rm_section_id, rm_section_code, rm_site_id, rm_site_code, rm_network_id, rm_publisher_code ; var rm_entity_id, rm_banned_pop_types, rm_invalid_media_types, rm_pub_redirect, rm_pub_redirect_dont_encode, rm_click_url ; var rm_promote_sizes, rm_promote_sizes_110, rm_promote_sizes_46 ; var rm_prepopped_width, rm_prepopped_height ; var rm_debug_tag, rm_dummy_mode, rm_show_detail, rm_image_tags, rm_iframe_tags, rm_iframe_w, rm_iframe_h ; var RM_COOKIE_NAME = 'ym_pop_freq' ; // Check that required variables are defined if (!rm_host) { rm_host = "http://ad.yieldmanager.com" ; } if (!rm_invalid_media_types) { var rm_invalid_media_types = 0 ; } // Check for Flash // Set variable for Flash player version var flash_version = 0; if (flashIntalledCookieExists()) { // If cookie exists, get the value of the cookie flash_version = flashIntalledCookieExists(); } else { // Check for flash player var flash = new Object(); flash = flashDetection(); if (flash.installed == true) { writeFlashInstalledCookie(flash.version); flash_version = flash.version; } else { // If no flash player, write cookie with value == 0 writeFlashInstalledCookie(0); } } function rmShowAd(size) { var bad_reason ; var original_size = size ; var rm_ad_size = rmGetSize(size) ; if (rm_ad_size < 0) { 
document.write('bad ad tag: invalid size') ; return ; } else if (!rm_section_id && !rm_section_code && !rm_publisher_code) { document.write('bad ad tag: no section_id, section_code, or publisher_code') ; return ; } if (size.indexOf("/") > -1) { size = size.split("/")[1]; } var rm_size_arr = size.split("x") ; var rm_w = rm_size_arr[0] ; var rm_h = rm_size_arr[1] ; rm_url = rm_host + "/imp?z=" + rm_ad_size ; rm_url += rmGetQueryParameters(original_size) ; if (rm_iframe_tags) { rm_tag_src = '<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=' + rm_w + ' HEIGHT=' + rm_h + ' SRC="' + rm_url + '"><\/IFRAME>' ; } else if (rm_image_tags) { rm_image_click_url = rm_host + "/imageclick?z=" + rm_ad_size ; rm_image_click_url += rmGetQueryParameters(original_size); rm_tag_src = '<A HREF="' + rm_image_click_url + '&rid=[TIMESTAMP]"><IMG WIDTH="' + rm_w + '" HEIGHT="' + rm_h + '" SRC="' + rm_url + '&rid=[TIMESTAMP]" /></A>'; } else { rm_tag_src = '<SCRIPT TYPE="text/javascript" SRC="' + rm_url + '"><\/SCRIPT>' ; } if (!rm_debug_tag) { document.write(rm_tag_src) ; } else { rm_tag_src = rmReplace(rm_tag_src, '<', '<') ; rm_tag_src = rmReplace(rm_tag_src, '>', '>') ; document.write('' + rm_tag_src + '') ; } } function rmShowPop(pop) { if (!rm_section_id && !rm_section_code && !rm_publisher_code) { document.write('bad ad tag: no section_id, section_code, or publisher_code') ; return ; } rm_iframe_tags = false ; //make sure we can show pops if(rm_pop_frequency) { var pop_id = '' ; if (rm_section_id) { pop_id = rm_section_id ; } else if (rm_section_code) { pop_id = rm_section_code ; } else if (rm_publisher_code) { pop_id = rm_publisher_code ; } if(!rmCanShowPop(pop_id, rm_pop_frequency)) { if(rm_debug_tag) document.write('frequency cap exceeded'); return ; } } rm_url = rm_host + "/imp?z=0" ; rm_url += rmGetQueryParameters() ; if (rm_banned_pop_types) { rm_url += "&y=" + rm_banned_pop_types ; } if (rm_prepopped_width) { rm_url += "&w=" + rm_prepopped_width; } if 
(rm_prepopped_height) { rm_url += "&h=" + rm_prepopped_height; } if (rm_iframe_tags) { rm_tag_src = '<IFRAME frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="position:absolute; left:1px" WIDTH=1 HEIGHT=1 SRC="' + rm_url + '"></IFRAME>' ; } else { rm_tag_src = '<SCRIPT TYPE="text/javascript" SRC="' + rm_url + '"><\/SCRIPT>' ; } if (!rm_debug_tag) { document.write(rm_tag_src) ; } else { rm_tag_src = rmReplace(rm_tag_src, '<', '<') ; rm_tag_src = rmReplace(rm_tag_src, '>', '>') ; document.write('' + rm_tag_src + '') ; } } function rmGetQueryParameters(size) { var rm_url = '' ; if (rm_network_id) { rm_url += "&n=" + rm_network_id ; if (rm_publisher_code) { rm_url += "&E=" + rm_publisher_code ; } if (rm_site_code) { rm_url += "&I=" + rm_site_code ; } if (rm_section_code) { rm_url += "&S=" + rm_section_code ; } } else { if (rm_entity_id) { rm_url += "&e=" + rm_entity_id ; } if (rm_publisher_code) { rm_url += "&E=" + rm_publisher_code ; } if (rm_site_id) { rm_url += "&i=" + rm_site_id ; } else if (rm_site_code) { rm_url += "&I=" + rm_site_code ; } if (rm_section_id) { rm_url += "&s=" + rm_section_id ; } else { rm_url += "&S=" + rm_section_code ; } } if (rm_iframe_tags) { rm_url += "&t=3" ; } else if(rm_image_tags) { rm_url += "&t=2" ; } if (rm_promote_sizes) { rm_url += "&p=1"; } else if (rm_promote_sizes_110 && size == "120x600/160x600") { rm_url += "&p=1"; } else if (rm_promote_sizes_46 && size == "468x60/728x90") { rm_url += "&p=1"; } if (rm_invalid_media_types) { //if flash_version is set then we know flash media type is not unwanted if ((flash_version) && (flash_version == 0)) { //add flash to invalid media types (+ 2) rm_invalid_media_types = rm_invalid_media_types + 2; } //otherwise flash is already unwanted so no need to add to m rm_url += "&m=" + rm_invalid_media_types ; } else if (flash_version == 0) { rm_url += "&m=2"; } if (rm_dummy_mode) { rm_url += "&d=" + rm_dummy_mode ; } if (rm_show_detail) { rm_url += "&v=" + rm_show_detail ; } if 
(rm_pub_redirect_dont_encode) { // Do nothing. } else { rm_pub_redirect_dont_encode = 0 ; } if (rm_pub_redirect) { rm_url += "&x=" + rmGetPubRedirect(rm_pub_redirect_dont_encode) ; } if (rm_click_url) { rm_url += "&c=" + rmGetClickUrl() ; } if (!rm_debug_tag) { rm_url += "&u=" + rmGetWindowUrl() ; } // check for root frame if (top == self) { rm_url += "&r=1" ; } else { rm_url += "&r=0" ; } // detect the AskJeeves toolbar and insert querystring targetting info try { oAJ=eval("new ActiveXObject('AskJeevesToolbar.SettingsPlugin.1')") ; if (oAJ) { rm_url += "&ajt=1"; } } catch(e) {} return rm_url ; } function rmGetSize(size) { if (size.indexOf("pop") > -1) return 0 ; else if (size == "120x600") return 1 ; else if (size == "300x250") return 2 ; else if (size == "336x280") return 3 ; else if (size == "468x60") return 4 ; else if (size == "550x150") return 5 ; else if (size.indexOf("728x90") > -1) return 6 ; // size 7 is static textlink else if (size == "700x300") return 8 ; // size 9 is dynamic textlink else if (size.indexOf("160x600") > -1) return 10 ; // size 11 is unused else if (size == "125x125") return 12 ; else if (size == "234x60") return 13 ; else if (size == "120x240") return 14 ; else if (size == "180x150") return 15 ; else if (size == "300x600") return 16 ; else if (size == "100x25") return 17 ; else if (size == "710x30") return 18 ; else if (size == "720x300") return 19 ; else if (size == "300x200") return 20 ; else if (size == "72x50") return 21 ; else if (size == "125x90") return 22 ; else if (size == "120x90") return 23 ; else if (size == "520x31") return 24 ; else if (size == "300x400") return 25 ; else if (size == "460x31") return 26 ; else if (size == "503x140") return 27 ; else if (size == "250x400") return 28 ; else if (size == "200x200") return 29 ; else if (size == "250x250") return 30 ; else if (size == "468x250") return 31 ; else if (size == "500x350") return 32 ; else if (size == "425x600") return 33 ; else if (size == "140x60") return 34 ; else 
if (size == "120x60") return 35 ; else return -1 ; } function rmGetWindowUrl() { var url = '' ; try { url = encodeURIComponent(top.location.href) ; // Only take first 100 characters. url = url.substr(0, 100) ; } catch(e) {} return url ; } function rmGetPubRedirect(add_dollar) { var url = rm_pub_redirect ; if (add_dollar == 0) { return encodeURIComponent(url) ; } else { return encodeURIComponent(url + '$') ; } } function rmGetClickUrl() { var url = rm_click_url ; return encodeURIComponent(url) ; } function rmReplace(myString, toReplace, replaceBy) { return (myString.replace(new RegExp(toReplace, 'gi'), replaceBy)) ; } function rmTrim(str) { if(str != null) return str.replace(/^\s+/,'').replace(/\s+$/,'') ; } function rmUrlEncode(txt) { var SAFECHARS = "0123456789" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "-_.!~*'()" ; var HEX = "0123456789ABCDEF" ; var plaintext = txt ; var encoded = "" ; for (var i = 0; i < plaintext.length; i++ ) { var ch = plaintext.charAt(i) ; if (ch == " ") { encoded += "+" ; } else if (SAFECHARS.indexOf(ch) != -1) { encoded += ch ; } else { var charCode = ch.charCodeAt(0) ; if (charCode > 255) { encoded += "+" ; } else { encoded += "%" ; encoded += HEX.charAt((charCode >> 4) & 0xF) ; encoded += HEX.charAt(charCode & 0xF) ; } } } return encoded ; }; function rmCanShowPop(section_id, pop_frequency) { // Have to look for cookie with this site_id. if(rmCookieExists(section_id) == false) { // This cookie doesn't exist, // so we CAN show the pop. ret = true ; // We are going to show a pop, // so reset cookie. 
rmWritePopFrequencyCookie(section_id, pop_frequency) ; return true ; } else { return false ; } } function rmCookieExists(section_id) { var cookieName = RM_COOKIE_NAME + section_id ; if(rmGetCookie(cookieName) == null) { return false ; } else { return true ; } } function rmWritePopFrequencyCookie(section_id, pop_frequency) { var cookieName = RM_COOKIE_NAME + section_id ; var today = new Date() ; var expires = new Date() ; expires.setTime(today.getTime() + (1000 * pop_frequency)) ; var cookieText = cookieName + "=1;" + "expires=" + expires.toGMTString() + ";" ; document.cookie = cookieText ; return null ; } function flashIntalledCookieExists() { var cookieName = "flashInstalled" ; if(rmGetCookie(cookieName) == null) { return false ; } else { return rmGetCookie(cookieName) ; } } function writeFlashInstalledCookie(version) { var cookieName = "flashInstalled" ; var numdays = 14 ; var today = new Date() ; var expires = new Date() ; expires.setTime(today.getTime() + (1000 * 60 *60*24*numdays)) ; var cookieText = cookieName + "=" + version + "expires=" + expires.toGMTString() + ";" ; document.cookie = cookieText ; return null ; } function flashDetection() { var flash=new Object() ; flash.installed=false ; flash.version='0.0' ; if (navigator.plugins && navigator.plugins.length) { for (x=0; x<navigator.plugins.length; x++) { if (navigator.plugins[x].name.indexOf('Shockwave Flash') != -1) { flash.version=navigator.plugins[x].description.split('Shockwave Flash ')[1] ; flash.installed=true ; break ; } } } else if (window.ActiveXObject) { for (x=2; x<10; x++) { try { oFlash=eval("new ActiveXObject('ShockwaveFlash.ShockwaveFlash."+x+"');") ; if (oFlash) { flash.installed=true ; flash.version=x+'.0' ; } } catch(e) {} } } return flash ; } // Returns null if cookie doesn't exist. // Returns cookie value if it exists. 
function rmGetCookie(Name) { var search = Name + "=" ; var CookieString = document.cookie ; var result = null ; if(CookieString.length > 0) { offset = CookieString.indexOf(search) ; if(offset != -1) { offset += search.length ; end = CookieString.indexOf(";", offset) ; if(end == -1) { end = CookieString.length ; } result = unescape(CookieString.substring(offset, end)) ; } } return result ; } Script versteckt mit dem er über diese Paypopup wohl versucht Geld zu verdienen. Glaube war in einem Popup von soner Universitätsseite drin Dieser Beitrag wurde am 01.12.2005 um 16:10 Uhr von Toneye editiert.
|
|
|
||
01.12.2005, 16:39
Ehrenmitglied
Beiträge: 29434 |
#4
man sollte diesen Leuten, die solche Scripts erstellen und in Umlauf bringen die H... ab......damit sie an keinen PC mehr rankommen (Entschuldige den Wutausbruch)
--------------------- also immer ActiveX deaktiviert halten und die Sicherheitseinstellungen unter „Internetoptionen“ auf „Hoch“ stellen. Siehe: Browser-Sicherheit, Internet Explorer, Sicherheitsstufen: http://virus-protect.org/ie.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
01.12.2005, 16:56
...neu hier
Beiträge: 3 |
#5
wohl wahr ;-)
habe gerade festgestellt, dass das mit nem Cookie von ad-w-a-r-e.com jedesmal neu ausgelöst wird |
|
|
||
03.12.2005, 00:38
Ehrenmitglied
Beiträge: 29434 |
#6
ein Cookie beinhaltet ein JavaScript?
Ich verstehe leider zu wenig davon (wie Cookies aufgebaut sind...)...aber kann das sein? __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
03.12.2005, 02:57
Member
Beiträge: 4730 |
#7
Cookies sind eigentlich nur dazu da, von der Webseite verändert und ausgelesen zu werden, die sie gesetzt hat. JavaScript in Cookies wäre mir neu, aber vielleicht meint Toneye auch was anderes?
Was natürlich sein kann: Der Pfad zur JavaScript-Datei ist im Cookie gespeichert, und bei Bedarf wird der Pfad ausgelesen und die Datei von dort geladen und ausgeführt... __________ Dies ist eine Signatur! Persönlicher Service: Du kommst aus Berlin? Dann melde Dich per PN bei mir, evtl. können wir einen Termin vereinbaren. Der Grabsteinschubser |
|
|
||
03.12.2005, 04:35
...neu hier
Beiträge: 3 |
#8
Zitat: „Was natürlich sein kann:“ Ja, das in etwa meinte ich, denn bei mir wird bei Internetstart eine Datei (wahrscheinlich Cookie oder auch ActiveX) von ad-w-a-r-e.com ausgelesen, die dann eigentlich die nervigen Popups starten soll (wird aber von spyware geblockt). Läuft bei mir nur noch, weil mich interessiert, wen ich dafür zur Verantwortung ziehen könnte, und dafür benötige ich halt auch diese Steuerungs-/Aktivierungs-Datei. Da wird wohl die "erste Anzeigenlösung" (firstadsolution) bald mit den ersten Privatlösungen in Anzeigenform rechnen können ;-) |
|
|
||
Mein Mozilla öffnet seit ein paar Tagen alle 5 Minuten ein neues Fenster mit einer Werbeseite, meistens mit "www210.paypopup.com" oder "/normal/yyy102.html" in der Adresse.
Ad-Aware und Spy-Bot melden mir darüber hinaus eine Flut von 40 oder 50 Registry Keys und Registry Values, die zwar angeblich behoben werden, die aber beim nächsten Check wieder auftauchen.
Die Registry wäre mir ja eigentlich egal, solange normales Arbeiten am PC ohne ständige Unterbrechungen noch möglich wäre.
Hier jedenfalls mein HijackThis-Log:
Logfile of HijackThis v1.99.1
Scan saved at 23:04:00, on 23.11.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAMME\WINAMP3\WINAMPA.EXE
C:\WINDOWS\SYSTEM\JNQUXU.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\KDJ3S9AU.EXE
C:\PROGRAMME\SURFACCURACY\SACC.EXE
C:\PROGRAMME\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAMME\WINZIP\WZQKPICK.EXE
C:\PROGRAMME\TRUST\250S SERIES\LWBWHEEL.EXE
C:\PROGRAMME\WINAMP3\WINAMP3.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMME\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/130/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/130/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/130/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/130/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-control.com/srh/130/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-control.com/srh/130/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-control.com/srh/130/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programme\ICQ\NDetect.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [gfmwsx] C:\WINDOWS\SYSTEM\JNQUXU.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [kdj3s9au] C:\WINDOWS\SYSTEM\kdj3s9au.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\PROGRAMME\SURFACCURACY\SACC.EXE
O4 - HKLM\..\Run: [MSRESEARCH] C:\WINDOWS\MSRESEARCH.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\wininet.exe
O4 - HKCU\..\Run: [Dpat] C:\WINDOWS\Anwendungsdaten\asat.exe
O4 - HKCU\..\Run: [Qcggyrv] C:\WINDOWS\SYSTEM\jmmmkezh.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\STUBINSTALLER5975.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Programme\Winzip\WZQKPICK.EXE
O4 - Startup: Trust Ami Mouse 250S Series 1.2 (2).lnk = C:\Programme\Trust\250S Series\LwbWheel.exe
O4 - Startup: Winamp (2).lnk = C:\Programme\Winamp3\winamp3.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/de/win/QuickTimeFullInstaller.exe
O21 - SSODL: System - {BB8FECC0-CF4E-11D8-9631-00E07DA03664} - C:\WINDOWS\system32\system32.dll (file missing)
Vielen Dank im Voraus!
Patrick