bloodhound.w32.EP "caught"

#0
26.12.2005, 12:32
...new here

Posts: 6
#1 now it's got me ;)

If someone could help me remove this beast, I would be very grateful

here is my log file

Logfile of HijackThis v1.99.1
Scan saved at 12:31:14, on 26.12.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netgt.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
C:\Programme\Thomson Multimedia\Thomson Lyra Personal Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\DOKUME~1\oem\LOKALE~1\Temp\6.tmp.exe
C:\DOKUME~1\oem\LOKALE~1\Temp\7.tmp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
F:\Corel\Suite8\Programs\DAD8.EXE
C:\Dokumente und Einstellungen\oem\Lokale Einstellungen\Temp\Temporäres Verzeichnis 3 für hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\oem\Lokale Einstellungen\Temp\Temporäres Verzeichnis 4 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {BABD9DA6-1A9E-2FD5-636D-C0DB378E00C3} - C:\WINDOWS\syswx32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
O4 - HKLM\..\Run: [LyraPJProfiler] "C:\Programme\Thomson Multimedia\Thomson Lyra Personal Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NAVNet] "C:\WINDOWS\msxmidi.exe" /m
O4 - HKLM\..\Run: [6.tmp] C:\DOKUME~1\oem\LOKALE~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOKUME~1\oem\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [WinHound] C:\Programme\WinHound\WinHound.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOKUME~1\oem\LOKALE~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOKUME~1\oem\LOKALE~1\Temp\7.tmp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Corel DAD 8.LNK = F:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netgt.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Sptisrv.exe
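Added example, not code from the thread or from HijackThis: a small triage script that applies to a log of the format above the reading rules a helper applies by hand (res:// search pages, a nameless BHO in C:\WINDOWS, autoruns from Temp, O10 LSP hijacks, a vendor-less service with a garbage key name). The sample lines are copied from the first log; the rules themselves are assumptions written from that log, not a HijackThis feature.

```python
"""Triage a HijackThis 1.99 log with the rules a helper applies by hand.

Added example, not part of the thread or of HijackThis. Flags: start/search
pages redirected into a res:// DLL (R0/R1), a BHO with a placeholder name or
a DLL dropped straight into the Windows directory (O2), autoruns launched
from a Temp directory or the New.net loader (O4), Winsock LSP hijacks (O10)
and an 'Unknown owner' service whose key name is line noise (O23).
"""
import re

# Constructed sample: a few lines copied from the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {BABD9DA6-1A9E-2FD5-636D-C0DB378E00C3} - C:\WINDOWS\syswx32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOKUME~1\oem\LOKALE~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O10 - Hijacked Internet access by New.Net
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netgt.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO = re.compile(r"BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN = re.compile(r"(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
SERVICE = re.compile(
    r"Service: (?P<display>.*?)(?: \((?P<key>[^)]*)\))? - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.+)$"
)


def _flag_r(body):
    """R0/R1 are 'key,value = target'; a res:// target means IE's search and
    start pages are served out of a local DLL, the classic search hijacker."""
    if " = " not in body:
        return None
    target = body.split(" = ", 1)[1]
    if target.lower().startswith("res://"):
        return "search/start page redirected into a local DLL (res://)"
    return None


def _flag_o2(body):
    m = BHO.match(body)
    if not m:
        return None
    name, path = m.group("name").strip(), m.group("path")
    # Legitimate BHOs carry a class name and live under Program Files;
    # a nameless one loaded from C:\WINDOWS\<x>.dll is almost always dropped.
    in_windir_root = re.fullmatch(r"[A-Za-z]:\\WINDOWS\\[^\\]+", path, re.IGNORECASE)
    if name in ("", "Class") or in_windir_root:
        return "BHO with placeholder name or DLL dropped directly into the Windows directory"
    return None


def _flag_o4(body):
    m = RUN.match(body)
    if not m:
        return None
    cmd = m.group("cmd")
    if re.search(r"\\Temp\\", cmd, re.IGNORECASE):
        return "autorun launching an executable from a Temp directory"
    if re.search(r"rundll32 .*NEWDOT", cmd, re.IGNORECASE):
        return "New.net LSP client loaded at logon"
    return None


def _flag_o23(body):
    m = SERVICE.match(body)
    if not m:
        return None
    key = m.group("key") or ""
    # A vendor-less service is common (the ATI poller here); one whose key
    # name is non-printable junk behind a Windows-sounding display name is not.
    if m.group("owner") == "Unknown owner" and re.search(r"[^\w .-]", key):
        return "service without vendor and with a garbage key name"
    return None


def triage(log_text):
    """Return [(kind, reason, line)] for every entry that trips a rule."""
    handlers = {"R0": _flag_r, "R1": _flag_r, "O2": _flag_o2, "O4": _flag_o4, "O23": _flag_o23}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O10":
            reason = "Winsock LSP chain hijacked"
        else:
            handler = handlers.get(kind)
            reason = handler(body) if handler else None
        if reason:
            findings.append((kind, reason, line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```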
26.12.2005, 15:55
Honorary member
Sabina

Posts: 29434
#2 Dieterbr

LSPfix
http://www.spychecker.com/program/lspfix.html
tell me which dll you find
---------------------------------------------------------------------

Start -> Run --> type in: notepad -- click OK.
or, if the command doesn't work, open Notepad (the Editor)....

Then paste the following text into it:

Quote

rem a service name containing spaces must be quoted, otherwise sc only sees "Remote"
rem sc works on the service key name; if the display name is rejected (error 1060),
rem run: sc getkeyname "Remote Procedure Call (RPC) Helper" and use the name it returns
sc stop "Remote Procedure Call (RPC) Helper"
sc delete "Remote Procedure Call (RPC) Helper"
del C:\WINDOWS\system32\netgt.exe
del delete.bat
Save it on the desktop as "delete.bat". --> double-click


open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kmlvl.dll/sp.html#53142%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BABD9DA6-1A9E-2FD5-636D-C0DB378E00C3} - C:\WINDOWS\syswx32.dll
O4 - HKLM\..\Run: [NAVNet] "C:\WINDOWS\msxmidi.exe" /m
O4 - HKLM\..\Run: [6.tmp] C:\DOKUME~1\oem\LOKALE~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOKUME~1\oem\LOKALE~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [WinHound] C:\Programme\WinHound\WinHound.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOKUME~1\oem\LOKALE~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOKUME~1\oem\LOKALE~1\Temp\7.tmp.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netgt.exe

Restart the PC

run CleanUp as described on the page
http://virus-protect.org/cleanup.html

paste the 4 text files here (3 months is enough)
http://virus-protect.org/datfindbat.html

paste the scan report
http://virus-protect.org/artikel/tools/ADSSpy.exe
__________
Regards, Sabina

all about PC security
26.12.2005, 16:11
...new here

Thread starter

Posts: 6
#3 first of all, thanks for "looking after" me ;)

under "Keep" I see

4 files:

mswsock.dll
winrnr.dll
newdotnet6_98.dll
rsvpsp.dll


now I'll carry out the other steps you mentioned

back soon ;)
26.12.2005, 16:17
Honorary member
Sabina

Posts: 29434
#4 move the newdotnet6_98.dll from left to right and delete the dll.

then work through everything else
+
(report whether the bat file worked)
__________
Regards, Sabina

all about PC security
26.12.2005, 16:45
...new here

Thread starter

Posts: 6
#5 C:\WINDOWS\System32

23.12.2005 16:38 1.136 wpa.dbl
22.12.2005 09:08 3.567 cijtz.txt
04.12.2005 20:13 11.895 netgt.exe
04.12.2005 18:19 35.447 netui.exe
03.12.2005 16:48 8.464 sporder.dll
24.11.2005 17:19 13.581 vmrfk.log

30.10.2005 02:45 313.280 perfh009.dat
30.10.2005 02:45 40.998 perfc009.dat
30.10.2005 02:45 318.680 perfh007.dat
30.10.2005 02:45 49.424 perfc007.dat
30.10.2005 02:45 728.266 PerfStringBackup.INI

26.12.2005 16:39 16.384 ~DF9FF0.tmp
1 Datei(en) 16.384 Bytes
0 Verzeichnis(se), 1.076.756.480 Bytes frei
Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: B86D-2D41

Verzeichnis von C:\WINDOWS

26.12.2005 16:33 0 0.log
26.12.2005 16:32 4.544 ModemLog_Conexant SoftK56 Data Fax Modem.txt
26.12.2005 16:32 2.048 bootstat.dat
26.12.2005 16:31 31.998 SchedLgU.Txt
24.12.2005 09:27 3.584 uninstIU.exe
24.12.2005 09:27 1.430 warnhp.html
24.12.2005 00:53 23.166 stub3.ini
24.12.2005 00:42 22.711 stub2.ini
24.12.2005 00:31 22.854 stub1.ini
23.12.2005 19:51 197.761 ggupg.txt
18.12.2005 09:56 0 logs1.ini
13.12.2005 00:36 68.608 kmlvl.dll
12.12.2005 07:55 707 _default.pif
12.12.2005 07:55 8.107 xpsp1hfm.log
12.12.2005 07:55 4.111 Q311455.log
12.12.2005 07:55 481 Q308387.log

10.12.2005 18:18 3.251 mozver.dat
09.12.2005 23:32 25.153 CORELPF.LRS
09.12.2005 23:32 220 setuperr.log
09.12.2005 19:11 6.681 msxmidi.exe
08.12.2005 15:36 56.577 setupapi.log
04.12.2005 04:47 113 wmsetup.log
03.12.2005 16:52 182.272 NDNuninstall6_98.exe
03.12.2005 16:48 50.688 NDNuninstall6_38.exe
28.11.2005 23:08 133.791 iphx32.dll

18.11.2005 23:12 213.345 setupact.log
17.11.2005 12:41 50 wiaservc.log
17.11.2005 12:41 216 wiadebug.log
05.11.2005 19:38 63 setup.log
15.10.2005 14:15 0 nsreg.dat
15.10.2005 14:15 99.970 UninstallFirefox.exe

Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: B86D-2D41

Verzeichnis von C:\

26.12.2005 16:42 0 sys.txt
26.12.2005 16:41 7.750 system.txt
26.12.2005 16:40 281 systemtemp.txt
26.12.2005 16:35 95.926 system32.txt
26.12.2005 16:31 267.440.128 hiberfil.sys
26.12.2005 16:31 402.653.184 pagefile.sys
19.11.2005 17:24 41.250 hpfr5100.log


ADS Spy produced the following entries:

C:\WINDOWS\_default.pif : dvcjxu (3567 bytes)
C:\WINDOWS\_default.pif : kdrevr (197761 bytes)
C:\WINDOWS\_default.pif : mgdhcg (133791 bytes)
C:\WINDOWS\_default.pif : vwvxre (68608 bytes)
C:\WINDOWS\_default.pif : xioszt (11895 bytes)
C:\WINDOWS\CORELPF.LRS : ofytq (35447 bytes)
C:\WINDOWS\Q308387.log : ezlviz (11895 bytes)
C:\WINDOWS\Q311455.log : wadbck (35447 bytes)
C:\WINDOWS\setuperr.log : ieijm (133791 bytes)
C:\WINDOWS\xpsp1hfm.log : zbglzw (13581 bytes)



I think the bat file did work... but I'll post another HijackThis log file anyway:

Logfile of HijackThis v1.99.1
Scan saved at 16:45:45, on 26.12.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netgt.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
C:\Programme\Thomson Multimedia\Thomson Lyra Personal Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
F:\Corel\Suite8\Programs\DAD8.EXE
C:\Programme\Opera\Opera.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\oem\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {3454264C-8EDD-1CBD-6CD0-61768256790B} - C:\WINDOWS\iphx32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
O4 - HKLM\..\Run: [LyraPJProfiler] "C:\Programme\Thomson Multimedia\Thomson Lyra Personal Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Corel DAD 8.LNK = F:\Corel\Suite8\Programs\DAD8.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netgt.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Sptisrv.exe
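The stream sizes ADS Spy reported in the post above match, byte for byte, the sizes of files in the directory listing (3567 = cijtz.txt, 11895 = netgt.exe, 133791 = iphx32.dll, and so on). Added example, not code from the thread or from either tool: a script that parses both outputs and pairs each stream with the listed file of identical size. The listing headers and the file subset are constructed from the post, and equal size is assumed to indicate a copy (a hash comparison would confirm it).

```python
"""Match ADS Spy stream sizes against a datfind directory listing.

Added example, not part of the thread or of either tool. Every stream size
ADS Spy reported above equals the byte size of one of the recently dropped
files in the System32/WINDOWS listings, consistent with a dropper that parks
spare copies of its components in alternate data streams of harmless host
files. Equal size is only a heuristic; hashing stream and file would confirm.
"""
import re
from collections import defaultdict

# Constructed sample: directory headers plus a subset of lines from the listing above.
DIR_LISTING = r"""
Verzeichnis von C:\WINDOWS\System32

23.12.2005 16:38 1.136 wpa.dbl
22.12.2005 09:08 3.567 cijtz.txt
04.12.2005 20:13 11.895 netgt.exe
04.12.2005 18:19 35.447 netui.exe
24.11.2005 17:19 13.581 vmrfk.log
26.12.2005 16:39 16.384 ~DF9FF0.tmp
1 Datei(en) 16.384 Bytes

Verzeichnis von C:\WINDOWS

23.12.2005 19:51 197.761 ggupg.txt
13.12.2005 00:36 68.608 kmlvl.dll
12.12.2005 07:55 707 _default.pif
09.12.2005 19:11 6.681 msxmidi.exe
28.11.2005 23:08 133.791 iphx32.dll
"""

# Constructed sample: the ADS Spy lines posted above.
ADS_REPORT = r"""
C:\WINDOWS\_default.pif : dvcjxu (3567 bytes)
C:\WINDOWS\_default.pif : kdrevr (197761 bytes)
C:\WINDOWS\_default.pif : mgdhcg (133791 bytes)
C:\WINDOWS\_default.pif : vwvxre (68608 bytes)
C:\WINDOWS\_default.pif : xioszt (11895 bytes)
C:\WINDOWS\CORELPF.LRS : ofytq (35447 bytes)
C:\WINDOWS\Q308387.log : ezlviz (11895 bytes)
C:\WINDOWS\Q311455.log : wadbck (35447 bytes)
C:\WINDOWS\setuperr.log : ieijm (133791 bytes)
C:\WINDOWS\xpsp1hfm.log : zbglzw (13581 bytes)
"""

DIR_HEADER = re.compile(r"^Verzeichnis von (?P<dir>.+?)\s*$")
DIR_ENTRY = re.compile(r"^\d{2}\.\d{2}\.\d{4}\s+\d{2}:\d{2}\s+(?P<size>[\d.]+)\s+(?P<name>.+?)\s*$")
ADS_ENTRY = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)\s*$")


def parse_listing(text):
    """Return {size_in_bytes: [full paths]}; the listing writes sizes with
    the German thousands separator ('197.761'), which is stripped here."""
    by_size = defaultdict(list)
    current_dir = "?"
    for line in text.splitlines():
        h = DIR_HEADER.match(line)
        if h:
            current_dir = h.group("dir").rstrip("\\")
            continue
        e = DIR_ENTRY.match(line)
        if e:
            size = int(e.group("size").replace(".", ""))
            by_size[size].append(current_dir + "\\" + e.group("name"))
    return dict(by_size)


def parse_ads(text):
    """Return [(host_file, stream_name, size)] from ADS Spy output."""
    return [(m.group("host"), m.group("stream"), int(m.group("size")))
            for m in map(ADS_ENTRY.match, text.splitlines()) if m]


def correlate(listing_text, ads_text):
    """Map 'host:stream' to the listed files whose size is identical."""
    by_size = parse_listing(listing_text)
    return {f"{host}:{stream}": by_size.get(size, [])
            for host, stream, size in parse_ads(ads_text)}


def hidden_copies(listing_text, ads_text):
    """Files with at least one same-sized stream twin: the component set a
    cleanup has to remove both on disk and inside the streams."""
    twins = set()
    for files in correlate(listing_text, ads_text).values():
        twins.update(files)
    return sorted(twins)


if __name__ == "__main__":
    for key, files in correlate(DIR_LISTING, ADS_REPORT).items():
        print(f"{key:40} -> {', '.join(files) or 'no file of that size'}")
```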
26.12.2005, 17:28
Honorary member
Sabina

Posts: 29434
#6 delete the streams with the ADSSpy tool

C:\WINDOWS\_default.pif : dvcjxu (3567 bytes)
C:\WINDOWS\_default.pif : kdrevr (197761 bytes)
C:\WINDOWS\_default.pif : mgdhcg (133791 bytes)
C:\WINDOWS\_default.pif : vwvxre (68608 bytes)
C:\WINDOWS\_default.pif : xioszt (11895 bytes)
C:\WINDOWS\CORELPF.LRS : ofytq (35447 bytes)
C:\WINDOWS\Q308387.log : ezlviz (11895 bytes)
C:\WINDOWS\Q311455.log : wadbck (35447 bytes)
C:\WINDOWS\setuperr.log : ieijm (133791 bytes)
C:\WINDOWS\xpsp1hfm.log : zbglzw (13581 bytes)

----------------------------------------------------------------------
LSPfix
http://www.spychecker.com/program/lspfix.html
move the newdotnet6_98.dll from left to right and delete the dll.
as I can see in the HijackThis log, the dll is still in the Winsock

------------------------------------------------------------------------

uninstall:...if it doesn't work, tell me
C:\Programme\WinHound
New.net --> C:\PROGRA~1\NEWDOT...

uninstall; if that doesn't work, delete it under Programme (but the newdotnet6_98.dll must be deleted with LSPfix, otherwise you won't get onto the Internet any more)
-------------------------------------------------------------------------------

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot / Process all in List --> tick them
paste in:
...
and click the red cross; when asked "Do you want to reboot?" ---- click "no" and paste in the next one; only on the last one click "yes"

C:\WINDOWS\System32\cijtz.txt
C:\WINDOWS\System32\netgt.exe
C:\WINDOWS\System32\netui.exe
C:\WINDOWS\System32\sporder.dll
C:\WINDOWS\system32\netgt.exe
C:\WINDOWS\system32\vmrfk.log
C:\DOKUME~1\oem\LOKALE~1\Temp\6.tmp.exe
C:\DOKUME~1\oem\LOKALE~1\Temp\7.tmp.exe
C:\WINDOWS\syswx32.dll
C:\WINDOWS\uninstIU.exe
C:\WINDOWS\warnhp.html
C:\WINDOWS\stub3.ini
C:\WINDOWS\stub2.ini
C:\WINDOWS\stub1.ini
C:\WINDOWS\ggupg.txt
C:\WINDOWS\iphx32.dll
C:\WINDOWS\kmlvl.dll
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\NDNuninstall6_98.exe
C:\WINDOWS\NDNuninstall6_38.exe

Restart the PC

open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

O2 - BHO: Class - {3454264C-8EDD-1CBD-6CD0-61768256790B} - C:\WINDOWS\iphx32.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\netgt.exe

Restart the PC


post the log from WinPFind
http://virus-protect.org/winpfind.html
+
the log from Silentrunner
http://virus-protect.org/silentrunner.html

only after that do the virus scans begin ;)
__________
Regards, Sabina

all about PC security
26.12.2005, 18:55
...new here

Thread starter

Posts: 6
#7 WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 18.08.2001 12:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 15.11.2001 12:49:52 18432 C:\WINDOWS\SYSTEM32\oleext.dll
WinShutDown 14.04.1998 09:00:00 64000 C:\WINDOWS\SYSTEM32\PFAUTO8.DLL
WinShutDown 14.04.1998 09:00:00 68096 C:\WINDOWS\SYSTEM32\PRAUTO8.DLL
WinShutDown 14.04.1998 09:00:00 68096 C:\WINDOWS\SYSTEM32\QPAUTO8.DLL
Umonitor 18.08.2001 12:00:00 659456 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18.08.2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
WinShutDown 14.04.1998 09:00:00 72192 C:\WINDOWS\SYSTEM32\WPAUTO8.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
26.12.2005 18:06:12 S 2048 C:\WINDOWS\bootstat.dat
26.12.2005 18:07:40 H 1024 C:\WINDOWS\system32\config\default.LOG
26.12.2005 18:06:14 H 1024 C:\WINDOWS\system32\config\SAM.LOG
26.12.2005 18:06:50 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
26.12.2005 18:44:06 H 1024 C:\WINDOWS\system32\config\software.LOG
26.12.2005 18:06:52 H 1024 C:\WINDOWS\system32\config\system.LOG
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4TQNSTUZ\desktop.ini
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ECZGZFJD\desktop.ini
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KJSSST5X\desktop.ini
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\X05ZSGSP\desktop.ini
26.12.2005 18:06:16 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 18.08.2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 18.08.2001 12:00:00 563712 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 18.08.2001 12:00:00 133120 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 18.08.2001 12:00:00 152064 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 18.08.2001 12:00:00 295936 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 18.08.2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29.08.2002 02:41:00 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 18.08.2001 12:00:00 566272 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 18.08.2001 12:00:00 259072 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18.08.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 18.08.2001 12:00:00 111616 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intersil Corporation 17.01.2002 00:29:14 296022 C:\WINDOWS\SYSTEM32\PRISMCFG.cpl
Microsoft Corporation 18.08.2001 12:00:00 275456 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 18.08.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18.08.2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 18.08.2001 12:00:00 563712 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 18.08.2001 13:00:00 133120 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 18.08.2001 12:00:00 152064 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 18.08.2001 12:00:00 295936 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 18.08.2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29.08.2002 02:41:00 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 18.08.2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 12:00:00 566272 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18.08.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 12:00:00 259072 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18.08.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18.08.2001 12:00:00 111616 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 18.08.2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 18.08.2001 12:00:00 275456 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 18.08.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18.08.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
27.05.2004 17:17:16 481 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Corel DAD 8.LNK
22.08.2002 17:47:40 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
26.11.2003 20:43:14 1718 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
22.08.2002 17:37:48 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
22.08.2002 17:47:40 HS 84 C:\Dokumente und Einstellungen\oem\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
22.08.2002 17:37:48 HS 62 C:\Dokumente und Einstellungen\oem\Anwendungsdaten\desktop.ini
24.04.2005 11:56:34 39104 C:\Dokumente und Einstellungen\oem\Anwendungsdaten\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
= shellwp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = F:\Corel\Suite8\Programs\PFSE80.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = F:\Corel\Suite8\Programs\PFSE80.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Programme\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
ButtonText = @shdoclc.dll,-866 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CARPService carpserv.exe
LaunchApp Alaunch
ATIModeChange Ati2mdxx.exe
AtiPTA atiptaxx.exe
SynTPLpr C:\Programme\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Programme\Synaptics\SynTP\SynTPEnh.exe
NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
LManager C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
LyraPJProfiler "C:\Programme\Thomson Multimedia\Thomson Lyra Personal Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Software Update "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HP Component Manager "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 26.12.2005 18:47:13





And the other one:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"LaunchApp" = "Alaunch" ["Acer Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"LManager" = "C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE" ["Dritek System Inc."]
"LyraPJProfiler" = ""C:\Programme\Thomson Multimedia\Thomson Lyra Personal Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"" ["Thomson multimedia Inc."]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"HP Software Update" = ""C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Programme\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"DeviceDiscovery" = "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\SmartFTP\smarthook.dll" ["SmartFTP"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "F:\Corel\Suite8\Programs\PFSE80.DLL" ["Novell, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "F:\Corel\Suite8\Programs\PFSE80.DLL" ["Novell, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


Default executables:
--------------------

.SCR: HKLM\SOFTWARE\Classes\scrfile\shell\open\command\
INFECTION WARNING! "Default" = ""%1" /S "%3""



Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\oem\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "oem" & "All Users" startup folders:
-----------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Corel DAD 8" -> shortcut to: "F:\Corel\Suite8\Programs\DAD8.EXE" [null data]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Meinen Computer prüfen" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOKUME~1\ALLUSE~1\ANWEND~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, "C:\Programme\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 69 seconds, including 18 seconds for message boxes)
This post was last edited on 26.12.2005 at 19:03 by Dieterbr.
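The Run-key listings in the WinPFind and Silent Runners output above are what a helper reads first, and the same checks can be scripted. The following is an added example, not code from either tool and not part of any post in this thread: a small Python parser for Silent Runners' `"Name" = "command" [Company]` lines that extracts the launched program and flags the properties an analyst checks first: a bare file name with no directory (resolved through the loader's search order, so it can be shadowed), an unquoted path containing spaces (CreateProcess tries each space-delimited prefix first), a path under a Temp directory, an 8.3 short name, and a missing version/company tag. The sample lines are copied from the Silent Runners output in the thread; the `svchelper` entry is constructed for the demonstration and does not appear in the real log. Nothing on disk is inspected.

```python
import re
from dataclasses import dataclass, field

# One Silent Runners autostart line, e.g.
#   "NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
# The command itself may contain quotes, hence the greedy (.*) for it.
LINE_RE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<cmd>.*)" \[(?P<tag>[^\]]*)\]$')
# Unquoted command: the program ends at the first executable extension
# that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)", re.IGNORECASE)
# Tags Silent Runners prints instead of a company name when there is none.
NO_VERSION_TAGS = {"null data", "file not found", "empty string"}


@dataclass
class RunEntry:
    name: str
    command: str
    executable: str
    tag: str
    flags: list = field(default_factory=list)


def executable_from_command(cmd: str) -> str:
    """Program part of a command line: the quoted path, else up to the first
    executable extension, else (last resort) the first space-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage_entry(name: str, cmd: str, tag: str) -> RunEntry:
    exe = executable_from_command(cmd)
    entry = RunEntry(name, cmd, exe, tag.strip('"'))
    low = exe.lower()
    if not re.match(r"^[a-z]:\\", low):
        # Bare name: found through the loader's search order, so a same-named
        # file earlier in that order would run instead of the intended one.
        entry.flags.append("no-absolute-path")
    if not cmd.strip().startswith('"') and " " in exe:
        # CreateProcess tries each space-delimited prefix (C:\Programme.exe,
        # ...) before the full path, so a file planted at a prefix wins.
        entry.flags.append("unquoted-path-with-spaces")
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        entry.flags.append("temp-directory")
    if "~" in exe:
        entry.flags.append("8.3-short-name")
    if entry.tag in NO_VERSION_TAGS:
        entry.flags.append("no-version-info")
    return entry


def triage_log(text: str) -> list:
    """Parse every autostart line of a Silent Runners report; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(triage_entry(m["name"], m["cmd"], m["tag"]))
    return entries


def flagged(entries: list) -> list:
    return [e for e in entries if e.flags]


# Lines taken from the Silent Runners output in the thread, plus one
# CONSTRUCTED entry (svchelper) standing in for the kind of value an analyst
# is looking for; it is not in the real log.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"LaunchApp" = "Alaunch" ["Acer Inc."]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"DeviceDiscovery" = "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"svchelper" = "C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\svchelper.exe" [null data]
'''

if __name__ == "__main__":
    for e in flagged(triage_log(SAMPLE_LOG)):
        print(f"{e.name:16} {', '.join(e.flags):45} {e.executable}")
```

The flags are triage hints, not verdicts: vendor tools legitimately use bare names and 8.3 paths (CARPService and NAV Agent above are both benign), while an entry that combines a Temp directory with no version information is the pattern worth pulling the file for.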
26.12.2005, 20:32
Honorary member
Sabina

Posts: 29434
#8 SmitRem 2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

download --> boot into Safe Mode --> open the smitRem folder --> double-click RunThis.bat
wait until the scan has finished (the screen will turn blue; that is normal)
find smitfiles.txt and paste the text file into the thread

then post WinPFind again; I want to see whether oleext.dll was deleted or whether I have to instruct it manually
__________
Regards, Sabina

all about PC security
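The check asked for at the end of the post above (is oleext.dll gone, and did the wininet.dll replacement from dllcache take) can be scripted rather than read out of a second WinPFind log. The following is an added example, not smitRem's code and not part of any post in this thread. It assumes only the file names smitRem itself reports on (oleext.dll, oleadm.dll, wininet.old and dllcache\wininet.dll) and takes the system32 directory as a parameter, so it can be pointed at a live or offline copy or, as in the demo, at a constructed sample tree. Note the caveat in the docstring: two identical copies are not the same as a clean copy, which is why smitRem also checks the dllcache copy before using it.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Files smitRem reports on in the log: the two DLLs it removes and the
# backup it leaves behind until the reboot-time replacement of wininet.dll.
LEFTOVER_NAMES = ("oleext.dll", "oleadm.dll", "wininet.old")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_system32(system32: Path) -> dict:
    """Report which leftover files still exist under `system32` and whether the
    live wininet.dll is byte-identical to the dllcache copy (compared by
    SHA-256). Equality only proves the two copies agree; it does not prove
    either one is genuine, so a known-good hash or the Authenticode
    signature still has to be checked separately."""
    report = {
        "leftovers": [n for n in LEFTOVER_NAMES if (system32 / n).exists()],
        "wininet_sha256": None,
        "dllcache_sha256": None,
        "wininet_matches_dllcache": None,
    }
    live = system32 / "wininet.dll"
    cached = system32 / "dllcache" / "wininet.dll"
    if live.is_file():
        report["wininet_sha256"] = sha256_of(live)
    if cached.is_file():
        report["dllcache_sha256"] = sha256_of(cached)
    if report["wininet_sha256"] and report["dllcache_sha256"]:
        report["wininet_matches_dllcache"] = (
            report["wininet_sha256"] == report["dllcache_sha256"]
        )
    return report


def is_clean(report: dict) -> bool:
    """The state smitRem's 'Upon completion' section shows: nothing left over
    and wininet.dll equal to the dllcache copy."""
    return not report["leftovers"] and report["wininet_matches_dllcache"] is True


def build_sample_tree(infected: bool) -> Path:
    """CONSTRUCTED stand-in for a system32 directory so the check can be run
    offline; the file contents are placeholders, not real DLLs."""
    root = Path(tempfile.mkdtemp(prefix="sample_system32_"))
    (root / "dllcache").mkdir()
    genuine = b"MZ placeholder for the genuine wininet.dll"
    (root / "dllcache" / "wininet.dll").write_bytes(genuine)
    if infected:
        # A patched wininet.dll plus the oleext.dll smitRem found pre-run.
        (root / "wininet.dll").write_bytes(genuine + b"\x00 appended code")
        (root / "oleext.dll").write_bytes(b"MZ placeholder for oleext.dll")
    else:
        (root / "wininet.dll").write_bytes(genuine)
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree(infected=True)
    r = check_system32(target)
    print(f"{target}: clean={is_clean(r)} leftovers={r['leftovers']} "
          f"wininet_matches_dllcache={r['wininet_matches_dllcache']}")
```

Run it with the system32 directory as the only argument; without one it builds the constructed sample tree and reports on that. On a live machine wininet.dll is in use, which is why smitRem stages the replacement as wininet.old and finishes it on reboot; the script only verifies the result, it does not replace anything.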
27.12.2005, 17:42
...new here

Thread starter

Posts: 6
#9 So, here is the smitfiles.txt


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1184 'explorer.exe'
Killing PID 1184 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll INFECTED!! ;) Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! ;) ~~~~


Here is the WinPFind scan

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 18.08.2001 12:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown 14.04.1998 09:00:00 64000 C:\WINDOWS\SYSTEM32\PFAUTO8.DLL
WinShutDown 14.04.1998 09:00:00 68096 C:\WINDOWS\SYSTEM32\PRAUTO8.DLL
WinShutDown 14.04.1998 09:00:00 68096 C:\WINDOWS\SYSTEM32\QPAUTO8.DLL
Umonitor 18.08.2001 12:00:00 659456 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18.08.2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
WinShutDown 14.04.1998 09:00:00 72192 C:\WINDOWS\SYSTEM32\WPAUTO8.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
27.12.2005 17:39:18 S 2048 C:\WINDOWS\bootstat.dat
27.12.2005 17:41:08 H 1024 C:\WINDOWS\system32\config\default.LOG
27.12.2005 17:39:26 H 1024 C:\WINDOWS\system32\config\SAM.LOG
27.12.2005 17:40:26 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
27.12.2005 17:50:46 H 1024 C:\WINDOWS\system32\config\software.LOG
27.12.2005 17:40:26 H 1024 C:\WINDOWS\system32\config\system.LOG
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4TQNSTUZ\desktop.ini
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ECZGZFJD\desktop.ini
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KJSSST5X\desktop.ini
26.12.2005 16:33:02 HS 67 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\X05ZSGSP\desktop.ini
27.12.2005 17:39:26 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 18.08.2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 18.08.2001 12:00:00 563712 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 18.08.2001 12:00:00 133120 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 18.08.2001 12:00:00 152064 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 18.08.2001 12:00:00 295936 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 18.08.2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29.08.2002 02:41:00 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 18.08.2001 12:00:00 566272 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 18.08.2001 12:00:00 259072 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18.08.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 18.08.2001 12:00:00 111616 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intersil Corporation 17.01.2002 00:29:14 296022 C:\WINDOWS\SYSTEM32\PRISMCFG.cpl
Microsoft Corporation 18.08.2001 12:00:00 275456 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 18.08.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18.08.2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 18.08.2001 12:00:00 563712 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 18.08.2001 13:00:00 133120 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 18.08.2001 12:00:00 152064 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 18.08.2001 12:00:00 295936 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 18.08.2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29.08.2002 02:41:00 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 18.08.2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 12:00:00 566272 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18.08.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 12:00:00 259072 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18.08.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18.08.2001 12:00:00 111616 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 18.08.2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 18.08.2001 12:00:00 275456 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 18.08.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18.08.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
27.05.2004 17:17:16 481 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Corel DAD 8.LNK
22.08.2002 17:47:40 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
26.11.2003 20:43:14 1718 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
22.08.2002 17:37:48 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
22.08.2002 17:47:40 HS 84 C:\Dokumente und Einstellungen\oem\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
22.08.2002 17:37:48 HS 62 C:\Dokumente und Einstellungen\oem\Anwendungsdaten\desktop.ini
24.04.2005 11:56:34 39104 C:\Dokumente und Einstellungen\oem\Anwendungsdaten\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
= shellwp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = F:\Corel\Suite8\Programs\PFSE80.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
{797F3885-5429-11D4-8823-0050DA59922B} = C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = F:\Corel\Suite8\Programs\PFSE80.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Programme\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll
{855F3B16-6D32-4fe6-8A56-BBB695989046} = ICQ Toolbar : C:\Programme\ICQToolbar\toolbaru.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
ButtonText = @shdoclc.dll,-866 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll
{855F3B16-6D32-4FE6-8A56-BBB695989046} = ICQ Toolbar : C:\Programme\ICQToolbar\toolbaru.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CARPService carpserv.exe
LaunchApp Alaunch
ATIModeChange Ati2mdxx.exe
AtiPTA atiptaxx.exe
SynTPLpr C:\Programme\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Programme\Synaptics\SynTP\SynTPEnh.exe
NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
LManager C:\PROGRA~1\LAUNCH~1\CPLBBL16.EXE
LyraPJProfiler "C:\Programme\Thomson Multimedia\Thomson Lyra Personal Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Software Update "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HP Component Manager "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -trayboot

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 27.12.2005 17:52:27
This post was edited on 27.12.2005 at 17:53 by Dieterbr.
27.12.2005, 21:26
Honorary member
Sabina

Posts: 29434
#10 Dieterbr

Counterspy
http://virus-protect.org/counterspy.html
after the scan you have to choose between:
*Ignore
*Remove
*Quarantine
always choose Remove and restart the PC (then copy the scan report)
__________
Kind regards, Sabina

all about PC security
28.12.2005, 23:03
...new here

Thread starter

Posts: 6
#11 Spyware Scan Details
Start Date: 28.12.2005 22:19:41
End Date: 28.12.2005 22:51:49
Total Time: 32 mins 8 secs

Detected spyware

eDonkey2000 P2P more information...
Details: eDonkey2000 is a P2P file sharing program that bundles adware/spyware such as Webhancer, Web Search Toolbar and New.Net.
Status: Ignored

Infected files detected
c:\programme\edonkey2000\5.html
c:\programme\edonkey2000\blacklist.txt

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 C:\Programme\eDonkey2000\plugins\ed2kie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 ThreadingModel Both
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\TypeLib {379919F2-1612-45B7-B9F4-773F6D5214F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\VersionIndependentProgID eD2KDownloadManager.object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 DisplayName eDonkey2000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 UninstallString "C:\Programme\eDonkey2000\uninstall_eDonkey2000.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 DisplayIcon "C:\Programme\eDonkey2000\eDonkey2000.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 NoModify 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 NoRepair 1


Spyware.SearchAssistant Spyware more information...
Status: Deleted

Infected files detected
c:\dokumente und einstellungen\oem\favoriten\sites about\ab scissor.url
c:\dokumente und einstellungen\oem\favoriten\sites about\broadband comparison.url
c:\dokumente und einstellungen\oem\favoriten\sites about\credit counseling.url
c:\dokumente und einstellungen\oem\favoriten\sites about\credit report.url
c:\dokumente und einstellungen\oem\favoriten\sites about\crm software.url
c:\dokumente und einstellungen\oem\favoriten\sites about\debt credit card.url
c:\dokumente und einstellungen\oem\favoriten\sites about\escorts.url
c:\dokumente und einstellungen\oem\favoriten\sites about\fha.url
c:\dokumente und einstellungen\oem\favoriten\sites about\health insurance.url
c:\dokumente und einstellungen\oem\favoriten\sites about\help desk software.url
c:\dokumente und einstellungen\oem\favoriten\sites about\insurance home.url
c:\dokumente und einstellungen\oem\favoriten\sites about\loan for debt consolidation.url
c:\dokumente und einstellungen\oem\favoriten\sites about\loan for people with bad credit.url
c:\dokumente und einstellungen\oem\favoriten\sites about\marketing email.url
c:\dokumente und einstellungen\oem\favoriten\sites about\mortgage insurance.url
c:\dokumente und einstellungen\oem\favoriten\sites about\mortgage life insurance.url
c:\dokumente und einstellungen\oem\favoriten\sites about\nevada corporations.url
c:\dokumente und einstellungen\oem\favoriten\sites about\online betting site.url
c:\dokumente und einstellungen\oem\favoriten\sites about\online gambling casino.url
c:\dokumente und einstellungen\oem\favoriten\sites about\online instant loan.url
c:\dokumente und einstellungen\oem\favoriten\sites about\order phentermine.url
c:\dokumente und einstellungen\oem\favoriten\sites about\payroll advance.url
c:\dokumente und einstellungen\oem\favoriten\sites about\personal loans online.url
c:\dokumente und einstellungen\oem\favoriten\sites about\personal loans with bad credit.url
c:\dokumente und einstellungen\oem\favoriten\sites about\prescription drugs rx online.url
c:\dokumente und einstellungen\oem\favoriten\sites about\refinancing my mortgage.url
c:\dokumente und einstellungen\oem\favoriten\sites about\tahoe vacation rental.url
c:\dokumente und einstellungen\oem\favoriten\sites about\unsecured bad credit loans.url
c:\dokumente und einstellungen\oem\favoriten\sites about\videos.url
c:\dokumente und einstellungen\oem\favoriten\sites about\what is hydrocodone.url


Accoona.Toolbar Toolbar more information...
Details: The Accoona Toolbar is a Internet Explorer toolbar that is bundled and installed with other programs.
Status: Deleted

Infected files detected
c:\programme\accoona\quiesce.exe
c:\programme\accoona\tbquiesce.exe


Pot.WinHound Misc more information...
Details: WinHound is a rogue anti-spyware application and is typically installed as part of a drive by installation. WinHound will automatically scans a system for spyware infection and prompts user to register in order to clean the system.
Status: Deleted

Infected files detected
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP139\A0057864.dll
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP139\A0057869.exe
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP139\A0057870.dll

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound\WinHound InstallationID {B277B898-5F99-4E76-A3C3-163B27D87B70}
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound VersionInfo APP_VER=1.0.2.1 DATABASE_VER=1.0.2.1 DATE=17/12/05 SIGNATURES=55989
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound RegistrationUrl http://www.winhound.com/register/142.0.2
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound C:\Programme\WinHound
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound InstallDir C:\Programme\WinHound
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound DatabaseFile C:\Programme\WinHound\sig.dat
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound ResourceDll C:\Programme\WinHound\rc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound SCAN_DEPTH 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound SCAN_PRIORITY 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound QuarantineLocation C:\Programme\WinHound\Trash
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound MinOnStartup 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound ScanOnStartup 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound StartAtWinStartup 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound EnableRTMonitoring 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound AlwaysBlockChanges 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound AlwaysBlockWhenNoAV 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound PerformUpdate 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound UpdateInterval 3
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound MGuid {D1A4E2F8-9D3F-4236-BEF0-0A7CDE2FD74B}
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound\WinHound InstallationID {B277B898-5F99-4E76-A3C3-163B27D87B70}
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound VersionInfo APP_VER=1.0.2.1 DATABASE_VER=1.0.2.1 DATE=17/12/05 SIGNATURES=55989
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound RegistrationUrl http://www.winhound.com/register/142.0.2
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound C:\Programme\WinHound
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound InstallDir C:\Programme\WinHound
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound DatabaseFile C:\Programme\WinHound\sig.dat
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound ResourceDll C:\Programme\WinHound\rc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound SCAN_DEPTH 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound SCAN_PRIORITY 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound QuarantineLocation C:\Programme\WinHound\Trash
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound MinOnStartup 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound ScanOnStartup 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound StartAtWinStartup 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound EnableRTMonitoring 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound AlwaysBlockChanges 0
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound AlwaysBlockWhenNoAV 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound PerformUpdate 1
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound UpdateInterval 3
HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound MGuid {D1A4E2F8-9D3F-4236-BEF0-0A7CDE2FD74B}


CoolWebSearch Browser Hijacker more information...
Details: CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.
Status: Deleted

Infected files detected
c:\dokumente und einstellungen\oem\favoriten\only sex website.url
c:\dokumente und einstellungen\oem\favoriten\search the web.url
c:\dokumente und einstellungen\oem\favoriten\seven days of free porn.url


NewDotNet Browser Plug-in more information...
Details: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows’ Host file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.
Status: Deleted

Infected files detected
C:\!KillBox\NDNuninstall6_38.exe
C:\!KillBox\NDNuninstall6_98.exe
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP135\A0057656.dll
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP140\A0058195.exe
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP140\A0058209.exe
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP140\A0058212.exe
C:\WINDOWS\NDNuninstall6_98.exe


Overnet Adware Bundler more information...
Details: Overnet/eDonkey is a file sharing application that bundles third party adware and spyware with the free version.
Status: Ignored

Infected files detected
C:\Programme\eDonkey2000\Plugins\ed2kie.dll


Unclassified.Spyware.Loader Spyware more information...
Details: Spyware.Loader is spyware that is set to automatically start when Windows loads up by hiding itself in a number of different startup locations.
Status: Deleted

Infected files detected
C:\Programme\TM 420 screensaver\insthlp.dat


Claria Adware more information...
Details: Claria's Gator eWallet is an ad supported program that can automatically fill in passwords and other form-elements on Web pages.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
HKEY_CLASSES_ROOT\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} uets
HKEY_CLASSES_ROOT\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} GEF 64
HKEY_CLASSES_ROOT\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} GMG CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} uets
HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} GEF 64
HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} GMG CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\software\gator.com
HKEY_LOCAL_MACHINE\software\gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\software\gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB


Claria.DashBar Adware Installer more information...
Details: DashBar is an ad supported search toolbar from the GAIN Network.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} uets
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GEF 64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GMG CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} uets
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GEF 64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GMG CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB


gator Adware more information...
Details: Display pop up ads
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} uets
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GEF 64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GMG CBBDF56B-E582-47D7-84E3-64C1834E17DB


Claria.WeatherScope Adware Installer more information...
Details: WeatherScope is an ad supported application that displays the local temperature on your system tray. Clicking on the icon in the system tray opens the application, which then displays current weather conditions and forcasts.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB


Claria.PrecisionTime Adware Installer more information...
Details: Precision Time is an ad supported program that synchronizes your computer's clock with the US Atomic time at regular intervals.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} uets
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GEF 64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GMG CBBDF56B-E582-47D7-84E3-64C1834E17DB


Claria.DateManager Adware Installer more information...
Details: Date Manager is an adware program that runs in the system tray displaying the current date, can display a calendar and reminders.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} uets
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GEF 64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} GMG CBBDF56B-E582-47D7-84E3-64C1834E17DB


CWS.NS3 Browser Hijacker more information...
Details: This is a CoolWebSearch hijacker.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa DisplayName Home Search Assistent
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/HomeSearchAssistant.html"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se DisplayName Search Extender
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/SearchExtender.html"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw DisplayName Shopping Wizard
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/ShoppingWizard.html"


Looking-For.Home Search Assistant Browser Modifier more information...
Details: Home Search Assistant is an Internet Explorer browser helper object that was recently identified by the SpyNet community; research is currently under way to further identify its risks.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SW DisplayName Shopping Wizard
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 Service 11Fßä#·ºÄÖ`I
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 Class LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000 ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ 11Fßä#·ºÄÖ`I ObjectName LocalSystem


Claria.GAIN Adware more information...
Details: Claria's GAIN network consists of several applications inlcuding Gator eWallet, GotSmiley, ScreenSeenes, WebSecureAlert, DashBar, Weatherscope, Date Manager and Precision Time.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat Guid CBBDF56B-E582-47D7-84E3-64C1834E17DB
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn PdpFirstStart 841:NEW


CWS.AboutBlank Browser Hijacker more information...
Details: This is a CoolWebSearch hijacker.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/HomeSearchAssistant.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/SearchExtender.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE DisplayName Search Extender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/ShoppingWizard.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW DisplayName Shopping Wizard


Adw.PSGuard Adware more information...
Details: PSGuard is a fraudulent anti-spyware program which uses desktop advertising to scare users into paying for the product.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}


Trojan.intell32 Trojan more information...
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
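The report above still lists two detections at "Status: Ignored" (eDonkey2000 and Overnet), although post #10 asked for Remove in every case. The following Python script is an added example for this thread, not code from CounterSpy or from the forum: it parses a report in this layout, counts statuses, lists every detection that was not deleted, and flags files reported from System Restore snapshots (paths under System Volume Information\_restore). SAMPLE_REPORT is a constructed excerpt in the posted report's layout; names and paths are copied from the report, the Details text is shortened.

```python
"""Check a CounterSpy-style "Spyware Scan Details" report for detections that
were not actually removed. Added example for this thread; not CounterSpy code."""
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the report posted above (names and paths
# copied from it, Details text shortened). The parser only relies on the layout.
SAMPLE_REPORT = r"""Spyware Scan Details
Start Date: 28.12.2005 22:19:41
End Date: 28.12.2005 22:51:49
Total Time: 32 mins 8 secs

Detected spyware

eDonkey2000 P2P more information...
Details: eDonkey2000 is a P2P file sharing program that bundles adware/spyware.
Status: Ignored

Infected files detected
c:\programme\edonkey2000\5.html
c:\programme\edonkey2000\blacklist.txt

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}


Accoona.Toolbar Toolbar more information...
Details: The Accoona Toolbar is a Internet Explorer toolbar.
Status: Deleted

Infected files detected
c:\programme\accoona\quiesce.exe


Pot.WinHound Misc more information...
Status: Deleted

Infected files detected
C:\System Volume Information\_restore{03B785E4-7911-4769-A5B9-0000D3AE5130}\RP139\A0057864.dll
"""

HEADER_SUFFIX = " more information..."   # every detection block starts with "<name> more information..."
REMOVED_STATUSES = {"deleted", "removed", "quarantined"}
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Detection:
    name: str
    status: str = "Unknown"
    details: str = ""
    files: list = field(default_factory=list)
    registry: list = field(default_factory=list)


def parse_report(text: str) -> list:
    """Split the report into Detection records.

    A block begins at a "... more information..." line; "Infected files detected"
    and "Infected registry entries detected" open lists that run until the next
    blank line. Everything before the first block (dates, totals) is skipped.
    """
    detections, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None                  # a blank line closes a file/registry list
        elif line.endswith(HEADER_SUFFIX):
            current = Detection(name=line[: -len(HEADER_SUFFIX)].strip())
            detections.append(current)
            section = None
        elif current is None:
            continue                        # report preamble
        elif line.startswith("Details:"):
            current.details = line[len("Details:"):].strip()
        elif line.startswith("Status:"):
            current.status = line[len("Status:"):].strip()
        elif line == "Infected files detected":
            section = "files"
        elif line == "Infected registry entries detected":
            section = "registry"
        elif section == "files":
            current.files.append(line)
        elif section == "registry":
            current.registry.append(line)
    return detections


def status_counts(detections: list) -> dict:
    """How many detections ended in each status (e.g. Deleted vs Ignored)."""
    counts = {}
    for d in detections:
        counts[d.status] = counts.get(d.status, 0) + 1
    return counts


def not_removed(detections: list) -> list:
    """Names of detections the user left in place (Ignored or any other non-final status)."""
    return [d.name for d in detections if d.status.lower() not in REMOVED_STATUSES]


def restore_point_hits(detections: list) -> list:
    """Files reported from System Restore snapshots (_restore under System Volume Information)."""
    return [p for d in detections for p in d.files if RESTORE_MARKER in p.lower()]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("status counts:", status_counts(found))
    print("not removed:", not_removed(found))
    print("restore-point copies:", restore_point_hits(found))
```

Run it against a full report pasted into SAMPLE_REPORT (or read from a file) to get the list of detections that still need a Remove pass, and the restore-point copies that explain why the helper's next step is to clear System Restore.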
28.12.2005, 23:24
Honorary member
Sabina

Posts: 29434
#12 Dieterbr

disable System Restore...then enable it again
http://virus-protect.org/systemwiederherstellung.html


http://virus-protect.org/multiavtool.html
click "3" McAfee -- an empty DOS window appears.
- you have to enter what is to be scanned

- C:\Windows\System32 then the scan starts; you should then also have it scan:
- C:\Windows
- C:\
------------------------------------------------------------------
post the logs ;)



Info
http://virus-protect.org/artikel/spyware/trojanagenteo.html
__________
Kind regards, Sabina

all about PC security