Trojaner/Virus erstellt win**.tmp.exe dateien - folge: systemüberlastungThema ist geschlossen! |
||
---|---|---|
Thema ist geschlossen! |
||
#0
| ||
16.08.2006, 13:17
Ehrenmitglied
Beiträge: 29434 |
||
|
||
16.08.2006, 13:51
...neu hier
Beiträge: 8 |
#122
Verzeichnis von C:\Programme\Livemfcdroad
09.08.2006 04:16 <DIR> . 09.08.2006 04:16 <DIR> .. 0 Datei(en) 0 Bytes 2 Verzeichnis(se), 12.925.108.224 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Programme\Accoona 10.07.2005 23:32 <DIR> . 10.07.2005 23:32 <DIR> .. 03.05.2005 17:38 118.524 quiesce.exe 1 Datei(en) 118.524 Bytes 2 Verzeichnis(se), 12.925.108.224 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Programme\ToolBar888 06.08.2006 23:32 <DIR> . 06.08.2006 23:32 <DIR> .. 08.06.2006 17:00 45.056 Activate.exe 13.06.2006 17:00 114.688 MyToolBar.dll 06.08.2006 23:32 34.950 Uninst.exe 3 Datei(en) 194.694 Bytes 2 Verzeichnis(se), 12.925.108.224 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Programme\NewDotNet 04.10.2005 03:02 <DIR> . 04.10.2005 03:02 <DIR> .. 04.10.2005 03:01 167.936 newdotnet3_88.dll 1 Datei(en) 167.936 Bytes 2 Verzeichnis(se), 12.925.108.224 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe 09.08.2006 04:17 <DIR> . 09.08.2006 04:17 <DIR> .. 09.08.2006 04:18 15.526 bits plan.exe 1 Datei(en) 15.526 Bytes 2 Verzeichnis(se), 12.925.108.224 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad 16.08.2006 11:10 <DIR> . 16.08.2006 11:10 <DIR> .. 09.08.2006 04:17 368.586 cfibqyzy.exe 05.01.2006 19:06 365.958 ddodfrag.exe 09.08.2006 04:18 62.570 four setup ref program.exe 23.03.2006 23:21 365.959 fxivkxpr.exe 09.08.2006 04:18 10.498 isomodescr.exe 22.05.2006 15:52 368.586 ppjojoox.exe 05.08.2006 15:08 368.586 qebyahfd.exe 21.05.2006 12:09 368.586 snoefjms.exe 8 Datei(en) 2.279.329 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Show sect stupid anti 16.08.2006 12:34 <DIR> . 16.08.2006 12:34 <DIR> .. 0 Datei(en) 0 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Programme\Livemfcdroad 09.08.2006 04:16 <DIR> . 09.08.2006 04:16 <DIR> .. 0 Datei(en) 0 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Programme\Accoona 10.07.2005 23:32 <DIR> . 10.07.2005 23:32 <DIR> .. 03.05.2005 17:38 118.524 quiesce.exe 1 Datei(en) 118.524 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Programme\ToolBar888 06.08.2006 23:32 <DIR> . 06.08.2006 23:32 <DIR> .. 08.06.2006 17:00 45.056 Activate.exe 13.06.2006 17:00 114.688 MyToolBar.dll 06.08.2006 23:32 34.950 Uninst.exe 3 Datei(en) 194.694 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Programme\NewDotNet 04.10.2005 03:02 <DIR> . 04.10.2005 03:02 <DIR> .. 04.10.2005 03:01 167.936 newdotnet3_88.dll 1 Datei(en) 167.936 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe 09.08.2006 04:17 <DIR> . 09.08.2006 04:17 <DIR> .. 09.08.2006 04:18 15.526 bits plan.exe 1 Datei(en) 15.526 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad 16.08.2006 11:10 <DIR> . 16.08.2006 11:10 <DIR> .. 09.08.2006 04:17 368.586 cfibqyzy.exe 05.01.2006 19:06 365.958 ddodfrag.exe 09.08.2006 04:18 62.570 four setup ref program.exe 23.03.2006 23:21 365.959 fxivkxpr.exe 09.08.2006 04:18 10.498 isomodescr.exe 22.05.2006 15:52 368.586 ppjojoox.exe 05.08.2006 15:08 368.586 qebyahfd.exe 21.05.2006 12:09 368.586 snoefjms.exe 8 Datei(en) 2.279.329 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Show sect stupid anti 16.08.2006 12:34 <DIR> . 16.08.2006 12:34 <DIR> .. 0 Datei(en) 0 Bytes 2 Verzeichnis(se), 12.925.104.128 Bytes frei |
|
|
||
16.08.2006, 14:27
Ehrenmitglied
Beiträge: 29434 |
#123
LaLaLand
1. Versteckte- und Systemdateien sichtbar machen http://virus-protect.org/invisible.html 2. LSPfix http://www.spychecker.com/program/lspfix.html - hake an: "I know what Im doing"--Remove - und loesche die newdotnet3_88.dll (eventuell musst du die dll von links nach rechts bringen) 3. spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> entpacken auf dem Desktop -> spyfalcon.reg ->doppeltklicken und der Registry mit "ja/yes" beifügen 3.1. wende Vundofix an http://virus-protect.org/artikel/tools/vundofixx.html 4. Avenger http://virus-protect.org/artikel/tools/avenger.html kopiere rein: Zitat registry keys to delete:Klicke die gruene Ampel das Script wird nun ausgeführt, dann wird der PC automatisch neustarten ** poste das log vom Avenger, was nach neustart erscheint 5. öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten Zitat O4 - HKCU\..\Run: [boneshow] C:\DOKUME~1\Admin\ANWEND~1\LIVEMF~1\FileVga.exe6. PC neustarten (in den abgesicherten Modus) --> F8 drücken, wenn der PC hochfährt das ist notwendig, denn im Normalmodus kann man die Dateien nicht löschen. loeschen C:\Programme\WeatherCast C:\Programme\NewDotNet C:\Programme\ToolBar888 C:\Programme\Accoona C:\Programme\Livemfcdroad C:\Programme\Gemeinsame Dateien\{EC6ABA6F-0A71-1031-0816-020208060031} C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Show sect stupid anti 7. boote wieder in den normalmodus 8. Arbeitsplatz --> Rechtsklick, dann auf Eigenschaften ---> Reiter Systemwiederherstellung ---> Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren. (dann wieder aktivieren) 9. Counterspy --> löscht die Eintraege in der Registry von MessengerPlus! 3 und Netpumper http://virus-protect.org/counterspy.html nach dem Scan muss man sich entscheiden für: *Remove poste den scanreport + poste noch mal ds 1. Log von Datfindbat __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
16.08.2006, 20:03
...neu hier
Beiträge: 8 |
#124
zu 1. war schon
zu 2. erledigt zu 3. erledigt zu 4. erledigt zu 5. ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Syntax error in line --- does not appear to be a valid registry path. Line will be ignored. Error code: 0 Line: HKEY_CURRENT_USER\Software\New.net ////////////////////////////////////////// Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\pxkpvrbf ******************* Script file located at: \??\C:\eyjvbrio.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\tasks\985C0F89931FD9B9.job deleted successfully. File C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\11xp4yto.exe not found! Deletion of file C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\11xp4yto.exe failed! Could not process line: C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\11xp4yto.exe Status: 0xc0000034 File C:\WINDOWS\system32\ATPartners.dll deleted successfully. File C:\WINDOWS\TEMP\win4.tmp.exe not found! Deletion of file C:\WINDOWS\TEMP\win4.tmp.exe failed! Could not process line: C:\WINDOWS\TEMP\win4.tmp.exe Status: 0xc0000034 File C:\WINDOWS\system32\tttss.ini not found! Deletion of file C:\WINDOWS\system32\tttss.ini failed! Could not process line: C:\WINDOWS\system32\tttss.ini Status: 0xc0000034 File C:\WINDOWS\system32\tttss.bak2 not found! Deletion of file C:\WINDOWS\system32\tttss.bak2 failed! Could not process line: C:\WINDOWS\system32\tttss.bak2 Status: 0xc0000034 File C:\WINDOWS\system32\mcrh.tmp deleted successfully. File C:\WINDOWS\system32\cool.exe deleted successfully. File C:\WINDOWS\system32\tttss.bak1 not found! Deletion of file C:\WINDOWS\system32\tttss.bak1 failed! Could not process line: C:\WINDOWS\system32\tttss.bak1 Status: 0xc0000034 File C:\WINDOWS\system32\ssttt.dll not found! Deletion of file C:\WINDOWS\system32\ssttt.dll failed! Could not process line: C:\WINDOWS\system32\ssttt.dll Status: 0xc0000034 File C:\WINDOWS\system32\iifccyy.dll deleted successfully. File C:\WINDOWS\system32\winemx32.dll deleted successfully. File C:\Programme\Gemeinsame Dateien\{EC6ABA6F-0A71-1031-0816-020208060031}\services.dll deleted successfully. File C:\WINDOWS\Temp\winB.tmp deleted successfully. File C:\WINDOWS\Temp\winD.tmp deleted successfully. File C:\Programme\Accoona\quiesce.exe deleted successfully. File C:\Programme\ToolBar888\Activate.exe deleted successfully. File C:\Programme\ToolBar888\MyToolBar.dll deleted successfully. File C:\Programme\ToolBar888\Uninst.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Close Curb Safe\bits plan.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\cfibqyzy.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\ddodfrag.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\four setup ref program.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\fxivkxpr.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\isomodescr.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\ppjojoox.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\qebyahfd.exe deleted successfully. File C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Livemfcdroad\snoefjms.exe deleted successfully. Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\new.net not found! Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\new.net failed! Status: 0xc0000034 Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net not found! Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net failed! Status: 0xc0000034 Registry key HKEY_LOCAL_MACHINE\software\new.net not found! Deletion of registry key HKEY_LOCAL_MACHINE\software\new.net failed! Status: 0xc0000034 Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttt not found! Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssttt failed! Status: 0xc0000034 Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winemx32 deleted successfully. Completed script processing. ******************* Finished! Terminate. zu 6. erledigt Nur C:\Programme\WeatherCast ... gab es nicht. zu 7. erledigt zu 8. erledigt zu 9. Spyware Scan Details Start Date: 16.08.2006 19:03:28 End Date: 16.08.2006 19:50:34 Total Time: 47 mins 6 secs Detected spyware C2.Lop Hijacker more information... Details: Lop is a group of spyware and hijacker programs that set your Internet Explorer start page and search features to use the site lop.com ('Live Online Portal') or one of its clone sites. Status: Quarantined Infected files detected c:\programme\adverts war*hier nicht!* P2P P2P Program more information... Details: war*hier nicht!* P2P is a file sharing program that allows the user to participate in online file sharing networks. Status: Ignored Infected files detected c:\programme\sp2 connection patcher\inst.log c:\programme\sp2 connection patcher\readme.txt c:\programme\sp2 connection patcher\uninstall.exe Infected registry entries detected HKEY_CLASSES_ROOT\war*hier nicht!* HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!* protocol HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol HKEY_CLASSES_ROOT\war*hier nicht!* HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!* Of1 HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol HKEY_CLASSES_ROOT\war*hier nicht!* HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!* Of2 HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol HKEY_CLASSES_ROOT\war*hier nicht!* HKEY_CLASSES_ROOT\war*hier nicht!* URL:war*hier nicht!*_Query protocol HKEY_CLASSES_ROOT\war*hier nicht!* URL Protocol IEPlugin Adware (General) more information... Details: IEPlugin is an IE Browser Helper Object that monitors site addresses, content entered into forms, and even local filenames browsed, and pops up advertisements when it sees a targeted keyword. Status: Quarantined Infected files detected c:\windows\extract.exe StartPage.TimesSquare Hijacker more information... Details: StartPage.TimesSquare hijacks the IE start page and search pages and displays ads. Status: Quarantined Infected files detected c:\windows\teller2.chk Deskwizz/ZQuest Browser Plug-in more information... Details: Deskwizz/ZQuest is an adware application that tracks the user's browsing in order to display targeted advertising on the desktop. Status: Quarantined Infected files detected c:\windows\dh.ini DollarRevenue Adware (General) more information... Details: DollarRevenue is an adware program that spawns pop-up advertising on the desktop and downloads other adware. Status: Quarantined Infected files detected c:\windows\newname.dat Messenger Plus! Adware Bundler more information... Details: Messenger Plus! is a add-on for MSN Messenger. Messenger Plus! installs an OPTIONAL adware called C2Media which is also known as LOP.com. Status: Deleted Infected files detected E:\Programme\Messenger Plus! Live\Detoured.dll E:\Programme\Messenger Plus! Live\Events Style Sheet.xsl E:\Programme\Messenger Plus! Live\lame_enc.dll E:\Programme\Messenger Plus! Live\libsndfile.dll E:\Programme\Messenger Plus! Live\Log Viewer.exe E:\Programme\Messenger Plus! Live\MPScripts.dll E:\Programme\Messenger Plus! Live\MPTools.exe E:\Programme\Messenger Plus! Live\MsgPlusLive.dll E:\Programme\Messenger Plus! Live\MsgPlusLiveRes.dll Infected registry entries detected HKEY_CLASSES_ROOT\MsgPlus.Encrypted HKEY_CLASSES_ROOT\MsgPlus.Encrypted\DefaultIcon E:\Programme\Messenger Plus! Live\Log Viewer.exe,1 HKEY_CLASSES_ROOT\MsgPlus.Encrypted\shell\open\command "E:\Programme\Messenger Plus! Live\Log Viewer.exe" /ViewLog="%1" HKEY_CLASSES_ROOT\MsgPlus.Encrypted Encrypted Log File HKEY_LOCAL_MACHINE\Software\Patchou HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live AppDir E:\Programme\Messenger Plus! Live HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live LangDir E:\Programme\Messenger Plus! Live\Languages HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live InterfacesDir E:\Programme\Messenger Plus! Live\Interface HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live ScriptsDir E:\Programme\Messenger Plus! Live\Scripts HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live ResourcesDll MsgPlusLiveRes.dll HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live WorkerDll MsgPlusLive.dll HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live FirstInstallTime HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live SoftwareBuild 4240 HKEY_LOCAL_MACHINE\Software\Patchou\Messenger Plus! Live DefaultLangFile Lng_German.ini HKEY_CURRENT_USER\SOFTWARE\Patchou HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\LogViewer PosMaximised 0 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\LogViewer PosRect HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\BVIjSxFCxUeh Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\BVIjSxFCxUeh LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\BXZApMgaibRD Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\BXZApMgaibRD LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\DEcgzUjFHQkc Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\DEcgzUjFHQkc LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\DHUohOrKpIsk Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\FBSnWqrNPYsk Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\FBSnWqrNPYsk LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\FBSnWqrNPYsk LastChat HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\FOkmmfBDYpFR LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\FOkmmfBDYpFR Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\GhOpJBCtBWgy Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IjCtMggckzZL Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IjCtMggckzZL LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IsbTJLBDMdTF Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IsbTJLBDMdTF LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IskgyxFCxUeh Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ItSbIbJGbYsk Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IzGijQrGtJFH Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IzGijQrGtJFH LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\IzGijQrGtJFH LastChat HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\JSsbJSpPGtJW Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\JSsbJSpPGtJW LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\JSsbJSpPGtJW LastChat HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\LCnGtQsvWnDA Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\LCnGtQsvWnDA LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\LCnGtQsvWnDA LastChat HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\LUdUqlEucrRD Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ObJZIkhAvCmp Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ObJZIkhAvCmp LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ObRGvDAawxUf Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ObRGvDAawxUf LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\OuhArRFMvYia Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\OuhEaiembYia Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\PGatKxFCxMgy Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\PGatKxFCxMgy LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\PUhPYlLCrScu Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\PUhPYlLCrScu LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WibRObTTVEap Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WibRObTTVEap LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WibRObTTVEap LastChat HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WjKmtHAqynNK Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WjKmtHAqynNK LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WslSnKaijGqi Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WslSnKaijGqi LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WsunQbJEkasl Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\WsunQbJEkasl LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\XAwjBDAcrOyq Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\XAwjBDAcrOyq LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\XREgvVIapGgy LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\XREgvVIapGgy Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ZIrTGvOqrDZM Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ZIrTGvOqrDZM LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ZIrTGvOqrDZM LastChat HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ZMgzYfMorSme Email HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Contacts\ZMgzYfMorSme LastSeenOnline HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences OldPlusChecked 1 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences ContactWatchTime HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences FirstStart 0 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences NotifyAutoUpdate 1 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences SoundsAutoPlay 1 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences LockEnableShortcut 1 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences PopMailUpdateSystem 1 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences PopMailShowNotif 1 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences PopMailCheckDelay 5 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences ContactListCleanupFirstTime 0 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences ContactInfoPos HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences EventViewerMaximised 0 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences EventViewerPos HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live\power16@web.de\Preferences EventViewerLastShow HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live LanguageFile Lng_German.ini HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live MessengerStartTime HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live MessengerIsRTL 0 HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live DefaultUser power16@web.de HKEY_CURRENT_USER\SOFTWARE\Patchou\Messenger Plus! Live AutoUpdateTime HKEY_CLASSES_ROOT\MsgPlus.SoundPack HKEY_CLASSES_ROOT\MsgPlus.SoundPack\DefaultIcon E:\Programme\Messenger Plus! Live\MPTools.exe,2 HKEY_CLASSES_ROOT\MsgPlus.SoundPack\shell\open\command "E:\Programme\Messenger Plus! Live\MPTools.exe" /ImportSoundPack="%1" HKEY_CLASSES_ROOT\MsgPlus.SoundPack Messenger Plus! Sound Pack HKEY_CLASSES_ROOT\.ple HKEY_CLASSES_ROOT\.ple MsgPlus.Encrypted HKEY_CLASSES_ROOT\.plp HKEY_CLASSES_ROOT\.plp MsgPlus.SoundPack VX2.Transponder Browser Plug-in more information... Details: VX2 is an Internet Explorer Browser Helper Object that monitors web page requests and data entered into forms, sending this information to its home server, and opens pop-up advertisement windows. VX2 also collects and sends personal information. Status: Quarantined Infected registry entries detected HKEY_CLASSES_ROOT\f1.organizer.1 HKEY_CLASSES_ROOT\f1.organizer.1\CLSID {00000EF1-0786-4633-87C6-1AA7A44296DA} HKEY_CLASSES_ROOT\f1.organizer.1 F1 Organizer Class HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786} HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\0\win32 C:\WINDOWS\system32\ATPartners.dll HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\FLAGS 0 HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\HELPDIR C:\WINDOWS\system32\ HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0 Favorite 1.0 Type Library HKEY_CLASSES_ROOT\f1.organizer HKEY_CLASSES_ROOT\f1.organizer\CLSID {00000EF1-0786-4633-87C6-1AA7A44296DA} HKEY_CLASSES_ROOT\f1.organizer\CurVer F1.Organizer.1 HKEY_CLASSES_ROOT\f1.organizer F1 Organizer Class BearShare P2P Program more information... Details: BearShare is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives. Status: Ignored Infected registry entries detected HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905} HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 e:\Programme\BearShare\RunMSC.dll HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0 HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR e:\Programme\BearShare\ HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InProcServer32 %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InProcServer32 ThreadingModel Apartment HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} &Links HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} MenuTextPUI @browselc.dll,-13138 HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} hTBJOaq FavoriteMan Browser Plug-in more information... Details: FavoriteMan is an Internet Explorer Browser Helper Object (BHO) that intermittently connects to its controlling servers which may direct it to download and install other programs and add entries to the IE Favorites menu or background Desktop. Status: Quarantined Infected registry entries detected HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da} HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\InprocServer32 C:\WINDOWS\system32\ATPART~1.DLL HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\InprocServer32 ThreadingModel Apartment HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\ProgID F1.Organizer.1 HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\TypeLib {EF100007-F409-426a-9E7C-CB211F2A9786} HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da}\VersionIndependentProgID F1.Organizer HKEY_CLASSES_ROOT\clsid\{00000ef1-0786-4633-87c6-1aa7a44296da} F1 Organizer Class HKEY_CLASSES_ROOT\f1.organizer\clsid HKEY_CLASSES_ROOT\f1.organizer\clsid {00000EF1-0786-4633-87C6-1AA7A44296DA} HKEY_CLASSES_ROOT\f1.organizer\curver HKEY_CLASSES_ROOT\f1.organizer\curver F1.Organizer.1 HKEY_CLASSES_ROOT\f1.organizer HKEY_CLASSES_ROOT\f1.organizer\CLSID {00000EF1-0786-4633-87C6-1AA7A44296DA} HKEY_CLASSES_ROOT\f1.organizer\CurVer F1.Organizer.1 HKEY_CLASSES_ROOT\f1.organizer F1 Organizer Class HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000ef1-0786-4633-87c6-1aa7a44296da} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000ef1-0786-4633-87c6-1aa7a44296da} NoExplorer 1 My Way Speedbar Potentially Unwanted Program more information... Details: MyWay Speedbar is a search toolbar that installs into Internet Explorer and Netscape Navigator, adding search functions and popup blocking. Status: Ignored Infected registry entries detected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} DownloadWare Adware (General) more information... Details: DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control. Status: Quarantined Infected registry entries detected HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786} HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\0\win32 C:\WINDOWS\system32\ATPartners.dll HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\FLAGS 0 HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0\HELPDIR C:\WINDOWS\system32\ HKEY_CLASSES_ROOT\typelib\{ef100007-f409-426a-9e7c-cb211f2a9786}\1.0 Favorite 1.0 Type Library WhenU.Save Adware (General) more information... Details: WhenU.SaveNow is an adware application that displays pop-up advertising on the desktop in response to users' web browsing. Status: Quarantined Infected registry entries detected HKEY_CLASSES_ROOT\wusn.1 HKEY_CLASSES_ROOT\wusn.1 WUSN_Id HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97} HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905} HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib Version 1.0 HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97} ILoader EUniverse Updater Hijacker more information... Details: EUniverse is an adware program that runs at startup, generates popup ads, and performs a number of spyware related functions such as transmitting personal information and hijacking Internet Explorer. Status: Quarantined Infected registry entries detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO DisplayName ATP HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO UninstallString regsvr32 /s /u C:\WINDOWS\system32\ATPartners.dll MyWebSearch Toolbar Potentially Unwanted Program more information... Details: MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools. Status: Ignored Infected registry entries detected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC} HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib {29D67D3C-509A-4544-903F-C8C1B8236554} HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib Version 1.0 HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC} IMonitorEvents HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF} HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib {E47CAEE0-DEEA-464A-9326-3F2801535A4D} HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib Version 1.0 HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF} IF3PopupMenu HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CLSID {3E720452-B472-4954-B7AA-33069EB53906} HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CurVer MyWebSearch.HTMLPanel.1 HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel MyWebSearch HTML Panel HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin\CLSID {7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin\CurVer MyWebSearch.PseudoTransparentPlugin.1 HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin MyWebSearch Pseudo Transparent Plugin HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1 HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1\CLSID {7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} HKEY_CLASSES_ROOT\MyWebSearch.PseudoTransparentPlugin.1 MyWebSearch Pseudo Transparent Plugin HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1 HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1\CLSID {3E720452-B472-4954-B7AA-33069EB53906} HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1 MyWebSearch HTML Panel Cram Toolbar Toolbar more information... Status: Quarantined Infected registry entries detected HKEY_CLASSES_ROOT\Interface\{9D5C62AE-57B0-43C3-BAE4-BA7908DF4386}\TypeLib Version 1.0 HKEY_CLASSES_ROOT\Interface\{F5BB1D9A-DA7B-4C5B-8272-1554B814E97F}\TypeLib Version 1.0 HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE} HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\0\win32 C:\Programme\Cram Toolbar\untitled.dll HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\FLAGS 0 HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\HELPDIR C:\Programme\Cram Toolbar\ HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0 Softomate 1.0 Type Library HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\0 HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}\1.0\0\win32 C:\Programme\Cram Toolbar\untitled.dll WhenU.WhenUSearch Low Risk Adware more information... Details: WhenU.WhenUSearch is a desktop search toolbar that displays links to advertised offers in response to users' surfing behavior and opens paid search results when users perform searches through the toolbar's search mechanism. Status: Ignored Infected registry entries detected HKEY_CLASSES_ROOT\WUSN.1 HKEY_CLASSES_ROOT\WUSN.1 WUSN_Id Trojan.WinlogonHook.Delf.A Trojan more information... Details: WinlogonHook.Delf.A is a backdoor trojan that gives an attacker the ability to control the infected machine without the user's knowledge. Status: Quarantined Infected registry entries detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR Brnd 779 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR BPTV 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR LSTV HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR PSTV HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR BSTV HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR SSTV HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR SCLIST HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR SSLIST HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR Data 198486912 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR MSLIST Freeprod/Toolbar888 Toolbar more information... Details: Freeprod/Toolbar888 is an adware application that installs a Internet Explorer Toolbar and may hijack search results. Status: Quarantined Infected registry entries detected HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\InprocServer32 C:\Programme\ToolBar888\MyToolBar.dll HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\InprocServer32 ThreadingModel Apartment HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\ProgID MyToolBar.MyToolBarObj.1 HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\TypeLib {CD2A09D7-EE7E-4c25-993C-C2678ECFAD01} HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\VersionIndependentProgID MyToolBar.MyToolBarObj HKEY_CLASSES_ROOT\CLSID\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} ToolBar888 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBCC61FA-0221-4ccc-B409-CEE865CACA3A} HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208} HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0\0\win32 C:\Programme\ToolBar888\MyToolBar.dll HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0\FLAGS 0 HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0\HELPDIR C:\Programme\ToolBar888\ HKEY_CLASSES_ROOT\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\1.0 ToolBar888 1.0 Type Library HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj\CLSID {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj\CurVer MyToolBar.MyToolBarObj.1 HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj ToolBar888 HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj.1 HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj.1\CLSID {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} HKEY_CLASSES_ROOT\mytoolbar.mytoolbarobj.1 ToolBar888 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A} HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\iexplore Type 3 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\iexplore Count 47 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}\iexplore Time HKEY_CURRENT_USER\Software\MyToolBar ATDMT.com Cookie (General) more information... Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count Status: Deleted Infected cookies detected c:\dokumente und einstellungen\admin\cookies\admin@atdmt[2].txt Messenger Plus! 3.40 Beta Cookie (General) more information... Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count Status: Deleted Infected cookies detected c:\dokumente und einstellungen\admin\cookies\admin@mysearchnow[1].txt ---------------------------------------------------- Datentr„ger in Laufwerk C: ist Windows Volumeseriennummer: EC6A-BA6F Verzeichnis von C:\WINDOWS\system32 16.08.2006 19:54 20.218 ModemLog_ISDN Internet (PPP over ISDN).txt 16.08.2006 18:03 2.206 wpa.dbl 15.08.2006 13:22 9.022 ModemLog_ISDN Custom Config.txt 06.08.2006 23:49 43.520 CmdLineExt03.dll 03.08.2006 03:22 8.255.912 MRT.exe 02.08.2006 02:57 314.508 perfh009.dat 02.08.2006 02:57 40.836 perfc009.dat 02.08.2006 02:57 320.094 perfh007.dat 02.08.2006 02:57 729.988 PerfStringBackup.INI 02.08.2006 02:57 49.174 perfc007.dat 29.07.2006 19:32 48.936 sirenacm.dll 28.07.2006 13:28 3.075.072 mshtml.dll 27.07.2006 15:25 679.424 inetcomm.dll 25.07.2006 22:33 615.936 urlmon.dll 23.07.2006 17:16 57.384 avsda.dll 21.07.2006 10:29 72.704 hlink.dll 14.07.2006 17:38 332.288 netapi32.dll 14.07.2006 17:25 546.304 hhctrl.ocx 13.07.2006 15:34 8.494.592 shell32.dll 07.07.2006 14:55 155.568 FNTCACHE.DAT 06.07.2006 16:35 455 ws344069.ocx 06.07.2006 16:22 3.176 gafilter.sti 06.07.2006 16:22 4.808 gaeffect.sti 05.07.2006 12:55 1.057.792 kernel32.dll 26.06.2006 19:40 8.192 rasadhlp.dll 26.06.2006 19:40 148.480 dnsapi.dll 23.06.2006 13:10 664.576 wininet.dll 23.06.2006 13:10 448.512 mshtmled.dll 23.06.2006 13:10 532.480 mstime.dll 23.06.2006 13:10 1.494.016 shdocvw.dll 23.06.2006 13:10 474.624 shlwapi.dll 23.06.2006 13:10 146.432 msrating.dll 23.06.2006 13:10 39.424 pngfilt.dll 23.06.2006 13:10 55.808 extmgr.dll 23.06.2006 13:10 205.312 dxtrans.dll 23.06.2006 13:10 357.888 dxtmsft.dll 23.06.2006 13:10 1.056.256 danim.dll 23.06.2006 13:10 251.392 iepeers.dll 23.06.2006 13:10 152.064 cdfview.dll 23.06.2006 13:10 96.768 inseng.dll 23.06.2006 13:10 16.384 jsproxy.dll 23.06.2006 13:10 1.022.976 browseui.dll 23.06.2006 10:53 27.136 xpsp3res.dll 22.06.2006 12:47 181.248 rasmans.dll 19.06.2006 16:20 702.768 WgaLogon.dll 19.06.2006 16:19 571.184 LegitCheckControl.dll 19.06.2006 16:19 304.944 WgaTray.exe 01.06.2006 20:47 27.648 jgpl400.dll 01.06.2006 20:47 163.840 jgdw400.dll 19.05.2006 15:09 95.744 iphlpapi.dll 19.05.2006 15:09 112.128 dhcpcsvc.dll 18.05.2006 07:36 450.560 jscript.dll 04.05.2006 14:30 13 WinSys32.crc |
|
|
||
16.08.2006, 21:48
Ehrenmitglied
Beiträge: 29434 |
#125
LaLaLand
1. Counterspy killt immer nur einen Teil Dateien. Man muss also immer wieder den Quarantäne-Ordner von Counterspy leeren und wieder neu damit scannen, solange bis Counterspy nichts mehr findet. 2. scanne mit Panda und dann mit ewido und poste beide scanreporte http://virus-protect.org/onlinescan.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
17.08.2006, 01:19
...neu hier
Beiträge: 8 |
#126
1. ok erledigt
2. Panda -------- Incident Status Location Adware:Adware/Mytoolbar Not disinfected C:\avenger\backup.zip[avenger/Activate.exe] Adware:Adware/NetPals Not disinfected C:\avenger\backup.zip[avenger/ATPartners.dll] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/bits plan.exe] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/cfibqyzy.exe] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/ddodfrag.exe] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/four setup ref program.exe] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/fxivkxpr.exe] Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup.zip[avenger/iifccyy.dll] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/isomodescr.exe] Adware:Adware/Mytoolbar Not disinfected C:\avenger\backup.zip[avenger/MyToolBar.dll] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/ppjojoox.exe] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/qebyahfd.exe] Adware:Adware/SecurityError Not disinfected C:\avenger\backup.zip[avenger/services.dll] Adware:Adware/Lop Not disinfected C:\avenger\backup.zip[avenger/snoefjms.exe] Adware:Adware/DollarRevenue Not disinfected C:\avenger\backup.zip[avenger/Uninst.exe][²ÜÇ\nsProcess.dll] Adware:Adware/SuperSpider Not disinfected C:\avenger\backup.zip[avenger/winemx32.dll] Spyware:Cookie/Statcounter Not disinfected C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\90cgnklp.default\cookies.txt[.statcounter.com/] Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\90cgnklp.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@atdmt[2].txt Spyware:Cookie/Reliablestats Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@stats1.reliablestats[1].txt Adware:Adware/Lop Not disinfected C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\Drive Cash.exe Adware:Adware/Lop Not disinfected C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\RefDrive.exe Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard111.dat Adware:Adware/SaveNow Not disinfected E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\whenu_ff.jar[content/overlay.js] Adware:Adware/SaveNow Not disinfected E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll Potentially unwanted tool:Application/MyWebSearch Not disinfected E:\Programme\Firefox\plugins\NPMyWebS.dll Adware:Adware/AbxSearch Not disinfected E:\Programme\Microsoft AntiSpyware\Quarantine\176E6A36-D4DE-4B76-A83C-9A7B01\14C0E104-18B0-442D-9C15-0B0C69 Spyware:Spyware/New.net Not disinfected E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\670F4F59-97B3-4EBD-8FDF-EF984B Spyware:Spyware/New.net Not disinfected E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\E93FBB77-4AF5-4D3A-85F3-97E11B Adware:Adware/NetPals Not disinfected G:\Download\Spiele\artmoney710eng.exe[Temp\adware.exe] ewido ------- bricht immer ab...und es steht nicht da warum. internet explorer schließt sich einfach. habs 3 mal versucht |
|
|
||
17.08.2006, 12:16
Ehrenmitglied
Beiträge: 29434 |
#127
LaLaLand
Avenger: Zitat Files to delete:neustarten, poste den report dann loesche alle backups vom avenger - C:\avenger\backup.zip, und loesche im abgesicherten modus: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five ------- scanne und poste den scanreport von option 1 und 2 http://virus-protect.org/artikel/tools/smitfrautfix.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
17.08.2006, 16:18
...neu hier
Beiträge: 8 |
#128
Avengen
Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\jxohfewn ******************* Script file located at: \??\C:\WINDOWS\system32\tpqyeoqr.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\E93FBB77-4AF5-4D3A-85F3-97E11B deleted successfully. File E:\Programme\Microsoft AntiSpyware\Quarantine\176E6A36-D4DE-4B76-A83C-9A7B01\14C0E104-18B0-442D-9C15-0B0C69 deleted successfully. File E:\Programme\Microsoft AntiSpyware\Quarantine\BBA5C0CF-EFF0-44B0-8476-3F3723\670F4F59-97B3-4EBD-8FDF-EF984B deleted successfully. File C:\WINDOWS\keyboard111.dat deleted successfully. File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\Drive Cash.exe deleted successfully. File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachsettings1five\RefDrive.exe deleted successfully. File G:\Download\Spiele\artmoney710eng.exe deleted successfully. File E:\Programme\Firefox\plugins\NPMyWebS.dll deleted successfully. File E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll deleted successfully. File E:\Programme\Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\whenu_ff.jar deleted successfully. Completed script processing. ******************* Finished! Terminate. ---------------------------------------- Report von option 1: SmitFraudFix v2.81 Scan done at 16:17:26,73, 17.08.2006 Run from C:\Dokumente und Einstellungen\Admin\Desktop\Wegen Virus\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Admin\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\Admin\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Programme »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End Report von option 2 SmitFraudFix v2.81 Scan done at 15:41:34,67, 17.08.2006 Run from C:\Dokumente und Einstellungen\Admin\Desktop\Wegen Virus\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End |
|
|
||
17.08.2006, 21:55
Ehrenmitglied
Beiträge: 29434 |
#129
scanne bitte mit bitdefender und poste den report
http://virus-protect.org/onlinescan.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
18.08.2006, 02:09
...neu hier
Beiträge: 8 |
#130
BitDefender Online Scanner - Echtzeit-Virenmeldung
Erstellt am: Fri, Aug 18, 2006 - 02:10:30 Prüf-Info Geprüfte Dateien 397292 Infizierte Dateien 3 Erkannte Viren Trojan.Dropper.Small.GT 1 GenPack:Trojan.Swizzor.GI 2 |
|
|
||
18.08.2006, 13:36
Ehrenmitglied
Beiträge: 29434 |
#131
es gibt auch einen Report, wo die pfade mit angezeigt werden, kannst du den hier posten ?
__________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
19.08.2006, 01:34
...neu hier
Beiträge: 8 |
#132
Oh das habe ich nicht mehr sorry und nun?
|
|
|
||
19.08.2006, 13:40
Ehrenmitglied
Beiträge: 29434 |
#133
LaLaLand
scanne und poste den report http://virus-protect.org/cureit.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
24.08.2006, 21:44
Member
Beiträge: 11 |
#134
So, ich hab das gleiche Problem, es werden immer diese win...tmp dateien erstellt.
Hab jetzt schon VundoFix drüberlaufen lassen, der hat was gefunden und gelöscht. Danach hab ich nochmal CLeanUp laufen lassen und dann wurden alle win... tmp dateien gelöscht, bloss, das problem besteht weiterhin . Ich häng einfach mal den HijackThis log an, bin mir nicht sicher ob er dir weiterhilft. Logfile of HijackThis v1.99.1 Scan saved at 21:46:25, on 24.08.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Alwil Software\Avast4\aswUpdSv.exe C:\Programme\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\oodag.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Programme\Alwil Software\Avast4\ashMaiSv.exe C:\Programme\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\Programme\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\SOUNDMAN.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Programme\ICQLite\ICQLite.exe C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\iPod\bin\iPodService.exe C:\Programme\Logitech\SetPoint\SetPoint.exe C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE C:\Programme\Mozilla Firefox\firefox.exe C:\Dokumente und Einstellungen\Felix Lehmann.MI6-FJXZHGFIEWD\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.de.netscape.com/de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.de.netscape.com/de/home/winsearch.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.de.netscape.com/de/home/winsearch200.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ewetel.de R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.de.netscape.com/keyword/%s R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = EWE TEL R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file) N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ewetel.de"); (C:\Program Files\Netscape\Users\prefs.js) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programme\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file) O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\RunServices: [] iexpl0res.exe O4 - HKCU\..\RunServices: [start uploading] smsss.exe O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O15 - Trusted Zone: http://locator1.cdn.imageservr.com O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142022346203 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142022332828 O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{8A595470-95D2-4A01-9FAD-AE448954FFCC}: NameServer = 192.168.178.1 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\Sptisrv.exe O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe (file missing) O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
|
|
||
25.08.2006, 14:45
Ehrenmitglied
Beiträge: 29434 |
#135
Morgoth2k5
ist ein Backdoor auf dem Rechner...willst du reinigen ??? oder gleich formatieren........ Zitat O4 - HKCU\..\RunServices: [] iexpl0res.exe1. poste das log http://virus-protect.org/artikel/tools/combofix.html 2. stelle den CleanUp genauso ein, wie hier angegeben: http://virus-protect.org/cleanup.html 3. Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab) http://virus-protect.org/datfindbat.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
erstelle eine neu.bat und poste den text
Zitat
__________
MfG Sabina
rund um die PC-Sicherheit