Worm/ Eyeveg.m.5.B

#1 Hallo!
Mein Virenscanner AntiVir hat einen Wurm entdeckt, der sich nicht löschen lässt.
Hab auch gleich mal die Ergebnisse von Hijackthis mit dabei!

Hoffentlich kann mir jemand helfen??!!!

Logfile of HijackThis v1.99.1
Scan saved at 21:44:31, on 30.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\BearShare\BearShare.exe
C:\Programme\ScanSoft\OmniPageSE\opware32.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\eDonkey2000\eDonkey2000.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Gemeinsame Dateien\Windows\services32.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programme\XoftSpy\XoftSpy.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\ArcorOnline\Arcor.exe
C:\Programme\WinRAR\WinRAR.exe
C:\Dokumente und Einstellungen\Tobias\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [eDonkey2000] C:\Programme\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [stnospy] C:\Programme\SinEspias\no-spy.exe /autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [services32] C:\Programme\Gemeinsame Dateien\Windows\mc-110-12-0000137.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {D3AB14DA-6183-4CBA-8600-D69AFAFA917F} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {D3AB14DA-6183-4CBA-8600-D69AFAFA917F} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF164096-9BAD-4717-8C08-A382FE34C6B9}: NameServer = 195.50.140.252 195.50.140.114
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe

#2 Maggie

Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als list.bat mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.--> die list.bat doppelt klicken--> kopiere den Text, der erscheint

cd\
dir "C:\Programme\Gemeinsame Dateien\Windows" >> files.txt
dir "C:\Programme\Gemeinsame Dateien" >> files.txt
notepad files.txt


----------------------------------
Maxifiles
http://virus-protect.org/artikel/spyware/maxifiles.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hallo und gutes Neues!
das hats mir ausgespuckt.


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D440-EDBC

Verzeichnis von C:\Programme\Gemeinsame Dateien\Windows

..
04.02.2004 14:06 45.136 psapi.dll
1 Datei(en) 45.136 Bytes
2 Verzeichnis(se), 6.842.900.480 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D440-EDBC

Verzeichnis von C:\Programme\Gemeinsame Dateien

31.12.2005 16:37 .
31.12.2005 16:37 ..
03.12.2005 19:42 Adobe
02.11.2005 13:17 Adobe Systems Shared
09.07.2005 13:45 Ahead
09.07.2005 13:22 Designer
09.07.2005 12:03 Dienste
31.12.2005 19:35 Download
01.01.2006 00:49 InetGet
24.09.2005 20:05 InstallShield
13.08.2005 14:26 Java
24.09.2005 20:06 Microsoft Shared
09.07.2005 12:03 MSSoap
09.07.2005 18:56 ODBC
13.11.2005 12:28 ScanSoft Shared
31.12.2005 16:38 Softwin
09.07.2005 18:56 SpeechEngines
09.07.2005 13:22 System
01.01.2006 00:48 Windows
0 Datei(en) 0 Bytes
19 Verzeichnis(se), 6.842.896.384 Bytes frei

#4 öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [stnospy] C:\Programme\SinEspias\no-spy.exe /autorun
O4 - HKCU\..\Run: [services32] C:\Programme\Gemeinsame Dateien\Windows\mc-110-12-0000137.exe
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

PC neustarten

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot / Process all in List )--> anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\Programme\Gemeinsame Dateien\Windows\mc-110-12-0000137.exe
C:\Programme\SinEspias\no-spy.exe
C:\Programme\Gemeinsame Dateien\Windows\services32.exe

PC neustarten

deinstalliere / loesche:
C:\Programme\XoftSpy
C:\Programme\SinEspias

scanne mit ewido und kopiere hier den scanreport
http://virus-protect.org/ewido.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Hallo,

hier der Scan-Report:

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Erstellt am: 21:10:07, 01.01.2006
+ Report-Checksumme: 15CBCAE6

+ Scanergebnis:

HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Gesäubert mit Backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Gesäubert mit Backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Gesäubert mit Backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0} -> Spyware.RXToolbar : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933} -> Spyware.MyWebSearch : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Need2Find -> Spyware.Need2Find : Gesäubert mit Backup
HKU\S-1-5-21-1417001333-776561741-839522115-1003\Software\Need2Find\bar -> Spyware.Need2Find : Gesäubert mit Backup
:mozilla.19:C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\Mozilla\Firefox\Profiles\5uriiduc.default\cookies.txt -> Spyware.Cookie.Falkag : Gesäubert mit Backup
:mozilla.20:C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\Mozilla\Firefox\Profiles\5uriiduc.default\cookies.txt -> Spyware.Cookie.Falkag : Gesäubert mit Backup
:mozilla.21:C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\Mozilla\Firefox\Profiles\5uriiduc.default\cookies.txt -> Spyware.Cookie.Falkag : Gesäubert mit Backup
:mozilla.22:C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\Mozilla\Firefox\Profiles\5uriiduc.default\cookies.txt -> Spyware.Cookie.Falkag : Gesäubert mit Backup

C:\Dokumente und Einstellungen\Tobias\Cookies\tobias@ppms.popularix[2].txt -> Spyware.Cookie.Popularix : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Tobias\Cookies\tobias@www.etracker[1].txt -> Spyware.Cookie.Etracker : Gesäubert mit Backup
C:\Programme\Need2Find -> Spyware.Need2Find : Gesäubert mit Backup
C:\Programme\Need2Find\bar -> Spyware.Need2Find : Gesäubert mit Backup
C:\Programme\Need2Find\bar\History -> Spyware.Need2Find : Gesäubert mit Backup
C:\Programme\Need2Find\bar\History\search -> Spyware.Need2Find : Gesäubert mit Backup
C:\Programme\Need2Find\bar\Settings -> Spyware.Need2Find : Gesäubert mit Backup
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Gesäubert mit Backup


::Report Ende

#6 deinstalliere ewido und lade Counterspy

Counterspy
http://virus-protect.org/counterspy.html

nach dem Scan muss man sich entscheiden für:

*Ignore
*Remove
*Quarantaine

poste den scanreport
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Leider zeigt es mir diese Fehlermeldung an, beim Dowloaden:

"Der Zugriff auf Windows Script Host wurde auf diesem Computer deaktiviert.
Wenden sie sich an Ihren Administrator, um weitere Details in Erfahrung zu bringen."

#8 schau mal beim xp-Antispy, und aktiviere die Funktion
__________
MfG Sabina

rund um die PC-Sicherheit

#9 seufz... kannst du nicht lesen ???
nach dem Scan muss man sich entscheiden für:

Zitat

*Ignore
*Remove
*Quarantaine

also..noch mal scannen .....--> ALLES loeschen lassen !!!
__________
MfG Sabina

rund um die PC-Sicherheit

#10 Sorry...

Spyware Scan Details
Start Date: 01.01.2006 23:26:34
End Date: 01.01.2006 23:53:21
Total Time: 26 mins 47 secs

Detected spyware

BearShare P2P more information...
Details: BearShare is a file sharing network. The free version installs a number of known spyware and adware programs.
Status: Deleted

Infected files detected
c:\programme\bearshare\bearshare.exe
c:\programme\bearshare\bsidle.dll
c:\programme\bearshare\bearshare.dat
c:\programme\bearshare\freepeers.ini
c:\programme\bearshare\history.txt
c:\programme\bearshare\install.log
c:\programme\bearshare\runmsc.dll
c:\programme\bearshare\unwise.exe
c:\programme\bearshare\unwise.ini
c:\programme\bearshare\webstats.bat
c:\programme\bearshare\webstats.exe
c:\programme\bearshare\webstats.ini
c:\programme\bearshare\db\config.bin
c:\programme\bearshare\db\connect.txt
c:\programme\bearshare\db\gnucache.dat
c:\programme\bearshare\db\gwebcache.dat
c:\programme\bearshare\db\hbcache.dat
c:\programme\bearshare\db\hostiles-chat.txt
c:\programme\bearshare\db\hostiles.txt
c:\programme\bearshare\db\library.2.db
c:\programme\bearshare\db\library.2.db.lastgoodload.bak
c:\programme\bearshare\db\library.db
c:\programme\bearshare\db\library.db.lastgoodload.bak
c:\programme\bearshare\db\searches.ini
c:\programme\bearshare\installer\bsinstallde.exe
c:\programme\bearshare\logs\hosts-state.txt
c:\programme\bearshare\logs\memory.txt
c:\programme\bearshare\logs\ordinal.txt
c:\programme\bearshare\logs\streams.txt
c:\programme\bearshare\sounds\notify.wav

Infected registry entries detected
HKEY_CLASSES_ROOT\gnufile
HKEY_CLASSES_ROOT\gnufile\shell\open\command "C:\Programme\BearShare\BearShare.exe" "%1"
HKEY_CLASSES_ROOT\gnufile gnutella
HKEY_CLASSES_ROOT\gnufile BrowserFlags 8
HKEY_CLASSES_ROOT\gnufile EditFlags 65536
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 C:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR C:\Programme\BearShare\
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current C:\Programme\BearShare\sounds\notify.wav
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare BearShare
HKEY_LOCAL_MACHINE\software\bearshare
HKEY_LOCAL_MACHINE\software\bearshare InstallDir C:\Programme\BearShare
HKEY_LOCAL_MACHINE\software\classes\gnufile
HKEY_LOCAL_MACHINE\software\classes\gnufile\shell\open\command "C:\Programme\BearShare\BearShare.exe" "%1"
HKEY_LOCAL_MACHINE\software\classes\gnufile gnutella
HKEY_LOCAL_MACHINE\software\classes\gnufile BrowserFlags 8
HKEY_LOCAL_MACHINE\software\classes\gnufile EditFlags 65536
HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 C:\Programme\BearShare\RunMSC.dll
HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR C:\Programme\BearShare\
HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayName BearShare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare UninstallString C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayVersion 5.0.2.5DE
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare HelpLink http://bearshare.de/Help/index.htm
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare Publisher Free Peers, Inc.
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare URLInfoAbout http://www.freepeers.com
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayIcon C:\Programme\BearShare\BearShare.exe,-128
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_USERS\.default\appevents\schemes\apps\bearshare
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current C:\Programme\BearShare\sounds\notify.wav
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_USERS\.default\appevents\schemes\apps\bearshare BearShare
HKEY_USERS\s-1-5-18\appevents\eventlabels\bearsharechatnotifymsg
HKEY_USERS\s-1-5-18\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_USERS\s-1-5-18\appevents\schemes\apps\bearshare
HKEY_USERS\s-1-5-18\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current C:\Programme\BearShare\sounds\notify.wav
HKEY_USERS\s-1-5-18\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_USERS\s-1-5-18\appevents\schemes\apps\bearshare BearShare


eDonkey2000 P2P more information...
Details: eDonkey2000 is a P2P file sharing program that bundles adware/spyware such as Webhancer, Web Search Toolbar and New.Net.
Status: Deleted

Infected files detected
c:\programme\edonkey2000\edonkey2000.exe
c:\programme\edonkey2000\5.html
c:\programme\edonkey2000\blacklist.txt
c:\programme\edonkey2000\contact.dat
c:\programme\edonkey2000\friend.met
c:\programme\edonkey2000\friend.met.bak
c:\programme\edonkey2000\keyring.dat
c:\programme\edonkey2000\keyring.dat.bak
c:\programme\edonkey2000\known.met
c:\programme\edonkey2000\known.met.bak
c:\programme\edonkey2000\layout.xml
c:\programme\edonkey2000\log.txt
c:\programme\edonkey2000\media.xml
c:\programme\edonkey2000\pref.xml
c:\programme\edonkey2000\server.met
c:\programme\edonkey2000\server.met.bak
c:\programme\edonkey2000\share.dat
c:\programme\edonkey2000\share.dat.bak
c:\programme\edonkey2000\svr-blacklist.txt
c:\programme\edonkey2000\uninstall_edonkey2000.exe
c:\programme\edonkey2000\uploadq.dat
c:\programme\edonkey2000\plugins\boost_thread-vc6-mt-1_31.dll
c:\programme\edonkey2000\plugins\btplugin.dll
c:\programme\edonkey2000\plugins\btplugin.ini
c:\programme\edonkey2000\plugins\easypreview.dll
c:\programme\edonkey2000\plugins\easypreview.txt
c:\programme\edonkey2000\plugins\ed2kie.dll
c:\programme\edonkey2000\plugins\httpprotocol.dll
c:\programme\edonkey2000\plugins\jpcplugin.ini
c:\programme\edonkey2000\plugins\jpcplugin5.dll
c:\programme\edonkey2000\plugins\launchmyapp.dll
c:\programme\edonkey2000\plugins\launchmyapp.ini
c:\programme\edonkey2000\plugins\leeme_esp.rtf
c:\programme\edonkey2000\plugins\lesemich_ger.rtf
c:\programme\edonkey2000\plugins\lma readme.txt
c:\programme\edonkey2000\plugins\readme_eng.rtf
c:\programme\edonkey2000\plugins\unrar.dll
c:\programme\edonkey2000\plugins\_libtorrent_bsd_licence.txt
c:\programme\edonkey2000\skins\default\add2keyring-dis.png
c:\programme\edonkey2000\skins\default\add2keyring-down.png
c:\programme\edonkey2000\skins\default\add2keyring-hover.png
c:\programme\edonkey2000\skins\default\add2keyring-up.png
c:\programme\edonkey2000\skins\default\arrow-down.png
c:\programme\edonkey2000\skins\default\arrow-up.png
c:\programme\edonkey2000\skins\default\background.png
c:\programme\edonkey2000\skins\default\console-big-down.png
c:\programme\edonkey2000\skins\default\console-big-hover.png
c:\programme\edonkey2000\skins\default\console-big-up.png
c:\programme\edonkey2000\skins\default\console-small-down.png
c:\programme\edonkey2000\skins\default\console-small-hover.png
c:\programme\edonkey2000\skins\default\console-small-up.png
c:\programme\edonkey2000\skins\default\download-dis.png
c:\programme\edonkey2000\skins\default\download-down.png
c:\programme\edonkey2000\skins\default\download-hover.png
c:\programme\edonkey2000\skins\default\download-up.png
c:\programme\edonkey2000\skins\default\ed2k-connect.png
c:\programme\edonkey2000\skins\default\ed2k-connected.png
c:\programme\edonkey2000\skins\default\ed2k-connecting.png
c:\programme\edonkey2000\skins\default\ed2k-disconnect.png
c:\programme\edonkey2000\skins\default\ed2k-disconnected.png
c:\programme\edonkey2000\skins\default\exclaim.png
c:\programme\edonkey2000\skins\default\folder-closed-both.png
c:\programme\edonkey2000\skins\default\folder-closed-childshared.png
c:\programme\edonkey2000\skins\default\folder-closed-shared.png
c:\programme\edonkey2000\skins\default\folder-closed-unshared.png
c:\programme\edonkey2000\skins\default\folder-go-up-level.png
c:\programme\edonkey2000\skins\default\folder-open-both.png
c:\programme\edonkey2000\skins\default\folder-open-childshared.png
c:\programme\edonkey2000\skins\default\folder-open-shared.png
c:\programme\edonkey2000\skins\default\folder-open-unshared.png
c:\programme\edonkey2000\skins\default\folder-refresh.png
c:\programme\edonkey2000\skins\default\generatecatalog-dis.png
c:\programme\edonkey2000\skins\default\generatecatalog-down.png
c:\programme\edonkey2000\skins\default\generatecatalog-hover.png
c:\programme\edonkey2000\skins\default\generatecatalog-up.png
c:\programme\edonkey2000\skins\default\launch-dis.png
c:\programme\edonkey2000\skins\default\launch-down.png
c:\programme\edonkey2000\skins\default\launch-hover.png
c:\programme\edonkey2000\skins\default\launch-up.png
c:\programme\edonkey2000\skins\default\little-back.png
c:\programme\edonkey2000\skins\default\main-help-down.png
c:\programme\edonkey2000\skins\default\main-help-hover.png
c:\programme\edonkey2000\skins\default\main-help-up.png
c:\programme\edonkey2000\skins\default\main-options-down.png
c:\programme\edonkey2000\skins\default\main-options-hover.png
c:\programme\edonkey2000\skins\default\main-options-up.png
c:\programme\edonkey2000\skins\default\main-register-down.png
c:\programme\edonkey2000\skins\default\main-register-hover.png
c:\programme\edonkey2000\skins\default\main-register-up.png
c:\programme\edonkey2000\skins\default\managekeyring-dis.png
c:\programme\edonkey2000\skins\default\managekeyring-down.png
c:\programme\edonkey2000\skins\default\managekeyring-hover.png
c:\programme\edonkey2000\skins\default\managekeyring-up.png
c:\programme\edonkey2000\skins\default\mediaplayer.png
c:\programme\edonkey2000\skins\default\moreres-dis.png
c:\programme\edonkey2000\skins\default\moreres-down.png
c:\programme\edonkey2000\skins\default\moreres-hover.png
c:\programme\edonkey2000\skins\default\moreres-up.png
c:\programme\edonkey2000\skins\default\on-connect.png
c:\programme\edonkey2000\skins\default\on-connected.png
c:\programme\edonkey2000\skins\default\on-connecting.mng
c:\programme\edonkey2000\skins\default\on-connecting.png
c:\programme\edonkey2000\skins\default\on-disconnect.png
c:\programme\edonkey2000\skins\default\on-disconnected.png
c:\programme\edonkey2000\skins\default\options-down.png
c:\programme\edonkey2000\skins\default\options-hover.png
c:\programme\edonkey2000\skins\default\options-up.png
c:\programme\edonkey2000\skins\default\preview.png
c:\programme\edonkey2000\skins\default\refresh-dis.png
c:\programme\edonkey2000\skins\default\refresh-down.png
c:\programme\edonkey2000\skins\default\refresh-hover.png
c:\programme\edonkey2000\skins\default\refresh-up.png
c:\programme\edonkey2000\skins\default\remove-dis.png
c:\programme\edonkey2000\skins\default\remove-down.png
c:\programme\edonkey2000\skins\default\remove-hover.png
c:\programme\edonkey2000\skins\default\remove-up.png
c:\programme\edonkey2000\skins\default\search-dis.png
c:\programme\edonkey2000\skins\default\search-down.png
c:\programme\edonkey2000\skins\default\search-hover.png
c:\programme\edonkey2000\skins\default\search-up.png
c:\programme\edonkey2000\skins\default\searching.mng
c:\programme\edonkey2000\skins\default\share-dis.png
c:\programme\edonkey2000\skins\default\share-down.png
c:\programme\edonkey2000\skins\default\share-hover.png
c:\programme\edonkey2000\skins\default\share-up.png
c:\programme\edonkey2000\skins\default\tab-catalogs-down.png
c:\programme\edonkey2000\skins\default\tab-catalogs-hover.png
c:\programme\edonkey2000\skins\default\tab-catalogs-up.png
c:\programme\edonkey2000\skins\default\tab-friends-down.png
c:\programme\edonkey2000\skins\default\tab-friends-hover.png
c:\programme\edonkey2000\skins\default\tab-friends-up.png
c:\programme\edonkey2000\skins\default\tab-home-down.png
c:\programme\edonkey2000\skins\default\tab-home-hover.png
c:\programme\edonkey2000\skins\default\tab-home-up.png
c:\programme\edonkey2000\skins\default\tab-media-down.png
c:\programme\edonkey2000\skins\default\tab-media-hover.png
c:\programme\edonkey2000\skins\default\tab-media-up.png
c:\programme\edonkey2000\skins\default\tab-search-down.png
c:\programme\edonkey2000\skins\default\tab-search-hover.png
c:\programme\edonkey2000\skins\default\tab-search-up.png
c:\programme\edonkey2000\skins\default\tab-servers-down.png
c:\programme\edonkey2000\skins\default\tab-servers-hover.png
c:\programme\edonkey2000\skins\default\tab-servers-up.png
c:\programme\edonkey2000\skins\default\tab-shared-down.png
c:\programme\edonkey2000\skins\default\tab-shared-hover.png
c:\programme\edonkey2000\skins\default\tab-shared-up.png
c:\programme\edonkey2000\skins\default\tab-stats-down.png
c:\programme\edonkey2000\skins\default\tab-stats-hover.png
c:\programme\edonkey2000\skins\default\tab-stats-up.png
c:\programme\edonkey2000\skins\default\tab-transfers-down.png
c:\programme\edonkey2000\skins\default\tab-transfers-hover.png
c:\programme\edonkey2000\skins\default\tab-transfers-up.png
c:\programme\edonkey2000\skins\default\ui.xml
c:\programme\edonkey2000\skins\default\unshare-dis.png
c:\programme\edonkey2000\skins\default\unshare-down.png
c:\programme\edonkey2000\skins\default\unshare-hover.png
c:\programme\edonkey2000\skins\default\unshare-up.png
c:\programme\edonkey2000\skins\default\x-down.png
c:\programme\edonkey2000\skins\default\x-hover.png
c:\programme\edonkey2000\skins\default\x-up.png
c:\programme\edonkey2000\temp\don't mess with temp files!!!!!.txt
c:\dokumente und einstellungen\tobias\anwendungsdaten\microsoft\internet explorer\quick launch\edonkey2000.lnk

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 C:\Programme\eDonkey2000\plugins\ed2kie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 ThreadingModel Both
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\TypeLib {379919F2-1612-45B7-B9F4-773F6D5214F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\VersionIndependentProgID eD2KDownloadManager.object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run eDonkey2000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 DisplayName eDonkey2000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 UninstallString "C:\Programme\eDonkey2000\uninstall_eDonkey2000.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 DisplayIcon "C:\Programme\eDonkey2000\eDonkey2000.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 NoModify 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 NoRepair 1


Adw.Regfreeze Adware more information...
Details: Adw.Regfreeze is a program used to repair registry errors in the Windows registy.
Status: Deleted

Infected files detected
c:\programme\regfreeze\bz.dll
c:\programme\regfreeze\httpreq.dll
c:\programme\regfreeze\regfreeze.exe
c:\programme\regfreeze\regfreeze.url
c:\programme\regfreeze\unins000.dat
c:\programme\regfreeze\unins000.exe
c:\programme\regfreeze\askmod\askmod.exe
c:\programme\regfreeze\bkcpy\freeze.list
c:\programme\regfreeze\help\help.chm
c:\programme\regfreeze\interface\interface.txt
c:\dokumente und einstellungen\tobias\desktop\regfreeze.lnk
C:\Dokumente und Einstellungen\Tobias\Lokale Einstellungen\Anwendungsdaten\RegFreeze\hijack.places


Adw.eXact.BargainBuddy Adware more information...
Details: BargainBuddy is a Browser Helper Object that watches the pages your browser requests and the terms you enter into a search engine web form. If a term matches a preset list of sites or keywords, BargainBuddy will display an ad.
Status: Deleted

Infected files detected
c:\windows\system32\exclean.exe

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BargainBuddy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BargainBuddy SlowInfoCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BargainBuddy Changed 0


AntivirusGold Potentially Unwanted Software more information...
Status: Deleted

Infected files detected
C:\Dokumente und Einstellungen\Tobias\Lokale Einstellungen\Temp\nsl5A.tmp\InstallOptions.dll


WhenU.SaveNow Adware more information...
Details: an advertising application that displays pop-up advertising on the desktop in response to users' surfing behavior.
Status: Deleted

Infected files detected
C:\Programme\BearShare\RunMSC.dll
C:\Programme\BearShare\Webstats.exe
C:\Programme\BearShare\Webstats.ini

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader.1\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader.1\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\clsid
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\curver
HKEY_LOCAL_MACHINE\software\classes\runmsc.loader\curver RunMSC.Loader.1
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib {DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0} IACMFactory
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib {DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086} IFetchExtractor
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib {DF901432-1B9F-4F5B-9E56-301C553F9095}
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842} IFetchData


Overnet Adware Bundler more information...
Details: Overnet/eDonkey is a file sharing application that bundles third party adware and spyware with the free version.
Status: Deleted

Infected files detected
C:\Programme\eDonkey2000\Plugins\ed2kie.dll


KaZaA P2P more information...
Details: Kazaa is a Peer to Peer file sharing application that uses some adware advertising as well as installs a number of thrid party adware software on your computer.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Kazaa\Advanced
HKEY_CURRENT_USER\Software\Kazaa\Advanced ScWeeklyDate 28-9-2005
HKEY_CURRENT_USER\Software\Kazaa\Advanced Status Installed
HKEY_CURRENT_USER\software\kazaa
HKEY_CURRENT_USER\software\kazaa\Advanced ScWeeklyDate 28-9-2005
HKEY_CURRENT_USER\software\kazaa\Advanced Status Installed
HKEY_CURRENT_USER\software\kazaa\DontShow CloseToSystray 1
HKEY_CURRENT_USER\software\kazaa\DontShow CancelDownload 0
HKEY_CURRENT_USER\software\kazaa\DontShow PlaylistRemote 0
HKEY_CURRENT_USER\software\kazaa\DontShow SetDefaultHandler 0
HKEY_CURRENT_USER\software\kazaa\DontShow DeletePlaylistItems 0
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 0 164
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 1 82
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 2 82
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 3 82
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 4 191
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 5 82
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 6 164
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 7 82
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Download Width 8 164
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 0 237
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 1 108
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 2 80
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 3 50
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 4 50
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 5 70
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 6 72
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 7 82
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 8 60
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 9 64
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 10 60
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 11 76
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\EverythingWidth 12 180
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\MyKazaaStates Meine Medien 0
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\MyKazaaStates Audio:Meine Medien 1
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\MyKazaaStates Meine Kapsules 0
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\MyKazaaStates Meine Wiedergabelisten 1
HKEY_CURRENT_USER\software\kazaa\Kazaa Media Desktop\Settings WindowPos 0,3,-32000,-32000,-1,-1,22,29,886,628
HKEY_CURRENT_USER\software\kazaa\LocalContent DisableListFiles 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Broadband BBDbLoc C:\Dokumente und Einstellungen\Tobias\Desktop\Db\bb.db
HKEY_CURRENT_USER\software\kazaa\Promotions\Broadband NullImageLoc C:\Dokumente und Einstellungen\Tobias\Desktop\broadband.gif
HKEY_CURRENT_USER\software\kazaa\Promotions\Broadband NullImageLoc2 C:\Dokumente und Einstellungen\Tobias\Desktop\broadband2.gif
HKEY_CURRENT_USER\software\kazaa\Promotions\Broadband BroadNagCount2 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Broadband LastBBShown 1127933556
HKEY_CURRENT_USER\software\kazaa\Search 0 e|¦
HKEY_CURRENT_USER\software\kazaa\Search 1 ky· dƒág
HKEY_CURRENT_USER\software\kazaa\Search 2 slºv•
HKEY_CURRENT_USER\software\kazaa\Search 3 tl¾
HKEY_CURRENT_USER\software\kazaa\Search 4 tl¾,�ûlTS
HKEY_CURRENT_USER\software\kazaa\Search 5 slºv•
HKEY_CURRENT_USER\software\kazaa\Search 6 `{¸]h�âf
HKEY_CURRENT_USER\software\kazaa\Search 7 d¶,ˆõ k_
HKEY_CURRENT_USER\software\kazaa\Search 8 ~kÿmˆ´"Y@��ª}B
HKEY_CURRENT_USER\software\kazaa\Search 9 `{ºh�í
HKEY_CURRENT_USER\software\kazaa\Search 10 ezÿm•
HKEY_CURRENT_USER\software\kazaa\Search 11 lj¦]a…øc
HKEY_CURRENT_USER\software\kazaa\Search 12 lj¦]a…øcU
HKEY_CURRENT_USER\software\kazaa\Search 13 d¶]h�âf
HKEY_CURRENT_USER\software\kazaa\Search 14 f rÿ d‰´ cB
HKEY_CURRENT_USER\software\kazaa\Search 15 jl¼]x‰ælAH
HKEY_CURRENT_USER\software\kazaa\Search 16 cp¶`ÌÄuOD‹
HKEY_CURRENT_USER\software\kazaa\Search 17 pu¨]a‰´rV‘È HKEY_CURRENT_USER\software\kazaa\Search 18 puº]a‰´r
HKEY_CURRENT_USER\software\kazaa\Search 19 `l¾kÌðtRE
HKEY_CURRENT_USER\software\kazaa\Search 20 e ¼,‰ígQœÌ½y
HKEY_CURRENT_USER\software\kazaa\Search 21 e ¼,‰íg
HKEY_CURRENT_USER\software\kazaa\Search 22 e ¼
HKEY_CURRENT_USER\software\kazaa\Search 23 e ¼,‰íf
HKEY_CURRENT_USER\software\kazaa\Settings +
HKEY_CURRENT_USER\software\kazaa\Settings Date
HKEY_CURRENT_USER\software\kazaa\Settings UseCount 0
HKEY_CURRENT_USER\software\kazaa\Transfer +
HKEY_CURRENT_USER\software\kazaa\Transfer NoUploadLimitWhenIdle 1
HKEY_CURRENT_USER\software\kazaa\Transfer CacheHost 0
HKEY_CURRENT_USER\software\kazaa\Transfer CachePort 0
HKEY_CURRENT_USER\software\kazaa\Transfer CacheDiscoveryTime 1127933240
HKEY_CURRENT_USER\software\kazaa\Transfer DlDir0 C:\Dokumente und Einstellungen\Tobias\Desktop\My Shared Folder
HKEY_CURRENT_USER\software\kazaa Tmp 0
HKEY_CURRENT_USER\software\kazaa LastSearchHash
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking SlowInfoCache
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking Changed 0


Adw.Need2Find.Toolbar Toolbar more information...
Details: Adw.Need2Find.Toolbar is an IE plugin with its own Search Field.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\MSIEDe1egate.Application.2
HKEY_CLASSES_ROOT\MSIEDe1egate.Application.2\CLSID {0002DF01-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\MSIEDe1egate.Application.2 Internet Exp1orer (Ver 1.31995)


Adw.Maxifiles.Director Adware more information...
Details: ADW.Maxifiles.Director is a trojan which downloads adware-related files from various Web sites.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Director
HKEY_CURRENT_USER\Software\Director Affid mc-110-12-0000137
HKEY_CURRENT_USER\Software\Director BaseURL http://www.maxifiles.com/director
HKEY_CURRENT_USER\Software\Director Uid 5e0f04fc-9017-4f3f-802c-2f30e7cbc00e
HKEY_CURRENT_USER\Software\Director Request 1/1/2006 0:20:48


Claria.DashBar Cookie Cookie more information...
Details: DashBar cookie is a small text file placed on the user's computer after when visiting the Claria/GAIN DashBar website.
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tobias\cookies\tobias@belnk[1].txt


CGI-Bin Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tobias\cookies\tobias@cgi-bin[2].txt

#11 Maggie

nun mache bitte einen Onlinescan mit panda und kopiere hier den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#12 Hoffe, dass ist der richtige Report, is ein wenig kurz:


Incident Status Location

Adware:adware/maxifiles Not desinfected C:\PROGRAMME\GEMEINSAME DATEIEN\InetGet
Adware:adware/savenow Not desinfected Windows Registry
Possible Virus. Not desinfected C:\Programme\SlySoft\AnyDVD\AnyDVD 5.2.5.1 loader.exe

#13 ist ja ein gutes Zeichen, dass der Report kurz ist

loesche:
C:\PROGRAMME\GEMEINSAME DATEIEN\InetGet

TuneUp 2006 (30 Tage free) Shareware
http://virus-protect.org/reinigungstoolsregistry.html
wende an:
Cleanup repair -- TuneUp Diskcleaner
Cleanup repair -- Registry Cleaner

dann scanne noch mal mit panda
__________
MfG Sabina

rund um die PC-Sicherheit

#14 Hallo,

hier der 2. Scan:


Incident Status Location

Adware:adware/maxifiles Not desinfected C:\PROGRAMME\GEMEINSAME DATEIEN\Windows
Adware:adware/savenow Not desinfected Windows Registry
Possible Virus. Not desinfected C:\Programme\SlySoft\AnyDVD\AnyDVD 5.2.5.1 loader.exe

#15 loesche:
C:\PROGRAMME\GEMEINSAME DATEIEN\Windows

das andere kannst du dann ignorieren...es sei denn C:\Programme\SlySoft\AnyDVD ist wirklich Malware.... hast du das von einer ofiziellen Seite geladen ?
__________
MfG Sabina

rund um die PC-Sicherheit