Winfix oder verwanter bringt mich zum wahnsinn

#1 seit heute gehen bei mir ständig verschiedenste url's auf und ab und zu werde ich aufgefordert winfix 2005 zu erwerben. habe nun schon einige tutorials zum entfernen durchgemacht aber es schein sich um eine unterart zu handeln. es finden sich z.b. keine der ordner von winfix die in diversen foren beschrieben sind, auch die meisten registry einträge finden sich nicht. hier mein hijack log ich hoffe es kann mir jemand helfen:

Zusatzinfo: auffallend viele adressen beinhalten "yyy102.html"

Logfile of HijackThis v1.99.1
Scan saved at 22:43:18, on 07.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\avmclient\avmbtservice.exe
C:\Programme\avmclient\AvmObexService.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\TELES\skyDSL\Proxy\craxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\TELES\skyDSL\tskymtpc.exe
C:\Programme\TELES\skyDSL\tkpsrv.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Motherboard Monitor 5\MBM5.EXE
C:\Programme\avmclient\bluefritz.exe
C:\Programme\avmclient\AvmObex.exe
C:\Programme\avmclient\AvmObex.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programme\Logitech\MediaLife\MediaLifeService.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Anti-Blaxx\Anti-Blaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
C:\Programme\Gemeinsame Dateien\Nokia\Tools\NclTray.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTvRc.exe
C:\Programme\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\DLink\Bluetooth Software\BTTray.exe
C:\Programme\jalcds\jaLCDs.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\jvm\jre1.4\1.4\bin\javaw.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programme\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MBM 5] "C:\Programme\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVMBlueClient] C:\Programme\avmclient\bluefritz.exe
O4 - HKLM\..\Run: [AVMBLUEOBEX] C:\Programme\avmclient\AvmObex.exe -pushclient -ftpclient
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Programme\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DataLayer] C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programme\Gemeinsame Dateien\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Programme\VideoraiPodConverter\VideoraConverter.exe -t
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTvRc.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Programme\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Konfabulator.lnk = C:\Programme\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: QCast Station.LNK = C:\Programme\BroadQ\QCastStation.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: jaLCDs (2).lnk = C:\Programme\jalcds\jaLCDs.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Mit FDM herunterladen - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Webseiten mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: skyDSL++ - {F7522CA2-3DDA-11d3-8560-0060977792B1} - C:\Programme\TELES\skyDSL\sky2sky.exe
O9 - Extra button: skyDSL- - - {F7522CA8-3DDA-11d3-8560-0060977792B1} - C:\Programme\TELES\skyDSL\sky2fon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programme\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\skysocks.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{41A14147-CA56-463E-9EA0-F1E3B569CE77}: NameServer = 192.168.111.111
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM BT Connection Service - AVM Berlin - C:\Programme\avmclient\avmbtservice.exe
O23 - Service: AVM BT PAN Service - AVM Berlin - C:\Programme\avmclient\panapp.exe
O23 - Service: AVM BT OBEX Service (AvmObexService) - AVM Berlin - C:\Programme\avmclient\AvmObexService.exe
O23 - Service: Bonjour Dienst (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMounter - Unknown owner - C:\WINDOWS\system32\PMounter.exe
O23 - Service: Radmin Communication Server (rcomsrv) - Unknown owner - C:\WINDOWS\system32\rcomsrv30\rcomsrv.exe" /service (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: skyDSL-Proxy (tntcraxy) - Unknown owner - C:\Programme\TELES\skyDSL\Proxy\craxy.exe" service (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programme\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TridiaVNC Server (winvnc) - Tridia Corporation - C:\Programme\TridiaVNC\win32\WinVNC.exe

#2 dark-hawk

wende CleanUp genau nach Anleitung auf der Seite an
http://virus-protect.org/cleanup.html

datfindbat (kopiere die 4 Textdateien)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 ok, danke für die schnelle antwort.
übrigens hat "Microsoft AntiSpyware" bisher als einziges tool überhaupt erkannt das "look2me" auf meinem system war/ist es wurde von dem tool zwar entfernt (laut dem tool) es finden "look2me" nun auch nichtmehr, aber die url's gehen auf wie zuvor auch. besonders gewundert hat mich dass das MS tool "look2me" gefunden hat obwohl das symantec-tool nichts deartiges gefunden hat.

hier der gewünschte inhalt der dateien:

system32.txt:

c:windows\system32
08.01.2006 01:37 235.576 iYsrecst.dll
08.01.2006 01:37 13.646 wpa.dbl
07.01.2006 22:13 235.576 guard.tmp
07.01.2006 19:55 235.576 ilput.dll
07.01.2006 12:30 235.607 ir5331.dll
29.12.2005 03:54 280.064 gdi32.dll
21.12.2005 19:14 87 nt32200ax.dll
18.12.2005 21:36 86.016 pxwma.dll
18.12.2005 21:36 53.248 pxhpinst.exe
18.12.2005 21:36 286.720 pxwave.dll
18.12.2005 21:36 143.360 pxmas.dll
18.12.2005 21:36 462.848 px.dll
18.12.2005 01:17 45 initdebug.nfo
16.12.2005 18:29 386.448 perfh009.dat
16.12.2005 18:29 54.956 perfc009.dat
16.12.2005 18:29 397.694 perfh007.dat
16.12.2005 18:29 65.946 perfc007.dat
16.12.2005 18:29 916.170 PerfStringBackup.INI
14.12.2005 18:53 34.064 lhacm.acm
09.12.2005 01:21 2.723.680 MRT.exe
07.12.2005 18:05 716.800 divxdec.ax
07.12.2005 18:05 573.952 DivX.dll
07.12.2005 18:05 679.936 divx_xx07.dll
07.12.2005 18:05 679.936 divx_xx0c.dll
07.12.2005 18:05 663.552 divx_xx11.dll
05.12.2005 21:51 10.716 dsm_ja.qm
05.12.2005 21:51 15.331 dsm_de.qm
05.12.2005 21:51 15.172 dsm_fr.qm
02.12.2005 22:28 41.237 nvapps.xml
02.12.2005 18:03 7.006 jupdate-1.5.0_06-b05.log
01.12.2005 12:14 86.091 S32EVNT1.DLL
01.12.2005 04:31 1.492.480 shdocvw.dll
24.11.2005 00:58 1.022.464 browseui.dll
24.11.2005 00:58 3.013.632 mshtml.dll
23.11.2005 05:00 778.240 DivXsm.exe
23.11.2005 05:00 4.276 divxsm.tlb
15.11.2005 20:14 13.312 ceutil.dll
15.11.2005 19:42 122.880 rapi.dll
15.11.2005 12:12 117.976 hashlib.dll
15.11.2005 12:12 126.680 GCCollection.dll
15.11.2005 12:12 95.448 gcUnCompress.dll
14.11.2005 17:45 306.808 FNTCACHE.DAT
11.11.2005 14:49 180.224 nvuaudio.exe
11.11.2005 14:49 180.224 nvuenet.exe
11.11.2005 14:49 180.224 nvugart.exe

systemtemp.txt:

Verzeichnis von C:\DOKUME~1\DARK-H~1\LOKALE~1\Temp

08.01.2006 01:40 16.384 Perflib_Perfdata_1708.dat
08.01.2006 01:39 16.384 Perflib_Perfdata_eec.dat
08.01.2006 01:39 32.768 ~DFF137.tmp
08.01.2006 01:39 282 WCESLog.log
08.01.2006 01:39 559 WCESCOMM.LOG
08.01.2006 01:39 32.768 ~DFDC72.tmp
08.01.2006 01:39 32.768 ~DF8D4A.tmp
08.01.2006 01:38 32.768 ~DF8B5C.tmp

system.txt:

Verzeichnis von C:\WINDOWS

08.01.2006 01:38 0 0.log
08.01.2006 01:37 2.048 bootstat.dat
08.01.2006 01:36 1.805.201 WindowsUpdate.log
07.01.2006 22:32 202 NeroDigital.ini
07.01.2006 22:17 619.621 setupapi.log
07.01.2006 22:12 149.108 ntbtlog.txt
07.01.2006 20:13 50.912 iconu.exe
07.01.2006 20:07 24.296 icont.exe
07.01.2006 12:33 0 enewsletterpro1.dat
07.01.2006 01:27 596 win.ini
07.01.2006 01:27 227 system.ini
06.01.2006 19:10 38 drsmartloadb.dat
06.01.2006 19:00 438.991 iis6.log
06.01.2006 19:00 167.892 tsoc.log
06.01.2006 19:00 128.524 comsetup.log
06.01.2006 19:00 77.263 ntdtcsetup.log
06.01.2006 19:00 1.355 imsins.log
06.01.2006 19:00 18.576 tabletoc.log
06.01.2006 19:00 20.076 ocmsn.log
06.01.2006 19:00 10.972 KB912919.log
06.01.2006 19:00 62.350 netfxocm.log
06.01.2006 19:00 184.391 ocgen.log
06.01.2006 19:00 25.851 medctroc.Log
06.01.2006 19:00 18.124 msgsocm.log
06.01.2006 19:00 350.250 FaxSetup.log
06.01.2006 19:00 118.594 msmqinst.log
06.01.2006 19:00 21.474 updspapi.log
04.01.2006 19:47 0 drsmartloadb1.dat
04.01.2006 19:47 0 timessquare1.dat
04.01.2006 19:47 69.888 banmanpro.exe
04.01.2006 19:47 41.216 enewsletterpro.exe
04.01.2006 19:43 50 wiaservc.log
04.01.2006 19:43 216 wiadebug.log
21.12.2005 19:14 32 ntcheck3232bx.dll
16.12.2005 23:25 0 PestPatrol5.INI
16.12.2005 23:00 145 installer.exe
15.12.2005 22:05 997 avmcoins.log
14.12.2005 17:53 9.891 KB910437.log
14.12.2005 17:53 15.855 KB905915.log
12.12.2005 19:08 4.753 KB909394.log
12.12.2005 19:08 11.666 KB894476.log
12.12.2005 19:06 193.711 setupact.log
17.11.2005 22:53 113.326 DirectX.log
09.11.2005 22:52 11.746 KB896424.log
07.11.2005 20:18 1.224 MeineTraffic_Uninstall.ins
06.11.2005 15:59 8.192 REGULOCS.OLD
05.11.2005 22:58 19 SoundConverter.INI
04.11.2005 19:08 21.004 KB902400.log
04.11.2005 19:07 11.585 KB896688.log
04.11.2005 15:00 12.663 KB901017.log
04.11.2005 15:00 13.668 KB900725.log
04.11.2005 15:00 10.834 KB904706.log
01.11.2005 23:17 988 vpd.properties
01.11.2005 21:59 11.112 KB899589.log
01.11.2005 21:58 11.624 KB905414.log
29.10.2005 13:10 11.819 KB905749.log
02.10.2005 10:01 3.251 mozver.dat
01.10.2005 19:51 2.557 identitydb.obj
22.09.2005 16:55 43.798 wmsetup.log
21.09.2005 20:16 75 cdplayer.ini
08.09.2005 18:30 121 GEARInstall.log
30.08.2005 18:37 0 PowerReg.dat
29.08.2005 14:42 90 ML.log
29.08.2005 14:41 316.640 WMSysPr9.prx
29.08.2005 14:41 86 ke.log
24.08.2005 22:57 57.344 uneng.exe
22.08.2005 18:03 11.944 SYMEVENT.LOG
17.08.2005 18:59 0 WinPM.INI
10.08.2005 21:16 18.685 KB899587.log
10.08.2005 21:16 18.183 KB899591.log
10.08.2005 21:16 18.297 KB893756.log
10.08.2005 21:16 17.644 KB896423.log
10.08.2005 21:15 18.190 KB896727.log
10.08.2005 21:15 13.526 KB899588.log
10.08.2005 21:15 5.438 KB885884.log
10.08.2005 20:30 13.208 KB894391.log
09.08.2005 15:31 1.209.767 setupapi.log.0.old
01.08.2005 15:37 145.783 UNNeroVision.cfg

sys.txt:

Verzeichnis von C:\

08.01.2006 01:48 0 sys.txt
08.01.2006 01:46 9.645 system.txt
08.01.2006 01:44 666 systemtemp.txt
08.01.2006 01:41 113.260 system32.txt
08.01.2006 01:36 1.610.141.696 hiberfil.sys
08.01.2006 01:36 1.610.612.736 pagefile.sys
07.01.2006 20:11 11 direct.txt
07.01.2006 19:00 127.432 noscript.exe
07.01.2006 01:27 211 boot.ini
15.12.2005 22:07 192 BcBtRmv.log
02.10.2005 11:24 532 hpfr5550.xml
02.10.2005 11:24 17.931 hpfr5550.log
01.09.2005 15:44 6.184 devicetable.log
30.08.2005 19:34 62 savedir.ini
13.07.2005 12:13 3.026 skysetup.log
10.07.2005 12:45 27.262.976 VIRTPART.DAT
09.07.2005 17:33 47.564 NTDETECT.COM
09.07.2005 17:33 251.184 ntldr
09.07.2005 17:04 0 CONFIG.SYS
09.07.2005 17:04 0 IO.SYS
09.07.2005 17:04 0 MSDOS.SYS
09.07.2005 17:04 0 AUTOEXEC.BAT
02.04.2003 13:00 4.952 bootfont.bin

#4 Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum
http://www.virustotal.com/flash/index_en.html

c:\windows\system32\gdi32.dll
c:\noscript.exe
c:\windows\system32\nt32200ax.dll
c:\windows\ntcheck3232bx.dll


------------------------------------------------------------------------

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

c:\windows\system32\iYsrecst.dll
c:\windows\system32\guard.tmp
c:\windows\system32\ilput.dll

c:\windows\system32\ir5331.dll --> schreibe die korrekte dll per Hand: i r l o l 5 3 3 1.dll (ohne Zwischenraum)...ich musste es so schreiben, weil sonst ein erscheint

C:\WINDOWS\drsmartloadb1.dat
C:\WINDOWS\timessquare1.dat
C:\WINDOWS\banmanpro.exe
C:\WINDOWS\enewsletterpro.exe
C:\WINDOWS\iconu.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\enewsletterpro1.dat
C:\WINDOWS\drsmartloadb.dat

pc neustarten

L2MRemover.zip - Look2Me Remover
http://www.simplytech.it/L2MRemover/index_de.htm

Entpacke das Programm mit einem Ziptool
in den neu zu erstellenden Ordner C:\Programme\Look2meRemover.

1. Klicke auf die L2MRemover.exe, um das Programm zu starten.
2. Klicke auf "About" "Check for updates..." im Menu des Programms und aktualisiere das Programm.
3. Drücke auf den "Scan" Button und lasse dein gesamtes System, Speicher und Registry scannen.

(Wenn es eine bekannte Variante der Malware findet, wird es sie ermitteln und sie unbrauchbar machen, indem es den ST-Code während des Scannens in die Malware injiziert. Dann wird es die Registry Schlüssel auflisten, die die Malware bei jedem Systemstart neu laden.)

4. Betätige den "Delete Keys" Button, um die Registry von den Schlüsseln zu bereinigen, die dafür sorgen, dass die Malware sich mit jedem Neustart wieder neu auflädt.

(Wenn dir das Entfernen der Registerschlüssel zu riskant ist, kannst du ein Häkchen setzen bei "Save before delete", damit ein Backuo-File *.reg gespeichert werden kann, für den Fall, dass du die gelöschten Schlüssel neu erstellen möchtest.)

Hinweis: Der "Look2me Remover" entfernt nur die Variationen der Look2Me Malware, die seit November 2005 im Umlauf sind.

5. Speichere das Logfile des Removers

-----------------------------------------------

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

L2mfix
http://virus-protect.org/l2mfix.html
arbeite Option 2 ab und nache dem Boten und neustart+ scannen, kopiere hier den scanreport
__________
MfG Sabina

rund um die PC-Sicherheit

#5 nochmals danke, bisher sieht es sehr gut aus, keine popups mehr.
hier die verschiedenen log's :

VirusTotal:


This is a report processed by VirusTotal on 01/08/2006 at 14:57:58 (CET) after scanning the file "gdi32.dll" file.

Antivirus Version Update Result
AntiVir 6.33.0.75 01.06.2006 no virus found
Avast 4.6.695.0 01.06.2006 no virus found
AVG 718 01.06.2006 no virus found
Avira 6.33.0.75 01.06.2006 no virus found
BitDefender 7.2 01.08.2006 no virus found
CAT-QuickHeal 8.00 01.05.2006 no virus found
ClamAV devel-20051123 01.06.2006 no virus found
DrWeb 4.33 01.08.2006 no virus found
eTrust-Iris 7.1.194.0 01.06.2006 no virus found
eTrust-Vet 12.4.1.0 01.06.2006 no virus found
Ewido 3.5 01.07.2006 no virus found
Fortinet 2.54.0.0 01.07.2006 no virus found
F-Prot 3.16c 01.07.2006 no virus found
Ikarus 0.2.59.0 01.05.2006 no virus found
Kaspersky 4.0.2.24 01.08.2006 no virus found
McAfee 4669 01.06.2006 no virus found
NOD32v2 1.1356 01.08.2006 no virus found
Norman 5.70.10 01.06.2006 no virus found
Panda 9.0.0.4 01.08.2006 no virus found
Sophos 4.01.0 01.07.2006 no virus found
Symantec 8.0 01.08.2006 no virus found
TheHacker 5.9.2.069 01.06.2006 no virus found
UNA 1.83 01.06.2006 no virus found
VBA32 3.10.5 01.06.2006 no virus found

This is a report processed by VirusTotal on 01/08/2006 at 15:00:16 (CET) after scanning the file "noscript.exe" file.

Antivirus Version Update Result
AntiVir 6.33.0.75 01.06.2006 no virus found
Avast 4.6.695.0 01.06.2006 no virus found
AVG 718 01.06.2006 no virus found
Avira 6.33.0.75 01.06.2006 no virus found
BitDefender 7.2 01.08.2006 no virus found
CAT-QuickHeal 8.00 01.05.2006 no virus found
ClamAV devel-20051123 01.06.2006 no virus found
DrWeb 4.33 01.08.2006 no virus found
eTrust-Iris 7.1.194.0 01.06.2006 no virus found
eTrust-Vet 12.4.1.0 01.06.2006 no virus found
Ewido 3.5 01.07.2006 no virus found
Fortinet 2.54.0.0 01.07.2006 no virus found
F-Prot 3.16c 01.07.2006 no virus found
Ikarus 0.2.59.0 01.05.2006 no virus found
Kaspersky 4.0.2.24 01.08.2006 no virus found
McAfee 4669 01.06.2006 no virus found
NOD32v2 1.1356 01.08.2006 no virus found
Norman 5.70.10 01.06.2006 no virus found
Panda 9.0.0.4 01.08.2006 no virus found
Sophos 4.01.0 01.07.2006 no virus found
Symantec 8.0 01.08.2006 no virus found
TheHacker 5.9.2.069 01.06.2006 no virus found
UNA 1.83 01.06.2006 no virus found
VBA32 3.10.5 01.06.2006 no virus found

This is a report processed by VirusTotal on 01/08/2006 at 15:24:00 (CET) after scanning the file "nt32200ax1.dll" file.
Antivirus
Version
Update
Result
AntiVir
6.33.0.75
01.06.2006
no virus found
Avast
4.6.695.0
01.06.2006
no virus found
AVG
718
01.06.2006
no virus found
Avira
6.33.0.75
01.06.2006
no virus found
BitDefender
7.2
01.08.2006
no virus found
CAT-QuickHeal
8.00
01.05.2006
no virus found
ClamAV
devel-20051123
01.06.2006
no virus found
DrWeb
4.33
01.08.2006
no virus found
eTrust-Iris
7.1.194.0
01.06.2006
no virus found
eTrust-Vet
12.4.1.0
01.06.2006
no virus found
Ewido
3.5
01.08.2006
no virus found
Fortinet
2.54.0.0
01.07.2006
no virus found
F-Prot
3.16c
01.07.2006
no virus found
Ikarus
0.2.59.0
01.05.2006
no virus found
Kaspersky
4.0.2.24
01.08.2006
no virus found
McAfee
4669
01.06.2006
no virus found
NOD32v2
1.1356
01.08.2006
no virus found
Norman
5.70.10
01.06.2006
no virus found
Panda
9.0.0.4
01.08.2006
no virus found
Sophos
4.01.0
01.07.2006
no virus found
Symantec
8.0
01.08.2006
no virus found
TheHacker
5.9.2.069
01.06.2006
no virus found
UNA
1.83
01.06.2006
no virus found
VBA32
3.10.5
01.06.2006
no virus found

This is a report processed by VirusTotal on 01/08/2006 at 15:24:10 (CET) after scanning the file "ntcheck3232bx1.dll" file.
Antivirus
Version
Update
Result
AntiVir
6.33.0.75
01.06.2006
no virus found
Avast
4.6.695.0
01.06.2006
no virus found
AVG
718
01.06.2006
no virus found
Avira
6.33.0.75
01.06.2006
no virus found
BitDefender
7.2
01.08.2006
no virus found
CAT-QuickHeal
8.00
01.05.2006
no virus found
ClamAV
devel-20051123
01.06.2006
no virus found
DrWeb
4.33
01.08.2006
no virus found
eTrust-Iris
7.1.194.0
01.06.2006
no virus found
eTrust-Vet
12.4.1.0
01.06.2006
no virus found
Ewido
3.5
01.08.2006
no virus found
Fortinet
2.54.0.0
01.07.2006
no virus found
F-Prot
3.16c
01.07.2006
no virus found
Ikarus
0.2.59.0
01.05.2006
no virus found
Kaspersky
4.0.2.24
01.08.2006
no virus found
McAfee
4669
01.06.2006
no virus found
NOD32v2
1.1356
01.08.2006
no virus found
Norman
5.70.10
01.06.2006
no virus found
Panda
9.0.0.4
01.08.2006
no virus found
Sophos
4.01.0
01.07.2006
no virus found
Symantec
8.0
01.08.2006
no virus found
TheHacker
5.9.2.069
01.06.2006
no virus found
UNA
1.83
01.06.2006
no virus found
VBA32
3.10.5
01.06.2006
no virus found

This is a report processed by VirusTotal on 01/08/2006 at 15:28:53 (CET) after scanning the file "ntcheck3232bx.dll" file.
Antivirus
Version
Update
Result
AntiVir
6.33.0.75
01.06.2006
no virus found
Avast
4.6.695.0
01.06.2006
no virus found
AVG
718
01.06.2006
no virus found
Avira
6.33.0.75
01.06.2006
no virus found
BitDefender
7.2
01.08.2006
no virus found
CAT-QuickHeal
8.00
01.05.2006
no virus found
ClamAV
devel-20051123
01.06.2006
no virus found
DrWeb
4.33
01.08.2006
no virus found
eTrust-Iris
7.1.194.0
01.06.2006
no virus found
eTrust-Vet
12.4.1.0
01.06.2006
no virus found
Ewido
3.5
01.08.2006
no virus found
Fortinet
2.54.0.0
01.07.2006
no virus found
F-Prot
3.16c
01.07.2006
no virus found
Ikarus
0.2.59.0
01.05.2006
no virus found
Kaspersky
4.0.2.24
01.08.2006
no virus found
McAfee
4669
01.06.2006
no virus found
NOD32v2
1.1356
01.08.2006
no virus found
Norman
5.70.10
01.06.2006
no virus found
Panda
9.0.0.4
01.08.2006
no virus found
Sophos
4.01.0
01.07.2006
no virus found
Symantec
8.0
01.08.2006
no virus found
TheHacker
5.9.2.069
01.06.2006
no virus found
UNA
1.83
01.06.2006
no virus found
VBA32
3.10.5
01.06.2006
no virus found


----------------------------------------------------------------------------------------------------------------------------------------

L2MRemover:

15:15:24 -> WARNING! The program must be stopped and the system re-started before continue...
15:15:32 -> Start scanning procedures...
15:15:32 -> Start checking running tasks...
15:16:26 -> Malware found in memory: guard.tmp,wvwfax.dll, (belonging to category: Look2Me)
15:18:07 -> End of the scan process. Now delete the keys found!!
15:18:32 -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF2D44A9-7F5A-47AB-985D-2CC3C1815765}\InprocServer32\@ deleted!
15:18:32 -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A844B571-4FA4-47CF-84BB-5F8F6393EA2B}\InprocServer32\@ deleted!
15:18:32 -> HKEY_CLASSES_ROOT\CLSID\{BF2D44A9-7F5A-47AB-985D-2CC3C1815765}\InprocServer32\@ deleted!
15:18:32 -> HKEY_CLASSES_ROOT\CLSID\{A844B571-4FA4-47CF-84BB-5F8F6393EA2B}\InprocServer32\@ deleted!
15:18:38 -> Key(s) deleted! Please, reboot the machine now!

----------------------------------------------------------------------------------------------------------------------------------------
l2mfix:

C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 364 'explorer.exe'
.
.
.
Killing PID 364 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2680 'rundll32.exe'
.
.
.
Killing PID 2680 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\guard.tmp
1 Datei(en) kopiert.
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: guard.tmp (188 bytes security) (deflated 5%)
adding: clear.reg (188 bytes security) (deflated 46%)
adding: savedir.ini (188 bytes security) (deflated 3%)
adding: lo2.txt (188 bytes security) (deflated 87%)
adding: sys.txt (188 bytes security) (deflated 59%)
adding: system.txt (188 bytes security) (deflated 71%)
adding: system32.txt (188 bytes security) (deflated 79%)
adding: systemtemp.txt (188 bytes security) (deflated 56%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (deflated 30%)
adding: test3.txt (188 bytes security) (deflated 30%)
adding: test5.txt (188 bytes security) (deflated 30%)
adding: xfind.txt (188 bytes security) (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT-AUTORITŽT\SYSTEM
(IO) ALLOW Full access NT-AUTORITŽT\SYSTEM
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITŽT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITŽT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BF2D44A9-7F5A-47AB-985D-2CC3C1815765}"=-
"{A844B571-4FA4-47CF-84BB-5F8F6393EA2B}"=-
"{4C3DCDA5-C883-4144-931B-FEB6B6F235E7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BF2D44A9-7F5A-47AB-985D-2CC3C1815765}]
[-HKEY_CLASSES_ROOT\CLSID\{A844B571-4FA4-47CF-84BB-5F8F6393EA2B}]
[-HKEY_CLASSES_ROOT\CLSID\{4C3DCDA5-C883-4144-931B-FEB6B6F235E7}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


#6 es muesste wieder alles in Ordnung sein, nicht wahr

da aber der PC noch mit anderer Malware verseucht war:

http://virus-protect.org/multiavtool.html
klicke "3" - McAfee -- es erscheint ein leeres DOS-Fenster.
- man muss eingeben, was gescannt werden soll
- C:\Windows\System32 dann beginnt der Scan, man sollte dann auch scannen lassen:
- C:\Windows
- C:\

kopiere die 3 Scanreporte

---------------------------------------------------------------------------
scanne mit panda und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#7 ok, hier erstmal die ergebnisse von McAfee, Panda dauert noch etwas ;-)

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4669 created Jan 06 2006
Scanning for 169582 viruses, trojans and variants.
Virus Scan Results




01/08/2006 18:38:53


Options:
"C:\WINDOWS\SYSTEM32" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
C:\WINDOWS\SYSTEM32\admdll.dll ... Found potentially unwanted program RemAdm-RemoteAdmin.
C:\WINDOWS\SYSTEM32\kill.exe ... Found potentially unwanted program ProcKill-AN.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\raddrv.dll ... Found potentially unwanted program RemAdm-RemoteAdmin.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\r_server.exe ... Found potentially unwanted program RemAdm-RemoteAdmin.
Scanning C:\WINDOWS\SYSTEM32\*.*
C:\WINDOWS\SYSTEM32\admdll.dll ... Found potentially unwanted program RemAdm-RemoteAdmin.
C:\WINDOWS\SYSTEM32\r_server.exe ... Found potentially unwanted program RemAdm-RemoteAdmin.

A file(s) requires a reboot to complete the repair.
You are recommended to reboot the computer.

Summary report on C:\WINDOWS\SYSTEM32\*.*
File(s)
Total files: ........... 7669
Clean: ................. 7659
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 2
Non-critical Error(s): 1

------------------------------------------------------------------------------------------------

01/08/2006 18:49:03


Options:
"C:\WINDOWS\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
C:\WINDOWS\kill.exe ... Found potentially unwanted program ProcKill-AN.
The file or process has been deleted.
Scanning C:\WINDOWS\*.*
C:\WINDOWS\system32\admdll.dll ... Found potentially unwanted program RemAdm-RemoteAdmin.
C:\WINDOWS\system32\r_server.exe ... Found potentially unwanted program RemAdm-RemoteAdmin.

A file(s) requires a reboot to complete the repair.
You are recommended to reboot the computer.

Summary report on C:\WINDOWS\*.*
File(s)
Total files: ........... 29258
Clean: ................. 29247
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1

------------------------------------------------------------------------------------------------

Scanning C: []
C:\backup.zip\GUARD.TMP ... Found potentially unwanted program Adware-Look2Me.
Scanning C:\*.*
C:\backup.zip\GUARD.TMP ... Found potentially unwanted program Adware-Look2Me.
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\Content.IE5\0DINCT6N\AppWrap[1].exe ... Found potentially unwanted program Adware-NicTech.
The file or process has been deleted.
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\Content.IE5\0PANWHQ7\AppWrap[1].exe\AppWrap[1].exe ... Found the QUrl-3 trojan !!!
The file or process has been deleted.
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G1EV0LIF\AppWrap[1].exe\AppWrap[1].exe ... Found the QUrl-3 trojan !!!
The file or process has been deleted.
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Atari\Civilization III Conquests\Conquests online mit Gamespy Arcade spielen!.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\EA GAMES\Battlefield 2\Battlefield 2 online mit GameSpy Arcade spielen.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\EA GAMES\Battlefield 2 Special Forces\Battlefield 2 Special Forces online mit GameSpy Arcade spielen.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\Dokumente und Einstellungen\Dark-Hawk\Desktop\Radmin.rar\RADMIN VIEWER 3.0.ZIP\RADMIN.EXE ... Found potentially unwanted program RemAdm-RemoteAdmin.
C:\Dokumente und Einstellungen\Dark-Hawk\Lokale Einstellungen\Temporary Internet Files\LLF3KA3B\ESD5QNKC\Offline\i\0000057d.rar\RADMIN VIEWER 3.0.ZIP\RADMIN.EXE ... Found potentially unwanted program RemAdm-RemoteAdmin.
C:\Dokumente und Einstellungen\Dark-Hawk\Startmenü\Programme\GameSpy Arcade\GameSpy Arcade Help.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\Dokumente und Einstellungen\Dark-Hawk\Startmenü\Programme\GameSpy Arcade\GameSpy Arcade Website.url ... Found potentially unwanted program Adware-GameSpyArcade.url.
The file or process has been deleted.
C:\Dokumente und Einstellungen\Dark-Hawk\Startmenü\Programme\GameSpy Arcade\GameSpy.com Gaming's Homepage.url ... Found potentially unwanted program Adware-GameSpyArcade.url.
The file or process has been deleted.
C:\Dokumente und Einstellungen\Dark-Hawk\Startmenü\Programme\GameSpy Arcade\Register GameSpy Arcade.url ... Found potentially unwanted program Adware-GameSpyArcade.url.
The file or process has been deleted.
C:\Programme\GameSpy Arcade\GameSpy Arcade Help.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\Programme\GameSpy Arcade\GameSpy Arcade Website.url ... Found potentially unwanted program Adware-GameSpyArcade.url.
The file or process has been deleted.
C:\Programme\GameSpy Arcade\GameSpy.com Gaming's Homepage.url ... Found potentially unwanted program Adware-GameSpyArcade.url.
The file or process has been deleted.
C:\Programme\GameSpy Arcade\GSAPak.exe ... Found potentially unwanted program Adware-GameSpyArcade.
The file or process has been deleted.
C:\Programme\GameSpy Arcade\pw32.dll ... Found potentially unwanted program Adware-GameSpyArcade.
The file or process has been deleted.
C:\Programme\GameSpy Arcade\Register GameSpy Arcade.url ... Found potentially unwanted program Adware-GameSpyArcade.url.
The file or process has been deleted.
C:\Programme\GameSpy Arcade\Services\_common\PortraitLoader.dll ... Found potentially unwanted program Adware-GameSpyArcade.
The file or process has been deleted.
C:\Programme\Radmin\raddrv.dll ... Found potentially unwanted program RemAdm-RemoteAdmin.
The file or process has been deleted.
C:\Programme\Radmin\r_server.exe ... Found potentially unwanted program RemAdm-RemoteAdmin.
The file or process has been deleted.
C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-1003\Dc21.exe\KILL.EXE ... Found potentially unwanted program ProcKill-AN.
C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-500\Dc1.url ... Found the QUrl-3.url trojan !!!
The file or process has been deleted.
C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-500\Dc2.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-500\Dc3.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-500\Dc4.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-500\Dc54.com ... Found potentially unwanted program Adware-NicTech.
The file or process has been deleted.
C:\WINDOWS\system32\admdll.dll ... Found potentially unwanted program RemAdm-RemoteAdmin.
C:\WINDOWS\system32\r_server.exe ... Found potentially unwanted program RemAdm-RemoteAdmin.

A file(s) requires a reboot to complete the repair.
You are recommended to reboot the computer.

Summary report on C:\*.*
File(s)
Total files: ........... 378108
Clean: ................. 377842
Possibly Infected: ..... 3
Cleaned: ............... 0
Deleted: ............... 24
Non-critical Error(s): 2

#8 erst einmal starte den PC neu, damit der scanner alle gefundenen Dateien loescht.

dann loesche....falls es noch vorhanden ist...
C:\backup.zip
__________
MfG Sabina

rund um die PC-Sicherheit

#9 ok, hab ich gemacht bevor ich panda gestartet hatte.
aber ich bin echt schockiert, die antivirentools wie norton und co. finden ja wirklich vergleichsweise wenig. zum glück bin ich eh grad dabei auf apple umzusteigen, da ist das ja bisher noch recht unkritisch mit viren usw.
panda hat ein viertel meines systems gescannt und hat bisher folgendes gefunden:

Detected Disinfected
Virus 3 3
Spyware 33 0
Hacking Tools and potentially
unwanted tools 2 0

#10 panda zeigt auch den Pfad der Viren an.... (der groesste Teil wird zum Systemrestore gehoeren....)
__________
MfG Sabina

rund um die PC-Sicherheit

#11 ok hier nun der pandascan, da einiges aus den firefox cache stammt hab ich die firefoxdaten wie cookies cache usw schonmal gelöscht.


Incident Status Location

Spyware:Cookie/Paypopup Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.paypopup.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.adtech.de/]
Spyware:Cookie/BurstNet Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.centrport.net/]
Spyware:Cookie/Com.com Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.com.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Yadro Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Bilbo.counted Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[bilbo.counted.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[fe.lea.lycos.de/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[server.iad.liveperson.net/hc/31953349]
Adware:Adware/Look2Me Not disinfected C:\backup.zip[guard.tmp]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\zipxetrc.default\cookies.txt[]
Spyware:Cookie/Paypopup Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\3tr7yvf5.default\cookies.txt[31953349]
Virus:W32/Bugbear Disinfected Persönliche Ordner\Posteingang\Ihre Auktion ist beendet - Artikelnr. 1628423722 (elektronischer fahrtregler jamara hf-40 II)\photo.exe
Virus:W32/Sober.AH.worm Disinfected Persönliche Ordner\Posteingang\Sehr geehrter Ebay-Kunde\Ebay-User32603_RegC.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Disinfected Persönliche Ordner\Posteingang\SMTP Mail gescheitert\Email_text.zip[File-packed_dataInfo.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-1003\Dc12\VundoFix\process.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\RECYCLER\S-1-5-21-299502267-616249376-839522115-1003\Dc21.exe[kill.exe]
Virus:W32/Bugbear Disinfected Persönliche Ordner\Posteingang\Ihre Auktion ist beendet - Artikelnr. 1628423722 (elektronischer fahrtregler jamara hf-40 II)\photo.exe
Dialerialer.Gen Not disinfected Persönliche Ordner\Junk-E-Mail\Dark-hawk, Family sex archive volume 2.1\family-sex-private-archive-click-here.exe
Virus:Trj/Downloader.S Disinfected Persönliche Ordner\Junk-E-Mail\Re: Your balance application\www.usbank.com.stats.personals.balance.pif.pif
Virus:W32/Dumaru.Y.worm Disinfected Persönliche Ordner\Junk-E-Mail\Important information for you. Read it immediately !\ATT00002.txt[myphoto.jpg .exe]
Virus:W32/Sober.E.worm Disinfected Persönliche Ordner\Junk-E-Mail\Hi\Text7501.zip[Graphic_Textdocument.pif]
Potentially unwanted tool:Application/Processor Not disinfected G:\l2mfix\Process.exe

#12 W32/Sober.E.worm ...schau an....
-------------------------------------------
loesche alle "boesen" Cookies unter:
C:\Dokumente und Einstellungen\Dark-Hawk\Anwendungsdaten\Mozilla\Firefox\Profiles\
--------------------------------------------

Zitat

so kann man die Mail restlos aus der Inbox zu entfernen:
1. Mail aus Inbox löschen
2. Mülleimer leeren
3. Inbox komprimieren (Datei-Menü)

Hintergrund: Die gesamte Inbox ist auf der Festplatte als eine einzige Datei abgelegt. Darin stehen alle Mails untereinander, und auch die "gelöschten" Mails bleiben stehen (nur sind sie als gelöscht markiert). Erst durch das Komprimieren werden tatsächlich Teile aus der Datei entfernt.
http://virus-protect.org/artikel/newsletter/deutbkfraud.html

Persönliche Ordner\Posteingang\Ihre Auktion ist beendet - Artikelnr. 1628423722 (elektronischer fahrtregler jamara hf-40 II)\photo.exe

Persönliche Ordner\Posteingang\Sehr geehrter Ebay-Kunde\Ebay-User32603_RegC.zip[File-packed_dataInfo.exe

Persönliche Ordner\Junk-E-Mail\Dark-hawk, Family sex archive volume 2.1\family-sex-private-archive-click-here.exe

Persönliche Ordner\Junk-E-Mail\Re: Your balance application\www.usbank.com.stats.personals.balance.pif.pif

Persönliche Ordner\Junk-E-Mail\Important information for you. Read it immediately !\ATT00002.txt

Persönliche Ordner\Junk-E-Mail\Hi\Text7501.zip
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Ok, vielen dank. jetzt sollte ich erstmal den mist los sein.
kannst du mir ettl. antiviren software empfehlen die wirklich hält was sie verspricht?
norton antivirus 2005 hat mich jedenfallst nicht beschützt...

#14 dark-hawk

bester Schutz: gewisse Seiten meiden

Eingeschränktes Benutzerkonto/Administratorrechte unter Windows
http://virus-protect.org/administrator.html

http://virus-protect.org/ms.html
Microsoft Windows Antispy --> den Guard aktivieren

Kaspersky-Antivirus (ist das beste, was ich derzeit kenne, allerdings solltest du dann den Norton restlos deinstallieren)
http://virus-protect.org/antivirshare.html
manchmal wird das System mit kaspersky langsam...probiere es aus... du hast ja eine Testzeit

Alles Gute fuer dich + PC
__________
MfG Sabina

rund um die PC-Sicherheit