Browser opens uncontrolled pop-ups and the desktop background can no longer be changed

Thread is closed!
#0
26.01.2006, 14:20
...new here

Posts: 9
#1 Hi,
I have the problem that I picked up viruses and/or Trojans and spam software right after formatting...

Now I thought this would be easy to get rid of again and ran Antivir, Kaspersky, Spybot, CounterSpy and Ad-Aware. The spam software has disappeared, but the pop-ups are still giving me trouble and I can no longer change my Windows background.. so I googled and came across this board. I also found a few posts on this topic right away, but somehow they didn't make me any wiser -.- ...

well, now I wanted to ask whether anyone here can help me ...

I created this HijackThis log as described in the post

Logfile of HijackThis v1.99.1
Scan saved at 14:05:31, on 26.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\Thread.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOKUME~1\Standard\LOKALE~1\Temp\Rar$EX00.375\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\t28u0cl9efq.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)

O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

I have also attached some screenshots of my problems in a .zip file

thanks in advance for your help

Darkwarrior

Attachment: Probs.zip
26.01.2006, 16:31
Honorary member

Posts: 29434
#2 Darkwarrior

that is Look2Me, among other things.

Copy the following text into Notepad (Start - Accessories - Notepad) and save it as list.bat on the desktop with 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop. --> double-click list.bat --> copy the text that appears

cd\
dir "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders" >> files.txt
dir "C:\Programme\Gemeinsame Dateien" >> files.txt
notepad files.txt


------------------------------------------------------------------------------

configure CleanUp exactly as shown here:
http://virus-protect.org/cleanup.html

Copy these 4 text files here. They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

Information:
http://virus-protect.org/artikel/spyware/inet20002.html
http://virus-protect.org/artikel/spyware/inet20099.html
__________
Kind regards, Sabina

all about PC security
26.01.2006, 18:41
...new here

Thread starter

Posts: 9
#3 Here is the data:

list.bat:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders

25.01.2006 20:44 <DIR> .
25.01.2006 20:44 <DIR> ..
25.01.2006 20:44 <DIR> 1031
25.01.2006 20:43 <DIR> 1033
14.02.2001 21:45 1.318.912 MSONSEXT.DLL
13.02.2001 00:23 58.784 MSOSV.DLL
20.03.1999 12:46 127.032 MSOWS407.DLL
05.06.1999 05:09 122.937 MSOWS409.DLL
06.08.2000 09:04 401.462 MSVCP60.DLL
22.01.2001 03:25 69.632 PKMAXCTL.DLL
22.01.2001 03:25 872.448 PKMCDO.DLL
22.01.2001 03:25 159.744 PKMCORE.DLL
07.02.2001 09:59 106.496 PKMFORMS.DLL
12.02.2001 04:01 692.224 PKMRES.DLL
22.01.2001 03:25 28.672 PKMSSTLB.DLL
22.01.2001 03:25 40.960 PKMTEMPL.DLL
22.01.2001 03:25 24.576 PKMTRACE.DLL
22.01.2001 03:25 86.016 PKMWS.DLL
22.01.2001 03:25 237.568 PROMDEMO.DLL
22.01.2001 03:25 184.320 SECMGR.DLL
22.01.2001 03:25 323.584 VAIDDMGR.DLL
22.01.2001 03:25 32.768 VAIMEM.DLL
18 Datei(en) 4.888.135 Bytes
4 Verzeichnis(se), 11.818.221.568 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\Programme\Gemeinsame Dateien

25.01.2006 20:47 <DIR> .
25.01.2006 20:47 <DIR> ..
25.01.2006 20:43 <DIR> Designer
25.01.2006 19:47 <DIR> Dienste
25.01.2006 20:13 <DIR> InstallShield
25.01.2006 20:44 <DIR> Microsoft Shared
25.01.2006 19:47 <DIR> MSSoap
25.01.2006 19:41 <DIR> ODBC
25.01.2006 19:41 <DIR> SpeechEngines
25.01.2006 20:42 <DIR> System
25.01.2006 20:06 <DIR> Wise Installation Wizard
0 Datei(en) 0 Bytes
11 Verzeichnis(se), 11.818.221.568 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders

25.01.2006 20:44 <DIR> .
25.01.2006 20:44 <DIR> ..
25.01.2006 20:44 <DIR> 1031
25.01.2006 20:43 <DIR> 1033
14.02.2001 21:45 1.318.912 MSONSEXT.DLL
13.02.2001 00:23 58.784 MSOSV.DLL
20.03.1999 12:46 127.032 MSOWS407.DLL
05.06.1999 05:09 122.937 MSOWS409.DLL
06.08.2000 09:04 401.462 MSVCP60.DLL
22.01.2001 03:25 69.632 PKMAXCTL.DLL
22.01.2001 03:25 872.448 PKMCDO.DLL
22.01.2001 03:25 159.744 PKMCORE.DLL
07.02.2001 09:59 106.496 PKMFORMS.DLL
12.02.2001 04:01 692.224 PKMRES.DLL
22.01.2001 03:25 28.672 PKMSSTLB.DLL
22.01.2001 03:25 40.960 PKMTEMPL.DLL
22.01.2001 03:25 24.576 PKMTRACE.DLL
22.01.2001 03:25 86.016 PKMWS.DLL
22.01.2001 03:25 237.568 PROMDEMO.DLL
22.01.2001 03:25 184.320 SECMGR.DLL
22.01.2001 03:25 323.584 VAIDDMGR.DLL
22.01.2001 03:25 32.768 VAIMEM.DLL
18 Datei(en) 4.888.135 Bytes
4 Verzeichnis(se), 11.855.077.376 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\Programme\Gemeinsame Dateien

25.01.2006 20:47 <DIR> .
25.01.2006 20:47 <DIR> ..
25.01.2006 20:43 <DIR> Designer
25.01.2006 19:47 <DIR> Dienste
25.01.2006 20:13 <DIR> InstallShield
25.01.2006 20:44 <DIR> Microsoft Shared
25.01.2006 19:47 <DIR> MSSoap
25.01.2006 19:41 <DIR> ODBC
25.01.2006 19:41 <DIR> SpeechEngines
25.01.2006 20:42 <DIR> System
25.01.2006 20:06 <DIR> Wise Installation Wizard
0 Datei(en) 0 Bytes
11 Verzeichnis(se), 11.855.073.280 Bytes frei

system32.txt:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\WINDOWS\system32

26.01.2006 18:36 39.291 nvapps.xml
26.01.2006 18:36 235.422 guard.tmp
26.01.2006 18:28 236.804 n28olcl31fq.dll
26.01.2006 14:02 235.422 n08o0al3edq.dll
26.01.2006 13:50 234.060 iyetcplc.dll

25.01.2006 21:53 311.740 perfh009.dat
25.01.2006 21:53 48.354 perfc007.dat
25.01.2006 21:53 316.924 perfh007.dat
25.01.2006 21:53 40.128 perfc009.dat
25.01.2006 21:53 723.744 PerfStringBackup.INI
25.01.2006 21:51 235.898 l8l60i3se8.dll
25.01.2006 21:51 114.968 FNTCACHE.DAT
25.01.2006 20:38 234.325 j4n2le5o1h.dll
25.01.2006 20:37 154 info.txt
25.01.2006 20:37 25.304 msnscps.dll

25.01.2006 19:53 2.206 wpa.dbl
25.01.2006 19:52 386 $winnt$.inf
25.01.2006 19:49 2.951 CONFIG.NT
25.01.2006 19:49 16.832 amcompat.tlb
25.01.2006 19:49 23.392 nscompat.tlb
25.01.2006 19:48 488 WindowsLogon.manifest
25.01.2006 19:48 488 logonui.exe.manifest
25.01.2006 19:48 749 nwc.cpl.manifest
25.01.2006 19:48 749 cdplayer.exe.manifest
25.01.2006 19:48 749 wuaucpl.cpl.manifest
25.01.2006 19:48 749 sapi.cpl.manifest
25.01.2006 19:48 749 ncpa.cpl.manifest
25.01.2006 19:46 21.740 emptyregdb.dat
25.01.2006 19:45 0 h323log.txt
04.01.2006 19:46 2.836.320 MRT.exe
29.12.2005 03:54 280.064 gdi32.dll
01.12.2005 04:31 1.492.480 shdocvw.dll


Temp:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\DOKUME~1\Standard\LOKALE~1\Temp

26.01.2006 18:36 49.152 ~DF700A.tmp
26.01.2006 18:36 32.768 ~DF1A1A.tmp
26.01.2006 18:36 16.384 ~DF29F0.tmp
26.01.2006 18:29 49.152 ~DFF03A.tmp
26.01.2006 18:28 32.768 ~DFA93E.tmp
26.01.2006 18:28 16.384 ~DFAD13.tmp
6 Datei(en) 196.608 Bytes
0 Verzeichnis(se), 11.855.085.568 Bytes frei

Windows:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\WINDOWS

26.01.2006 18:37 573 win.ini
26.01.2006 18:37 278 system.ini
26.01.2006 18:28 358.183 WindowsUpdate.log
26.01.2006 18:28 0 0.log
26.01.2006 18:28 2.048 bootstat.dat
26.01.2006 14:58 2.184 SchedLgU.Txt
26.01.2006 14:58 216 wiadebug.log
26.01.2006 14:13 50 wiaservc.log
26.01.2006 14:01 110.222 ntbtlog.txt
26.01.2006 13:51 26 Lic.xxx
25.01.2006 22:42 0 nsreg.dat

25.01.2006 22:42 107.132 UninstallFirefox.exe
25.01.2006 22:42 2.258 mozver.dat
25.01.2006 21:59 4.268 KB887797.log
25.01.2006 21:49 290.580 iis6.log
25.01.2006 21:49 89.854 comsetup.log
25.01.2006 21:49 52.718 ntdtcsetup.log
25.01.2006 21:49 13.197 ocmsn.log
25.01.2006 21:49 12.448 tabletoc.log
25.01.2006 21:49 1.374 imsins.log
25.01.2006 21:49 111.743 tsoc.log
25.01.2006 21:49 35.867 KB912919.log
25.01.2006 21:49 16.787 MedCtrOC.log
25.01.2006 21:49 41.778 netfxocm.log
25.01.2006 21:49 119.708 ocgen.log
25.01.2006 21:49 11.779 msgsocm.log
25.01.2006 21:49 234.118 FaxSetup.log
25.01.2006 21:49 78.432 msmqinst.log
25.01.2006 21:49 16.880 updspapi.log
25.01.2006 21:49 1.374 imsins.BAK

25.01.2006 21:07 9.519 KB898461.log
25.01.2006 21:07 9.602 KB893803v2.log
25.01.2006 20:52 1.229 wmsetup.log
25.01.2006 20:45 400 ODBC.INI
25.01.2006 20:38 0 winsysupd31.dat
25.01.2006 20:38 43 drsmartload2.dat
25.01.2006 20:37 780 hosts
25.01.2006 20:37 37.592 country.exe
25.01.2006 20:36 0 uniq

25.01.2006 19:57 3.797 Ascd_tmp.ini
25.01.2006 19:53 829 OEWABLog.txt
25.01.2006 19:53 833.678 setuplog.txt
25.01.2006 19:52 8.192 REGLOCS.OLD
25.01.2006 19:52 177.454 setupact.log
25.01.2006 19:49 0 control.ini
25.01.2006 19:49 316.640 WMSysPr9.prx
25.01.2006 19:49 4.161 ODBCINST.INI
25.01.2006 19:48 749 WindowsShell.Manifest
25.01.2006 19:47 1.023 sessmgr.setup.log
25.01.2006 19:46 37 vbaddin.ini
25.01.2006 19:46 36 vb.ini
25.01.2006 19:46 133 DtcInstall.log
25.01.2006 19:45 200 cmsetacl.log
25.01.2006 19:43 0 Sti_Trace.log
25.01.2006 19:41 1.348 regopt.log
25.01.2006 19:41 0 setuperr.log

sys.txt:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\

26.01.2006 18:40 0 sys.txt
26.01.2006 18:39 6.518 system.txt
26.01.2006 18:39 540 systemtemp.txt
26.01.2006 18:37 95.594 system32.txt
26.01.2006 18:37 211 boot.ini
26.01.2006 18:31 2.080 files.txt
26.01.2006 18:28 704.643.072 pagefile.sys
26.01.2006 13:55 0 23990098.$$$
26.01.2006 13:55 4 AVPCallback.log
25.01.2006 22:33 242 messanger.ini
25.01.2006 19:49 0 AUTOEXEC.BAT
25.01.2006 19:49 0 MSDOS.SYS
25.01.2006 19:49 0 CONFIG.SYS
25.01.2006 19:49 0 IO.SYS
27.01.2006, 00:39
Honorary member

Posts: 29434
#4 Darkwarrior

open HijackThis -- "Scan" button -- tick the boxes in front of the malware entries -- "Fix checked" button

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\t28u0cl9efq.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)

---------------------------------------------------------------------

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> tick it
and click the red cross; when asked "Do you want to reboot?" click "no" and paste in the next one, only answer "yes" for the last one
paste in:

C:\WINDOWS\inet20010\services.exe
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\n28olcl31fq.dll
C:\WINDOWS\system32\n08o0al3edq.dll
C:\WINDOWS\system32\iyetcplc.dll
C:\WINDOWS\system32\l8l60i3se8.dll
C:\WINDOWS\system32\j4n2le5o1h.dll
C:\WINDOWS\system32\t28u0cl9efq.dll
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\msnscps.dll
C:\WINDOWS\winsysupd31.dat
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\hosts
C:\WINDOWS\country.exe
C:\WINDOWS\uniq
C:\23990098.$$$

restart the PC

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

delete:
C:\WINDOWS\inet20099

Download win32delfkil.exe:
http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil. Close all windows, open the win32delfkil folder and double click on fix.bat. --> post windelf.txt here

run CleanUp once more

http://virus-protect.org/cleanup.html

Spy Sweeper (trial) --> scan and paste the scan report here
http://virus-protect.org/spysweeper.html
__________
Kind regards, Sabina

all about PC security
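To show how the entries Sabina picks out in #4 can be recognised mechanically in the HijackThis log from #1, here is an added example in Python (not from the thread, not from HijackThis); the allowlist of Windows notification DLLs and the random-name heuristic are this example's assumptions, and the log excerpt is a constructed subset of the posted log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the HijackThis 1.99.1 log from post #1 (the full log is
# in the thread); the R0 Start Page line is a clean entry kept as a control.
HJT_EXCERPT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\t28u0cl9efq.dll
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
"""

# Assumed allowlist: the notification packages visible in the genuine-looking
# subkeys of the L2MFIX dump in post #9. Anything else under O20 deserves a look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}


@dataclass
class Finding:
    section: str    # HijackThis section tag: R0, R1, F3 or O20
    line: str       # the log line as posted
    reason: str     # why it was flagged
    path: str = ""  # file the entry loads, if it names one (quarantine candidate)


def looks_random(filename: str) -> bool:
    """Heuristic for Look2Me-style DLL names: 8-12 characters mixing letters and digits."""
    stem = filename.lower().rsplit(".", 1)[0]
    return (8 <= len(stem) <= 12
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage(log_text: str) -> List[Finding]:
    """Return the R0/R1, F3 and O20 entries a helper would tell the user to fix."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[01]|F3|O20) - (.*)$", line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        if section in ("R0", "R1"):
            # IE start/search settings blanked out are hijacker residue;
            # post #4 lists exactly these lines for "Fix checked".
            if rest.endswith("= about:blank"):
                findings.append(Finding(section, line,
                                        "IE page/search setting reset to about:blank"))
        elif section == "F3":
            # win.ini run= is a legacy autostart that a clean XP leaves empty.
            m2 = re.match(r"REG:win\.ini: run=(.+)$", rest)
            if m2:
                findings.append(Finding(section, line,
                                        "legacy win.ini run= autostart", m2.group(1)))
        else:  # O20 - Winlogon Notify: <subkey> - <dll>[ (file missing)]
            m2 = re.match(r"Winlogon Notify: (.+?) - (.+?)( \(file missing\))?$", rest)
            if not m2:
                continue
            subkey, dll, missing = m2.groups()
            base = dll.rsplit("\\", 1)[-1].lower()
            if missing:
                findings.append(Finding(section, line,
                                        f"Notify subkey '{subkey}' points at missing {base}"))
            elif base not in KNOWN_NOTIFY_DLLS:
                why = "random-looking name" if looks_random(base) else "not a Windows notify DLL"
                findings.append(Finding(section, line,
                                        f"Notify subkey '{subkey}' loads {base} ({why})", dll))
    return findings


def quarantine_list(findings: List[Finding]) -> List[str]:
    """Paths to hand to a deletion tool, the way the KillBox list in post #4 does."""
    return [f.path for f in findings if f.path]


if __name__ == "__main__":
    results = triage(HJT_EXCERPT)
    for f in results:
        print(f"{f.section}: {f.reason}")
    print("quarantine:", quarantine_list(results))
```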
27.01.2006, 11:49
...new here

Thread starter

Posts: 9
#5 windelf.txt:

************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

Notify key
----------

Spy Sweeper:

********
11:28: | Start of Session, Freitag, 27. Januar 2006 |
11:28: Spy Sweeper started
11:28: Sweep initiated using definitions version 606
11:29: Starting Memory Sweep
11:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:31: Memory Sweep Complete, Elapsed Time: 00:01:58
11:31: Starting Registry Sweep
11:31: Found Adware: coolwebsearch (cws)
11:31: HKU\S-1-5-21-1801674531-1957994488-682003330-1003\software\microsoft\internet explorer\keywords\ (17 subtraces) (ID = 109820)
11:31: HKU\S-1-5-21-1801674531-1957994488-682003330-1003\software\microsoft\internet explorer\sites\ (16 subtraces) (ID = 109822)
11:31: Found Trojan Horse: komforochka smtp relay
11:31: HKU\S-1-5-21-1801674531-1957994488-682003330-1003\software\microsoft\internet explorer\keywords\ (17 subtraces) (ID = 1035782)
11:31: Registry Sweep Complete, Elapsed Time:00:00:09
11:31: Starting Cookie Sweep
11:31: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:31: Starting File Sweep
11:31: aa219dc4-702a-4318-86b4-77e09a (ID = 220754)
11:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:31: Found Adware: look2me
11:31: guard.tmp (ID = 159)
11:31: iyetcplc.dll (ID = 159)
11:31: kqduk.dll (ID = 159)
11:31: k0080adued080.dll (ID = 159)
11:31: guard.tmp (ID = 159)
11:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:32: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:32: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:33: ir22l5fo1.dll (ID = 159)
11:33: l8l60i3se8.dll (ID = 159)
11:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:34: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:34: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:34: j4n2le5o1h.dll (ID = 159)
11:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:35: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:36: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\sfdb.dat:kavichs". Zugriff verweigert
11:36: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\policy\policy.dat:kavichs". Zugriff verweigert
11:36: Warning: Failed to open file "c:\dokumente und einstellungen\standard\anwendungsdaten\mozilla\firefox\profiles\090kiod8.default\cookies.txt:kavichs". Zugriff verweigert
11:37: File Sweep Complete, Elapsed Time: 00:06:02
11:37: Full Sweep has completed. Elapsed time 00:08:19
11:37: Traces Found: 62
11:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:37: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:37: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:38: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:39: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:39: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:40: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:41: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:43: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:44: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:45: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:46: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:47: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:47: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
11:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
11:48: Removal process initiated
11:48: Quarantining All Traces: komforochka smtp relay
11:48: Quarantining All Traces: look2me
11:48: look2me is in use. It will be removed on reboot.
11:48: kqduk.dll is in use. It will be removed on reboot.
11:48: k0080adued080.dll is in use. It will be removed on reboot.
11:48: ir22l5fo1.dll is in use. It will be removed on reboot.
11:48: Quarantining All Traces: coolwebsearch (cws)
11:48: Removal process completed. Elapsed time 00:00:32
********
11:28: | Start of Session, Freitag, 27. Januar 2006 |
11:28: Spy Sweeper started
11:28: Your spyware definitions have been updated.
11:28: | End of Session, Freitag, 27. Januar 2006 |
27.01.2006, 15:12
Honorary member

Posts: 29434
#6 scan with Panda and post the scan report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security
28.01.2006, 13:35
...new here

Thread starter

Posts: 9
#7 Incident Status Location

Adware:adware/cws.yexe Not disinfected C:\messanger.ini
Spyware:Cookie/2o7.net Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@2o7[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.adtech.de/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/Zedo Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.rn11.com/]
Spyware:Cookie/Adtech Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[]
Spyware:Cookie/2o7.net Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@2o7[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1801674531-1957994488-682003330-1003\Dc14\Process.exe
28.01.2006, 15:25
Honorary member

Posts: 29434
#8 delete:
C:\messanger.ini
cws.yexe

L2MFix --> paste the log from option 1 here
http://virus-protect.org/l2mfix.html
__________
Kind regards, Sabina

all about PC security
31.01.2006, 21:58
...new here

Thread starter

Posts: 9
#9 L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir22l5fo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{63996F04-BBAB-6D07-768D-ABAF9DB01B28}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften für Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite für Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitätsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung für Datenträgerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen für Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen für die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung für Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmenü für die Verschlüsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung für HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen für Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknüpfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmenü"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausführen..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Eigenschaftenseite für vorherige Versionen"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Vorherige Versionen"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begrüßungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzügen über das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknüpfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"="TuneUp Shredder Shell Context Menu Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}"=""
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}"=""
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{122D3A91-C9BD-4CE7-B772-0B03E76C522D}"=""
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}\InprocServer32]
@="C:\\WINDOWS\\system32\\sesbkup.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqduk.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}\InprocServer32]
@="C:\\WINDOWS\\system32\\iyetcplc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Thu 24 Nov 2005 0:58:28 A.... 1.022.464 998,50 K
danim.dll Sat 5 Nov 2005 4:16:24 A.... 1.056.256 1,00 M
gdi32.dll Thu 29 Dec 2005 3:54:38 A.... 280.064 273,50 K
mshtml.dll Thu 24 Nov 2005 0:58:28 A.... 3.013.632 2,87 M
shdocvw.dll Thu 1 Dec 2005 4:31:06 A.... 1.492.480 1,42 M
urlmon.dll Sat 5 Nov 2005 4:16:28 A.... 606.208 592,00 K

6 items found: 6 files, 0 directories.
Total of file sizes: 7.471.104 bytes 7,13 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: D482-698B

Verzeichnis von C:\WINDOWS\System32

28.01.2006 13:40 <DIR> dllcache
25.01.2006 19:52 <DIR> Microsoft
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 11.607.703.552 Bytes frei
01.02.2006, 00:25
Honorary member

Posts: 29434
#10 Darkwarrior

now work through Option 2 and post the scan report after the restart and scan ;)

+

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts', press 'OK' and exit the program.
__________
Best regards, Sabina

all about PC security
01.02.2006, 13:56
...new here

Thread starter

Posts: 9
#11 L2mfix 010406
Creating Account.
Der Befehl wurde erfolgreich ausgeführt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 640 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 728 'winlogon.exe'
Killing PID 728 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 584 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1040 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir22l5fo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}\InprocServer32]
@="C:\\WINDOWS\\system32\\sesbkup.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqduk.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}\InprocServer32]
@="C:\\WINDOWS\\system32\\iyetcplc.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}"=-
"{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}"=-
"{122D3A91-C9BD-4CE7-B772-0B03E76C522D}"=-
[-HKEY_CLASSES_ROOT\CLSID\{7F4AE98E-2F18-4B9C-A29F-701E7ABF3519}]
[-HKEY_CLASSES_ROOT\CLSID\{7E2D5B5D-8252-4392-A4B4-DF81E6943BDF}]
[-HKEY_CLASSES_ROOT\CLSID\{122D3A91-C9BD-4CE7-B772-0B03E76C522D}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/122D3A91-C9BD-4CE7-B772-0B03E76C522D.reg (212 bytes security) (deflated 70%)
adding: backregs/7E2D5B5D-8252-4392-A4B4-DF81E6943BDF.reg (212 bytes security) (deflated 70%)
adding: backregs/7F4AE98E-2F18-4B9C-A29F-701E7ABF3519.reg (212 bytes security) (deflated 69%)
adding: backregs/notibac.reg (188 bytes security) (deflated 87%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)
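Both L2MFix logs above export the Winlogon\Notify key, where the stock Windows packages reference a bare DLL name (some written as a hex(2) REG_EXPAND_SZ) while the "Group Policy" entry points at a full path to an oddly named DLL in system32. The following is an added example, not code from the thread or from L2MFix: a small parser for that export format plus a check that flags any package whose DllName is an explicit path or not in an assumed allow-list of Windows XP notify DLLs (the list and the shortened sample export are constructed from the entries posted above).

```python
"""Parse a Winlogon\\Notify .reg export and flag notification packages whose
DllName is not a stock Windows notify DLL. Added example, not from the thread."""
import re

# Assumption: notification DLLs that ship with Windows XP, taken from the
# packages visible in the posted export (crypt32chain, cryptnet, cscdll,
# ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
}

# Constructed sample: a shortened copy of the posted export, keeping one
# hex(2) value, one quoted value and the suspicious "Group Policy" entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir22l5fo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Impersonate"=dword:00000001
"""


def decode_hex2(payload: str) -> str:
    """Decode a REG_EXPAND_SZ written as hex(2):xx,xx,... (UTF-16-LE bytes)."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> dict:
    """Return {subkey: {value_name: value}} for every Notify\\<subkey> key."""
    # Re-join hex values that regedit wraps with a trailing backslash.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            parts = key.group(1).rsplit("\\Notify\\", 1)
            current = parts[1] if len(parts) == 2 else None
            if current is not None:
                keys[current] = {}
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if not val or current is None:
            continue
        name, data = val.group(1), val.group(2)
        if data.startswith("hex(2):"):
            data = decode_hex2(data[len("hex(2):"):])
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")  # un-escape .reg backslashes
        keys[current][name] = data
    return keys


def suspicious_notify_entries(keys: dict) -> list:
    """Flag packages for review whose DllName is an explicit path (stock entries
    use a bare name resolved from system32) or is not a known notify DLL."""
    hits = []
    for subkey, values in keys.items():
        dll = values.get("DllName") or values.get("DLLName")  # both spellings occur
        if dll is None:
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll or base not in KNOWN_NOTIFY_DLLS:
            hits.append((subkey, dll))
    return hits


def scan_sample() -> list:
    """Run the check over the constructed sample export."""
    return suspicious_notify_entries(parse_notify_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for subkey, dll in scan_sample():
        print(f"review Winlogon\\Notify\\{subkey}: DllName = {dll}")
```

Third-party notify packages such as the WRNotifier entry in the full export would also be reported by this allow-list check, which is why the result is a review list rather than a verdict.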
01.02.2006, 14:53
Honorary member

Posts: 29434
#12 Darkwarrior

scan with Spysweeper (trial) and post the scan report
http://virus-protect.org/spysweeper.html
__________
Best regards, Sabina

all about PC security
04.02.2006, 13:05
...new here

Thread starter

Posts: 9
#13 ********
12:55: | Start of Session, Samstag, 4. Februar 2006 |
12:55: Spy Sweeper started
12:55: Sweep initiated using definitions version 611
12:55: Starting Memory Sweep
12:58: Memory Sweep Complete, Elapsed Time: 00:02:20
12:58: Starting Registry Sweep
12:58: Found Adware: dollarrevenue
12:58: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
12:58: Registry Sweep Complete, Elapsed Time:00:00:13
12:58: Starting Cookie Sweep
12:58: Found Spy Cookie: 2o7.net cookie
12:58: standard@2o7[1].txt (ID = 1957)
12:58: Found Spy Cookie: yieldmanager cookie
12:58: standard@ad.yieldmanager[1].txt (ID = 3751)
12:58: Found Spy Cookie: atwola cookie
12:58: standard@atwola[1].txt (ID = 2255)
12:58: Found Spy Cookie: belnk cookie
12:58: standard@belnk[1].txt (ID = 2292)
12:58: standard@dist.belnk[2].txt (ID = 2293)
12:58: Found Spy Cookie: realmedia cookie
12:58: standard@realmedia[2].txt (ID = 3235)
12:58: Found Spy Cookie: zedo cookie
12:58: standard@zedo[1].txt (ID = 3762)
12:58: Cookie Sweep Complete, Elapsed Time: 00:00:02
12:58: Starting File Sweep
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.i0000:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.i0001:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.i0100:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.i0101:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.i0200:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.i0201:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.reph:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.repi:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\reports\rptmngbak.rept:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\all users\anwendungsdaten\kaspersky anti-virus personal pro\5.0\sfdb.dat:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\standard\lokale einstellungen\anwendungsdaten\mozilla\firefox\profiles\090kiod8.default\cache\bf318600d01:kavichs". Zugriff verweigert
13:02: Warning: Failed to open file "c:\dokumente und einstellungen\standard\lokale einstellungen\temp\acr22.tmp:kavichs". Zugriff verweigert
13:03: File Sweep Complete, Elapsed Time: 00:04:56
13:03: Full Sweep has completed. Elapsed time 00:07:35
13:03: Traces Found: 9
13:05: Removal process initiated
13:05: Quarantining All Traces: dollarrevenue
13:05: Quarantining All Traces: 2o7.net cookie
13:05: Quarantining All Traces: atwola cookie
13:05: Quarantining All Traces: belnk cookie
13:05: Quarantining All Traces: realmedia cookie
13:05: Quarantining All Traces: yieldmanager cookie
13:05: Quarantining All Traces: zedo cookie
13:05: Removal process completed. Elapsed time 00:00:03
********
12:54: | Start of Session, Samstag, 4. Februar 2006 |
12:54: Spy Sweeper started
12:55: Your spyware definitions have been updated.
12:55: | End of Session, Samstag, 4. Februar 2006 |
04.02.2006, 15:22
Honorary member

Posts: 29434
#14 Darkwarrior

* My Computer --> right-click, then Properties ---> System Restore tab ---> tick 'Turn off System Restore on all drives'.
http://virus-protect.org/systemwiederherstellung.html
(reactivate it after the cleanup)

* search for: C:\!KillBox
and delete all files located there manually

* scan with Panda and copy the scan report
http://virus-protect.org/onlinescan.html
__________
Best regards, Sabina

all about PC security
05.02.2006, 17:10
...new here

Thread starter

Posts: 9
#15 Incident Status Location

Spyware:Cookie/2o7.net Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@2o7[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@zedo[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[fe.lea.lycos.de/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Adtech Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Bfast Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/Zedo Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.rn11.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[]
Spyware:Cookie/2o7.net Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@2o7[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@zedo[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Standard\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\Cache\C16DFCFBd01[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\l2mfix\l2mfix\Process.exe
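The Panda report in post #15 is almost entirely tracking cookies; the only rows that point at an executable are the three Application/Processor entries, and their locations show it is the same Process.exe (once in the Firefox cache, once inside l2mfix.exe, once unpacked under C:\l2mfix). When a scanner dumps twenty-odd findings in one flat list, the rows that actually need a decision get buried, so the script below triages such a report mechanically. It is an added example, not code from the poster, this forum or Panda: it assumes the three-column Incident / Status / Location layout shown above and the status strings "Not disinfected", "Disinfected", "Deleted" and "Renamed"; the embedded sample is a constructed excerpt modelled on the report in post #15, including its duplicated 2o7.net row.

```python
"""Triage a Panda ActiveScan-style report: separate tracking cookies from
executables so the findings that matter are not buried in cookie noise."""
import re
from collections import Counter

# Status strings assumed for this example. "Not disinfected" must be listed
# before "Disinfected" so the alternation cannot match the shorter word
# inside the longer one.
STATUSES = ("Not disinfected", "Disinfected", "Deleted", "Renamed")

# One report row: "<category>:<family> <status> <location>".
# family is matched lazily so names with spaces ("Cookie/Atlas DMT") still
# parse: the regex only stops at a whitespace run followed by a known status.
_ROW = re.compile(
    r"^(?P<category>[^:]+):(?P<family>.+?)\s+"
    r"(?P<status>" + "|".join(re.escape(s) for s in STATUSES) + r")\s+"
    r"(?P<location>.+)$"
)

# Cookie locations: IE's per-user Cookies folder, or an entry inside
# Firefox's cookies.txt written as cookies.txt[<host>/].
_COOKIE_PATH = re.compile(r"\\Cookies\\|cookies\.txt\[", re.IGNORECASE)
# Executables, including one reported inside a container as archive[inner.exe].
_EXE_PATH = re.compile(r"\.exe\]?$", re.IGNORECASE)

# Constructed excerpt modelled on the report posted above (not the full report).
SAMPLE_REPORT = r"""Incident Status Location
Spyware:Cookie/2o7.net Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Dokumente und Einstellungen\Standard\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Dokumente und Einstellungen\Standard\Cookies\standard@2o7[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Standard\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\090kiod8.default\Cache\C16DFCFBd01[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\l2mfix\l2mfix\Process.exe
"""


def parse_report(text):
    """Return one dict per incident row; the header and blank lines are skipped.
    A row that does not fit the assumed layout raises instead of being
    silently dropped, so a format change cannot hide findings."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Incident"):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        rows.append(m.groupdict())
    return rows


def classify(row):
    """'cookie' for tracking cookies, 'executable' for anything whose location
    ends in .exe (also inside a container), 'other' for everything else."""
    if row["family"].startswith("Cookie/") or _COOKIE_PATH.search(row["location"]):
        return "cookie"
    if _EXE_PATH.search(row["location"]):
        return "executable"
    return "other"


def triage(text):
    """Parse a report, drop exact duplicate rows (same family and location),
    count each kind, and return the non-cookie rows that need a decision."""
    seen = set()
    summary = Counter()
    attention = []
    for row in parse_report(text):
        key = (row["family"], row["location"])
        if key in seen:
            summary["duplicate"] += 1
            continue
        seen.add(key)
        kind = classify(row)
        summary[kind] += 1
        if kind != "cookie":
            attention.append(row)
    return summary, attention


if __name__ == "__main__":
    summary, attention = triage(SAMPLE_REPORT)
    print("summary:", dict(summary))
    for row in attention:
        print(f"{row['category']}: {row['family']} [{row['status']}] -> {row['location']}")
```

On the constructed sample the summary is three cookies, three executables and one duplicate, and the attention list holds only the three Process.exe rows; the cookie rows can be cleared by deleting the browser's cookie store, which is the reason they are separated from findings that warrant looking at a file.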