Trojan/virus creates win**.tmp.exe files - consequence: system overload

Topic is closed!
16.08.2006, 13:17
Honorary member
Sabina

Posts: 29434
#121 LaLaLand

create a new .bat file and post the text

Quote

cd\
dir "C:\Programme\Livemfcdroad" >>files.txt
dir "C:\Programme\Accoona" >>files.txt
dir "C:\Programme\ToolBar888" >>files.txt
dir "C:\Programme\NewDotNet" >>files.txt
dir "C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe" >>files.txt
dir "C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad" >>files.txt
dir "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Show sect stupid anti" >>files.txt
notepad files.txt

__________
Regards, Sabina

all about PC security
16.08.2006, 13:51
...new here

Posts: 8
#122 Verzeichnis von C:\Programme\Livemfcdroad

09.08.2006 04:16 <DIR> .
09.08.2006 04:16 <DIR> ..
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 12.925.108.224 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Programme\Accoona

10.07.2005 23:32 <DIR> .
10.07.2005 23:32 <DIR> ..
03.05.2005 17:38 118.524 quiesce.exe
1 Datei(en) 118.524 Bytes
2 Verzeichnis(se), 12.925.108.224 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Programme\ToolBar888

06.08.2006 23:32 <DIR> .
06.08.2006 23:32 <DIR> ..
08.06.2006 17:00 45.056 Activate.exe
13.06.2006 17:00 114.688 MyToolBar.dll
06.08.2006 23:32 34.950 Uninst.exe
3 Datei(en) 194.694 Bytes
2 Verzeichnis(se), 12.925.108.224 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Programme\NewDotNet

04.10.2005 03:02 <DIR> .
04.10.2005 03:02 <DIR> ..
04.10.2005 03:01 167.936 newdotnet3_88.dll
1 Datei(en) 167.936 Bytes
2 Verzeichnis(se), 12.925.108.224 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe

09.08.2006 04:17 <DIR> .
09.08.2006 04:17 <DIR> ..
09.08.2006 04:18 15.526 bits plan.exe
1 Datei(en) 15.526 Bytes
2 Verzeichnis(se), 12.925.108.224 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad

16.08.2006 11:10 <DIR> .
16.08.2006 11:10 <DIR> ..
09.08.2006 04:17 368.586 cfibqyzy.exe
05.01.2006 19:06 365.958 ddodfrag.exe
09.08.2006 04:18 62.570 four setup ref program.exe
23.03.2006 23:21 365.959 fxivkxpr.exe
09.08.2006 04:18 10.498 isomodescr.exe
22.05.2006 15:52 368.586 ppjojoox.exe
05.08.2006 15:08 368.586 qebyahfd.exe
21.05.2006 12:09 368.586 snoefjms.exe
8 Datei(en) 2.279.329 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Show sect stupid anti

16.08.2006 12:34 <DIR> .
16.08.2006 12:34 <DIR> ..
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Programme\Livemfcdroad

09.08.2006 04:16 <DIR> .
09.08.2006 04:16 <DIR> ..
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Programme\Accoona

10.07.2005 23:32 <DIR> .
10.07.2005 23:32 <DIR> ..
03.05.2005 17:38 118.524 quiesce.exe
1 Datei(en) 118.524 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Programme\ToolBar888

06.08.2006 23:32 <DIR> .
06.08.2006 23:32 <DIR> ..
08.06.2006 17:00 45.056 Activate.exe
13.06.2006 17:00 114.688 MyToolBar.dll
06.08.2006 23:32 34.950 Uninst.exe
3 Datei(en) 194.694 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Programme\NewDotNet

04.10.2005 03:02 <DIR> .
04.10.2005 03:02 <DIR> ..
04.10.2005 03:01 167.936 newdotnet3_88.dll
1 Datei(en) 167.936 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe

09.08.2006 04:17 <DIR> .
09.08.2006 04:17 <DIR> ..
09.08.2006 04:18 15.526 bits plan.exe
1 Datei(en) 15.526 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad

16.08.2006 11:10 <DIR> .
16.08.2006 11:10 <DIR> ..
09.08.2006 04:17 368.586 cfibqyzy.exe
05.01.2006 19:06 365.958 ddodfrag.exe
09.08.2006 04:18 62.570 four setup ref program.exe
23.03.2006 23:21 365.959 fxivkxpr.exe
09.08.2006 04:18 10.498 isomodescr.exe
22.05.2006 15:52 368.586 ppjojoox.exe
05.08.2006 15:08 368.586 qebyahfd.exe
21.05.2006 12:09 368.586 snoefjms.exe
8 Datei(en) 2.279.329 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Show sect stupid anti

16.08.2006 12:34 <DIR> .
16.08.2006 12:34 <DIR> ..
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 12.925.104.128 Bytes frei
16.08.2006, 14:27
Honorary member
Sabina

Posts: 29434
#123 LaLaLand

1.
Make hidden and system files visible
http://virus-protect.org/invisible.html

2.
LSPfix
http://www.spychecker.com/program/lspfix.html
- tick: "I know what Im doing" -- Remove
- and delete newdotnet3_88.dll (you may have to move the dll from left to right)

3.
spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> unzip to the desktop -> spyfalcon.reg -> double-click and merge into the registry with "ja/yes"

3.1. apply Vundofix
http://virus-protect.org/artikel/tools/vundofixx.html

4.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

registry keys to delete:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\new.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net
HKEY_LOCAL_MACHINE\software\new.net
HKEY_CURRENT_USER\Software\New.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winemx32

Files to delete:

C:\WINDOWS\tasks\985C0F89931FD9B9.job
C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\11xp4yto.exe
C:\WINDOWS\system32\ATPartners.dll
C:\WINDOWS\TEMP\win4.tmp.exe
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\cool.exe
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\iifccyy.dll
C:\WINDOWS\system32\winemx32.dll
C:\Programme\Gemeinsame Dateien\{EC6ABA6F-0A71-1031-0816-020208060031}\services.dll
C:\WINDOWS\Temp\winB.tmp
C:\WINDOWS\Temp\winD.tmp
C:\Programme\Accoona\quiesce.exe
C:\Programme\ToolBar888\Activate.exe
C:\Programme\ToolBar888\MyToolBar.dll
C:\Programme\ToolBar888\Uninst.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe\bits plan.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\cfibqyzy.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\ddodfrag.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\four setup ref program.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\fxivkxpr.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\isomodescr.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\ppjojoox.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\qebyahfd.exe
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\snoefjms.exe

Click the green traffic light
the script will now run, then the PC will restart automatically

**
post the Avenger log that appears after the restart

5.
open HijackThis -- button "scan" -- tick the malware entries -- button "Fix checked" -- restart the PC

Quote

O4 - HKCU\..\Run: [boneshow] C:\DOKUME~1\Admin\ANWEND~1\LIVEMF~1\FileVga.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNfox000

6.
restart the PC (into safe mode) --> press F8 while the PC is booting
this is necessary because the files cannot be deleted in normal mode.

delete

C:\Programme\WeatherCast
C:\Programme\NewDotNet
C:\Programme\ToolBar888
C:\Programme\Accoona
C:\Programme\Livemfcdroad
C:\Programme\Gemeinsame Dateien\{EC6ABA6F-0A71-1031-0816-020208060031}
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Show sect stupid anti

7.
boot back into normal mode


8.
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives". (then turn it back on)

9.
Counterspy --> deletes the registry entries of MessengerPlus! 3 and Netpumper
http://virus-protect.org/counterspy.html
after the scan you have to choose:
*Remove

post the scan report

+
post the 1st log from Datfindbat again
16.08.2006, 20:03
...new here

Posts: 8
#124 re 1. already done

re 2. done

re 3. done

re 4. done

re 5.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\New.net


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pxkpvrbf

*******************

Script file located at: \??\C:\eyjvbrio.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\tasks\985C0F89931FD9B9.job deleted successfully.


File C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\11xp4yto.exe not found!
Deletion of file C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\11xp4yto.exe failed!

Could not process line:
C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\11xp4yto.exe
Status: 0xc0000034

File C:\WINDOWS\system32\ATPartners.dll deleted successfully.


File C:\WINDOWS\TEMP\win4.tmp.exe not found!
Deletion of file C:\WINDOWS\TEMP\win4.tmp.exe failed!

Could not process line:
C:\WINDOWS\TEMP\win4.tmp.exe
Status: 0xc0000034



File C:\WINDOWS\system32\tttss.ini not found!
Deletion of file C:\WINDOWS\system32\tttss.ini failed!

Could not process line:
C:\WINDOWS\system32\tttss.ini
Status: 0xc0000034



File C:\WINDOWS\system32\tttss.bak2 not found!
Deletion of file C:\WINDOWS\system32\tttss.bak2 failed!

Could not process line:
C:\WINDOWS\system32\tttss.bak2
Status: 0xc0000034

File C:\WINDOWS\system32\mcrh.tmp deleted successfully.
File C:\WINDOWS\system32\cool.exe deleted successfully.


File C:\WINDOWS\system32\tttss.bak1 not found!
Deletion of file C:\WINDOWS\system32\tttss.bak1 failed!

Could not process line:
C:\WINDOWS\system32\tttss.bak1
Status: 0xc0000034



File C:\WINDOWS\system32\ssttt.dll not found!
Deletion of file C:\WINDOWS\system32\ssttt.dll failed!

Could not process line:
C:\WINDOWS\system32\ssttt.dll
Status: 0xc0000034

File C:\WINDOWS\system32\iifccyy.dll deleted successfully.
File C:\WINDOWS\system32\winemx32.dll deleted successfully.
File C:\Programme\Gemeinsame Dateien\{EC6ABA6F-0A71-1031-0816-020208060031}\services.dll deleted successfully.
File C:\WINDOWS\Temp\winB.tmp deleted successfully.
File C:\WINDOWS\Temp\winD.tmp deleted successfully.
File C:\Programme\Accoona\quiesce.exe deleted successfully.
File C:\Programme\ToolBar888\Activate.exe deleted successfully.
File C:\Programme\ToolBar888\MyToolBar.dll deleted successfully.
File C:\Programme\ToolBar888\Uninst.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe\bits plan.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\cfibqyzy.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\ddodfrag.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\four setup ref program.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\fxivkxpr.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\isomodescr.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\ppjojoox.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\qebyahfd.exe deleted successfully.
File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\snoefjms.exe deleted successfully.


Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\new.net not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\new.net failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\new.net not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\new.net failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttt not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttt failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winemx32 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

re 6. done

Only C:\Programme\WeatherCast ... did not exist.

re 7. done

re 8. done

re 9.

Spyware Scan Details
Start Date: 16.08.2006 19:03:28
End Date: 16.08.2006 19:50:34
Total Time: 47 mins 6 secs

Detected spyware

C2.Lop Hijacker
Details: Lop is a group of spyware and hijacker programs that set your Internet Explorer start page and search features to use the site lop.com ('Live Online Portal') or one of its clone sites.
Status: Quarantined

Infected files detected
c:\programme\adverts


war*hier nicht!* P2P P2P Program
Details: war*hier nicht!* P2P is a file sharing program that allows the user to participate in online file sharing networks.
Status: Ignored

Infected files detected
c:\programme\sp2 connection patcher\inst.log
c:\programme\sp2 connection patcher\readme.txt
c:\programme\sp2 connection patcher\uninstall.exe

Infected registry entries detected
HKEY_CLASSES_ROOT\war*hier nicht!*
HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!* protocol
HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol
HKEY_CLASSES_ROOT\war*hier nicht!*
HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!* Of1
HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol
HKEY_CLASSES_ROOT\war*hier nicht!*
HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!* Of2
HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol
HKEY_CLASSES_ROOT\war*hier nicht!*
HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!*_Query protocol
HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol


IEPlugin Adware (General)
Details: IEPlugin is an IE Browser Helper Object that monitors site addresses, content entered into forms, and even local filenames browsed, and pops up advertisements when it sees a targeted keyword.
Status: Quarantined

Infected files detected
c:\windows\extract.exe


StartPage.TimesSquare Hijacker
Details: StartPage.TimesSquare hijacks the IE start page and search pages and displays ads.
Status: Quarantined

Infected files detected
c:\windows\teller2.chk


Deskwizz/ZQuest Browser Plug-in
Details: Deskwizz/ZQuest is an adware application that tracks the user's browsing in order to display targeted advertising on the desktop.
Status: Quarantined

Infected files detected
c:\windows\dh.ini


DollarRevenue Adware (General)
Details: DollarRevenue is an adware program that spawns pop-up advertising on the desktop and downloads other adware.
Status: Quarantined

Infected files detected
c:\windows\newname.dat


Messenger Plus! Adware Bundler
Details: Messenger Plus! is a add-on for MSN Messenger. Messenger Plus! installs an OPTIONAL adware called C2Media which is also known as LOP.com.
Status: Deleted

Infected files detected
E:\Programme\Messenger Plus! Live\Detoured.dll
E:\Programme\Messenger Plus! Live\Events Style Sheet.xsl
E:\Programme\Messenger Plus! Live\lame_enc.dll
E:\Programme\Messenger Plus! Live\libsndfile.dll
E:\Programme\Messenger Plus! Live\Log Viewer.exe
E:\Programme\Messenger Plus! Live\MPScripts.dll
E:\Programme\Messenger Plus! Live\MPTools.exe
E:\Programme\Messenger Plus! Live\MsgPlusLive.dll
E:\Programme\Messenger Plus! Live\MsgPlusLiveRes.dll

Infected registry entries detected


VX2.Transponder Browser Plug-in
Details: VX2 is an Internet Explorer Browser Helper Object that monitors web page requests and data entered into forms, sending this information to its home server, and opens pop-up advertisement windows. VX2 also collects and sends personal information.
Status: Quarantined

Infected registry entries detected
HKEY_CLASSES_ROOT\f1.organizer.1
HKEY_CLASSES_ROOT\f1.organizer.1\CLSID {00000EF1-0786-4633-87C6-1AA7A44296DA}
HKEY_CLASSES_ROOT\f1.organizer.1 F1 Organizer Class
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\0\win32 C:\WINDOWS\system32\ATPartners.dll
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\HELPDIR C:\WINDOWS\system32\
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0 Favorite 1.0 Type Library
HKEY_CLASSES_ROOT\f1.organizer
HKEY_CLASSES_ROOT\f1.organizer\CLSID {00000EF1-0786-4633-87C6-1AA7A44296DA}
HKEY_CLASSES_ROOT\f1.organizer\CurVer F1.Organizer.1
HKEY_CLASSES_ROOT\f1.organizer F1 Organizer Class


BearShare P2P Program
Details: BearShare is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Ignored

Infected registry entries detected
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 e:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR e:\Programme\BearShare\
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InProcServer32 %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InProcServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} &Links
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} MenuTextPUI @browselc.dll,-13138
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} hTBJOaq


FavoriteMan Browser Plug-in
Details: FavoriteMan is an Internet Explorer Browser Helper Object (BHO) that intermittently connects to its controlling servers which may direct it to download and install other programs and add entries to the IE Favorites menu or background Desktop.
Status: Quarantined

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}
HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\InprocServer32 C:\WINDOWS\system32\ATPART~1.DLL
HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\ProgID F1.Organizer.1
HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\TypeLib {EF100007-F409-426a-9E7C-CB211F2A9786}
HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\VersionIndependentProgID F1.Organizer
HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da} F1 Organizer Class
HKEY_CLASSES_ROOT\f1.organizer\clsid
HKEY_CLASSES_ROOT\f1.organizer\clsid {00000EF1-0786-4633-87C6-1AA7A44296DA}
HKEY_CLASSES_ROOT\f1.organizer\curver
HKEY_CLASSES_ROOT\f1.organizer\curver F1.Organizer.1
HKEY_CLASSES_ROOT\f1.organizer
HKEY_CLASSES_ROOT\f1.organizer\CLSID {00000EF1-0786-4633-87C6-1AA7A44296DA}
HKEY_CLASSES_ROOT\f1.organizer\CurVer F1.Organizer.1
HKEY_CLASSES_ROOT\f1.organizer F1 Organizer Class
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000ef1-0786-4633-87c6-1aa7a44296da}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000ef1-0786-4633-87c6-1aa7a44296da} NoExplorer 1


My Way Speedbar Potentially Unwanted Program
Details: MyWay Speedbar is a search toolbar that installs into Internet Explorer and Netscape Navigator, adding search functions and popup blocking.
Status: Ignored

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}


DownloadWare Adware (General)
Details: DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control.
Status: Quarantined

Infected registry entries detected
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\0\win32 C:\WINDOWS\system32\ATPartners.dll
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\HELPDIR C:\WINDOWS\system32\
HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0 Favorite 1.0 Type Library


WhenU.Save Adware (General) more information...
Details: WhenU.SaveNow is an adware application that displays pop-up advertising on the desktop in response to users' web browsing.
Status: Quarantined

Infected registry entries detected
HKEY_CLASSES_ROOT\wusn.1
HKEY_CLASSES_ROOT\wusn.1 WUSN_Id
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97} ILoader


EUniverse Updater Hijacker more information...
Details: EUniverse is an adware program that runs at startup, generates popup ads, and performs a number of spyware related functions such as transmitting personal information and hijacking Internet Explorer.
Status: Quarantined

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO DisplayName ATP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO UninstallString regsvr32 /s /u C:\WINDOWS\system32\ATPartners.dll


MyWebSearch Toolbar Potentially Unwanted Program more information...
Details: MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools.
Status: Ignored

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib {29D67D3C-509A-4544-903F-C8C1B8236554}
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC} IMonitorEvents
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib {E47CAEE0-DEEA-464A-9326-3F2801535A4D}
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF} IF3PopupMenu
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CLSID {3E720452-B472-4954-B7AA-33069EB53906}
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CurVer MyWebSearch.HTMLPanel.1
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel MyWebSearch HTML Panel
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin\CLSID {7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin\CurVer MyWebSearch.PseudoTransparentPlugin.1
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin MyWebSearch Pseudo Transparent Plugin
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1\CLSID {7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}
HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1 MyWebSearch Pseudo Transparent Plugin
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1\CLSID {3E720452-B472-4954-B7AA-33069EB53906}
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1 MyWebSearch HTML Panel


Cram Toolbar Toolbar more information...
Status: Quarantined

Infected registry entries detected
HKEY_CLASSES_ROOT\Interface\{9D5C62AE-57B0-43C3-BAE4-BA7908DF4386}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{F5BB1D9A-DA7B-4C5B-8272-1554B814E97F}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}
HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\0\win32 C:\Programme\Cram Toolbar\untitled.dll
HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\HELPDIR C:\Programme\Cram Toolbar\
HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0 Softomate 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\0\win32 C:\Programme\Cram Toolbar\untitled.dll


WhenU.WhenUSearch Low Risk Adware more information...
Details: WhenU.WhenUSearch is a desktop search toolbar that displays links to advertised offers in response to users' surfing behavior and opens paid search results when users perform searches through the toolbar's search mechanism.
Status: Ignored

Infected registry entries detected
HKEY_CLASSES_ROOT\WUSN.1
HKEY_CLASSES_ROOT\WUSN.1 WUSN_Id


Trojan.WinlogonHook.Delf.A Trojan more information...
Details: WinlogonHook.Delf.A is a backdoor trojan that gives an attacker the ability to control the infected machine without the user's knowledge.
Status: Quarantined

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR Brnd 779
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR BPTV 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR LSTV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR PSTV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR BSTV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR SSTV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR SCLIST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR SSLIST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR Data 198486912
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR MSLIST


Freeprod/Toolbar888 Toolbar more information...
Details: Freeprod/Toolbar888 is an adware application that installs a Internet Explorer Toolbar and may hijack search results.
Status: Quarantined

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}
HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\InprocServer32 C:\Programme\ToolBar888\MyToolBar.dll
HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\ProgID MyToolBar.MyToolBarObj.1
HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\TypeLib {CD2A09D7-EE7E-4c25-993C-C2678ECFAD01}
HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\VersionIndependentProgID MyToolBar.MyToolBarObj
HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} ToolBar888
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBCC61FA-0221-4ccc-B409-CEE865CACA3A}
HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}
HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0\0\win32 C:\Programme\ToolBar888\MyToolBar.dll
HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0\HELPDIR C:\Programme\ToolBar888\
HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0 ToolBar888 1.0 Type Library
HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj
HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj\CLSID {CBCC61FA-0221-4ccc-B409-CEE865CACA3A}
HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj\CurVer MyToolBar.MyToolBarObj.1
HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj ToolBar888
HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj.1
HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj.1\CLSID {CBCC61FA-0221-4ccc-B409-CEE865CACA3A}
HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj.1 ToolBar888
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\iexplore Type 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\iexplore Count 47
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\iexplore Time
HKEY_CURRENT_USER\Software\MyToolBar


ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\admin\cookies\admin@atdmt[2].txt


Messenger Plus! 3.40 Beta Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\admin\cookies\admin@mysearchnow[1].txt

----------------------------------------------------


Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: EC6A-BA6F

Verzeichnis von C:\WINDOWS\system32

16.08.2006 19:54 20.218 ModemLog_ISDN Internet (PPP over ISDN).txt
16.08.2006 18:03 2.206 wpa.dbl
15.08.2006 13:22 9.022 ModemLog_ISDN Custom Config.txt
06.08.2006 23:49 43.520 CmdLineExt03.dll
03.08.2006 03:22 8.255.912 MRT.exe
02.08.2006 02:57 314.508 perfh009.dat
02.08.2006 02:57 40.836 perfc009.dat
02.08.2006 02:57 320.094 perfh007.dat
02.08.2006 02:57 729.988 PerfStringBackup.INI
02.08.2006 02:57 49.174 perfc007.dat
29.07.2006 19:32 48.936 sirenacm.dll
28.07.2006 13:28 3.075.072 mshtml.dll
27.07.2006 15:25 679.424 inetcomm.dll
25.07.2006 22:33 615.936 urlmon.dll
23.07.2006 17:16 57.384 avsda.dll
21.07.2006 10:29 72.704 hlink.dll
14.07.2006 17:38 332.288 netapi32.dll
14.07.2006 17:25 546.304 hhctrl.ocx
13.07.2006 15:34 8.494.592 shell32.dll
07.07.2006 14:55 155.568 FNTCACHE.DAT
06.07.2006 16:35 455 ws344069.ocx
06.07.2006 16:22 3.176 gafilter.sti
06.07.2006 16:22 4.808 gaeffect.sti
05.07.2006 12:55 1.057.792 kernel32.dll
26.06.2006 19:40 8.192 rasadhlp.dll
26.06.2006 19:40 148.480 dnsapi.dll
23.06.2006 13:10 664.576 wininet.dll
23.06.2006 13:10 448.512 mshtmled.dll
23.06.2006 13:10 532.480 mstime.dll
23.06.2006 13:10 1.494.016 shdocvw.dll
23.06.2006 13:10 474.624 shlwapi.dll
23.06.2006 13:10 146.432 msrating.dll
23.06.2006 13:10 39.424 pngfilt.dll
23.06.2006 13:10 55.808 extmgr.dll
23.06.2006 13:10 205.312 dxtrans.dll
23.06.2006 13:10 357.888 dxtmsft.dll
23.06.2006 13:10 1.056.256 danim.dll
23.06.2006 13:10 251.392 iepeers.dll
23.06.2006 13:10 152.064 cdfview.dll
23.06.2006 13:10 96.768 inseng.dll
23.06.2006 13:10 16.384 jsproxy.dll
23.06.2006 13:10 1.022.976 browseui.dll
23.06.2006 10:53 27.136 xpsp3res.dll
22.06.2006 12:47 181.248 rasmans.dll
19.06.2006 16:20 702.768 WgaLogon.dll
19.06.2006 16:19 571.184 LegitCheckControl.dll
19.06.2006 16:19 304.944 WgaTray.exe
01.06.2006 20:47 27.648 jgpl400.dll
01.06.2006 20:47 163.840 jgdw400.dll
19.05.2006 15:09 95.744 iphlpapi.dll
19.05.2006 15:09 112.128 dhcpcsvc.dll
18.05.2006 07:36 450.560 jscript.dll
04.05.2006 14:30 13 WinSys32.crc

16.08.2006, 21:48
Honorary member
Sabina

Posts: 29434
#125 LaLaLand

1.
CounterSpy only ever kills a part of the files. So you have to keep emptying CounterSpy's quarantine folder and scanning with it again, until CounterSpy finds nothing more.

2.
scan with Panda and then with ewido and post both scan reports
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security

17.08.2006, 01:19
...new here

Posts: 8
#126 1. ok, done
2.

Panda
--------

Incident Status Location

Adware:Adware/Mytoolbar Not disinfected C:\avenger\backup.zip[avenger/Activate.exe]
Adware:Adware/NetPals Not disinfected C:\avenger\backup.zip[avenger/ATPartners.dll]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/bits plan.exe]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/cfibqyzy.exe]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/ddodfrag.exe]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/four setup ref program.exe]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/fxivkxpr.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup.zip[avenger/iifccyy.dll]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/isomodescr.exe]
Adware:Adware/Mytoolbar Not disinfected C:\avenger\backup.zip[avenger/MyToolBar.dll]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/ppjojoox.exe]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/qebyahfd.exe]
Adware:Adware/SecurityError Not disinfected C:\avenger\backup.zip[avenger/services.dll]
Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/snoefjms.exe]
Adware:Adware/DollarRevenue Not disinfected C:\avenger\backup.zip[avenger/Uninst.exe][²ÜÇ\nsProcess.dll]
Adware:Adware/SuperSpider Not disinfected C:\avenger\backup.zip[avenger/winemx32.dll]
Spyware:Cookie/Statcounter Not disinfected C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\90cgnklp.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\90cgnklp.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@atdmt[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@stats1.reliablestats[1].txt
Adware:Adware/Lop Not disinfected C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\Drive Cash.exe
Adware:Adware/Lop Not disinfected C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\RefDrive.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard111.dat
Adware:Adware/SaveNow Not disinfected E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\whenu_ff.jar[content/overlay.js]
Adware:Adware/SaveNow Not disinfected E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected E:\Programme\Firefox\plugins\NPMyWebS.dll
Adware:Adware/AbxSearch Not disinfected E:\Programme\Microsoft AntiSpyware\Quarantine\176E6A36-D4DE-4B76-A83C-9A7B01\14C0E104-18B0-442D-9C15-0B0C69
Spyware:Spyware/New.net Not disinfected E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\670F4F59-97B3-4EBD-8FDF-EF984B
Spyware:Spyware/New.net Not disinfected E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\E93FBB77-4AF5-4D3A-85F3-97E11B
Adware:Adware/NetPals Not disinfected G:\Download\Spiele\artmoney710eng.exe[Temp\adware.exe]


ewido
-------

keeps aborting... and it doesn't say why.
Internet Explorer just closes. Tried it 3 times

17.08.2006, 12:16
Honorary member
Sabina

Posts: 29434
#127 LaLaLand

Avenger:

Quote

Files to delete:

E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\E93FBB77-4AF5-4D3A-85F3-97E11B
E:\Programme\Microsoft AntiSpyware\Quarantine\176E6A36-D4DE-4B76-A83C-9A7B01\14C0E104-18B0-442D-9C15-0B0C69
E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\670F4F59-97B3-4EBD-8FDF-EF984B
C:\WINDOWS\keyboard111.dat
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\Drive Cash.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\RefDrive.exe
G:\Download\Spiele\artmoney710eng.exe
E:\Programme\Firefox\plugins\NPMyWebS.dll
E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll
E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\whenu_ff.jar
restart, post the report

then delete all backups from Avenger - C:\avenger\backup.zip, and delete in safe mode:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five

-------

scan and post the scan report of option 1 and 2
http://virus-protect.org/artikel/tools/smitfrautfix.html
__________
Regards, Sabina

all about PC security

17.08.2006, 16:18
...new here

Posts: 8
#128 Avenger


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jxohfewn

*******************

Script file located at: \??\C:\WINDOWS\system32\tpqyeoqr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\E93FBB77-4AF5-4D3A-85F3-97E11B deleted successfully.
File E:\Programme\Microsoft AntiSpyware\Quarantine\176E6A36-D4DE-4B76-A83C-9A7B01\14C0E104-18B0-442D-9C15-0B0C69 deleted successfully.
File E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\670F4F59-97B3-4EBD-8FDF-EF984B deleted successfully.
File C:\WINDOWS\keyboard111.dat deleted successfully.
File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\Drive Cash.exe deleted successfully.
File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\RefDrive.exe deleted successfully.
File G:\Download\Spiele\artmoney710eng.exe deleted successfully.
File E:\Programme\Firefox\plugins\NPMyWebS.dll deleted successfully.
File E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll deleted successfully.
File E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\whenu_ff.jar deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


----------------------------------------

Report from option 1:

SmitFraudFix v2.81

Scan done at 16:17:26,73, 17.08.2006
Run from C:\Dokumente und Einstellungen\Admin\Desktop\Wegen Virus\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Admin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\Admin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Report from option 2:

SmitFraudFix v2.81

Scan done at 15:41:34,67, 17.08.2006
Run from C:\Dokumente und Einstellungen\Admin\Desktop\Wegen Virus\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

17.08.2006, 21:55
Honorary member
Sabina

Posts: 29434
#129 please scan with BitDefender and post the report
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security

18.08.2006, 02:09
...new here

Posts: 8
#130 BitDefender Online Scanner - Echtzeit-Virenmeldung
Erstellt am: Fri, Aug 18, 2006 - 02:10:30
Prüf-Info
Geprüfte Dateien: 397292
Infizierte Dateien: 3
Erkannte Viren:
Trojan.Dropper.Small.GT: 1
GenPack:Trojan.Swizzor.GI: 2

18.08.2006, 13:36
Honorary member
Sabina

Posts: 29434
#131 there is also a report that shows the paths as well, can you post that here?
__________
Regards, Sabina

all about PC security

19.08.2006, 01:34
...new here

Posts: 8
#132 Oh, I don't have that anymore, sorry, and now?

19.08.2006, 13:40
Honorary member
Sabina

Posts: 29434
#133 LaLaLand

scan and post the report
http://virus-protect.org/cureit.html
__________
Regards, Sabina

all about PC security

24.08.2006, 21:44
Member

Posts: 11
#134 So, I have the same problem, these win...tmp files keep getting created.

I've already run VundoFix over it; it found something and deleted it. After that I ran CleanUp again and all the win... tmp files were deleted, but the problem still persists ;) .

I'll just attach the HijackThis log, not sure whether it helps you.


Logfile of HijackThis v1.99.1
Scan saved at 21:46:25, on 24.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Felix Lehmann.MI6-FJXZHGFIEWD\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.de.netscape.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.de.netscape.com/de/home/winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.de.netscape.com/de/home/winsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ewetel.de
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.de.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = EWE TEL
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ewetel.de"); (C:\Program Files\Netscape\Users\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programme\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunServices: [] iexpl0res.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe

O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142022346203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142022332828
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A595470-95D2-4A01-9FAD-AE448954FFCC}: NameServer = 192.168.178.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

25.08.2006, 14:45
Honorary member
Sabina

Posts: 29434
#135 Morgoth2k5

there is a backdoor on the machine... do you want to clean it??? or format right away........

Quote

O4 - HKCU\..\RunServices: [] iexpl0res.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
1.
post the log
http://virus-protect.org/artikel/tools/combofix.html

2.
configure CleanUp exactly as specified here:
http://virus-protect.org/cleanup.html

3.
Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
__________
Regards, Sabina

all about PC security
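The two RunServices entries quoted in the post above are what give the backdoor away: file names that imitate Windows binaries (smss.exe, iexplore.exe), launched from a per-user autostart key without any path. The following Python script is an added example, not part of this thread or of HijackThis; it applies exactly that check to the O4 lines of the posted log, and its list of legitimate names and its distance threshold are assumptions made for the example.

```python
"""Flag suspicious autostart (O4) entries in a HijackThis log.

Added example (not from the forum thread or HijackThis): look-alike
executable names such as 'smsss.exe' for 'smss.exe', empty autostart
labels, and bare file names in per-user autostart keys are reported.
"""
import re

# Legitimate Windows / Internet Explorer binaries that malware commonly
# imitates by name. Constructed, non-exhaustive list for this example.
LEGIT_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "iexplore.exe", "spoolsv.exe",
}

# Matches lines like:  O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)

# O4 lines copied from the HijackThis log posted above (sample input).
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r'O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize',
    r'O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"',
    r"O4 - HKCU\..\RunServices: [] iexpl0res.exe",
    r"O4 - HKCU\..\RunServices: [start uploading] smsss.exe",
    r"O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot",
    r"O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute); catches '0' for 'o' and doubled letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the program an O4 command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        prog = cmd[1:].split('"', 1)[0]   # quoted path: up to the closing quote
    else:
        prog = cmd.split(" ", 1)[0]       # unquoted: first token
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_o4(lines, max_distance=2):
    """Return [(basename, [reasons])] for every O4 entry that trips a heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:                          # e.g. 'O4 - Global Startup' has no hive
            continue
        name = exe_basename(m["cmd"])
        reasons = []
        if name not in LEGIT_NAMES:
            closest = min(LEGIT_NAMES, key=lambda n: levenshtein(name, n))
            if levenshtein(name, closest) <= max_distance:
                reasons.append(f"look-alike of {closest}")
        if m["label"] == "":
            reasons.append("empty autostart label")
        if m["hive"] == "HKCU" and "\\" not in m["cmd"]:
            reasons.append("bare file name in per-user autostart (no path)")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in analyse_o4(SAMPLE_O4_LINES):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the posted log it reports only iexpl0res.exe and smsss.exe; the legitimate HKLM entries without a path (SOUNDMAN.EXE, nwiz.exe) are not flagged because they neither resemble a system binary nor sit in a per-user key.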