My PC is going crazy!!! Endless popups
Thread is closed!
#0 | 17.03.2006, 19:01 | Member | Posts: 18
#2 | 17.03.2006, 19:24 | Member | Posts: 11
Ugh... I can't stand HijackThis... what do you all see in it??

- Grab CCleaner... it cleans your PC of your temp files etc. so that the malware doesn't just reinstall itself right after you delete it. www.download.com Still not gone?
- Next, grab Hitman2pro... it installs all the common antispam programs and runs them automatically. www.hitmanpro.nl
- Now get AntiVir Personal Edition and run the update. www.download.com
- Unless you happen to have some cracked Windows version, get Service Pack 2 and all the security updates... they prevent malware... if that doesn't work through Microsoft you can also download the Service Pack manually (just search on Google).

Well, on my machine no virus has survived that procedure.
#3 | 18.03.2006, 01:07 | Honorary member | Posts: 29434
Harbs

It doesn't make much sense to want to clean this; you destroyed the PC yourself by clicking on everything that glitters on P2P.............

Quote: I downloaded pirated Software from P2P and now I post my Hijack log whining

Set up CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

Copy these 4 text files. They are sorted by date. (Copy only the last 3 months.)
http://virus-protect.org/datfindbat.html
__________
Kind regards, Sabina
All about PC security
#4 | 18.03.2006, 02:44 | Member (thread starter) | Posts: 18
What am I supposed to do with the text files??
Sorry... but I don't get that

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Directory of C:\WINDOWS\system32

18.03.2006  02:30         36.055 vsconfig.xml
18.03.2006  02:29        235.933 bspanui.dll
18.03.2006  02:29         27.436 kspydoc.log
18.03.2006  02:29              0 Sweeper.cfg
18.03.2006  02:27        233.968 hrjq0515e.dll
18.03.2006  02:24        235.933 ir6ul5j91.dll
17.03.2006  13:48        233.968 kldhu.dll
17.03.2006  12:56              2 stera.job
17.03.2006  12:55              2 stera.log
17.03.2006  04:42        234.137 q8psli7718.dll
16.03.2006  13:39        236.216 aamen32.dll
15.03.2006  20:02              2 cmd.com
15.03.2006  20:02              2 regedit.com
15.03.2006  20:02              2 taskkill.com
15.03.2006  20:02              2 tasklist.com
15.03.2006  20:02              2 tracert.com
15.03.2006  20:02              2 ping.com
15.03.2006  20:02              2 netstat.com
15.03.2006  18:34            290 n.bat
15.03.2006  18:33         28.713 astr.exe
15.03.2006  18:33         75.813 xxx.exe
15.03.2006  18:33         28.032 dr.exe
15.03.2006  18:33              0 taskkill.exe
10.03.2006  01:10      4.799.320 MRT.exe
27.02.2006  01:06          4.212 zllictbl.dat
22.02.2006  15:11        233.576 FNTCACHE.DAT
04.02.2006  13:34         43.520 CmdLineExt03.dll
31.01.2006  20:29          2.206 wpa.dbl
24.01.2006  11:46         21.840 SIntfNT.dll
24.01.2006  11:46         17.212 SIntf32.dll
24.01.2006  11:46         12.067 SIntf16.dll
23.01.2006  14:08        375.406 perfh009.dat
23.01.2006  14:08         51.204 perfc009.dat
23.01.2006  14:08        385.728 perfh007.dat
23.01.2006  14:08         61.968 perfc007.dat
23.01.2006  14:08        884.200 PerfStringBackup.INI
04.01.2006  04:35         68.096 webclnt.dll
29.12.2005  03:54        280.064 gdi32.dll

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Volume in drive C is BOOT
Volume Serial Number is C0F6-F3B6

Directory of C:\DOKUME~1\Start\LOKALE~1\Temp

18.03.2006  02:32            978 TmpICQMagic_{05736BBE-C20F-4F10-A6DE-4DB1E3564B0E}17916.html
18.03.2006  02:31            983 TmpICQMagic_{EC202595-1DFD-4301-A1EA-13C1E331B505}14868.html
18.03.2006  02:30         16.384 ~DFAD36.tmp
18.03.2006  02:30            512 ~DF4F5F.tmp
18.03.2006  02:30         16.384 ~DF47B5.tmp
18.03.2006  02:30            412 jusched.log
13.03.2006  09:09            126 D9164221.TMP
               7 File(s)         35.779 bytes
               0 Dir(s)  30.953.332.736 bytes free

................................................................................................
Volume in drive C is BOOT
Volume Serial Number is C0F6-F3B6

Directory of C:\WINDOWS

18.03.2006  02:45             24 p0Y7b   --> Apropos: http://virus-protect.org/artikel/spyware/apropos1.html
18.03.2006  02:30          3.039 setupapi.log
18.03.2006  02:30            159 wiadebug.log
18.03.2006  02:30          4.210 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
18.03.2006  02:30      1.082.095 WindowsUpdate.log
18.03.2006  02:30          1.920 ModemLog_Standardmodem.txt
18.03.2006  02:29             50 wiaservc.log
18.03.2006  02:29              0 0.log
18.03.2006  02:29          2.048 bootstat.dat
18.03.2006  02:28         31.942 SchedLgU.Txt
15.03.2006  20:02        155.648 b.exe
15.03.2006  18:33              0 keyboard21.dat
15.03.2006  18:33              0 newname.dat
14.03.2006  19:13            110 wininit.ini
14.03.2006  12:26         10.752 DH.dll
13.03.2006  05:22         54.156 QTFont.qfn
01.03.2006  19:02             29 TRWINUPD.DLL
25.02.2006  10:06      3.145.782 Picture It!-Hintergrundbild.bmp
23.02.2006  12:32          1.409 QTFont.for
23.01.2006  14:04          2.082 ModemLog_Standardmodem über Bluetooth-Verbindung.txt
14.01.2006  13:31      2.359.350 Firefox Wallpaper.bmp
06.01.2006  19:55          1.421 win.ini
03.01.2006  17:45          1.989 uninstall_nmon.vbs
27.12.2005  17:17          6.104 ModemLog_Bluetooth DUN Modem.txt
27.12.2005  17:17          6.098 ModemLog_Bluetooth Fax Modem.txt
25.12.2005  00:34        118.784 bwUnin-7.2.0.137-8876480SL.exe
24.12.2005  16:21          1.525 pstudio.ini
...............................................................................................

Directory of C:\

18.03.2006  02:46              0 sys.txt
18.03.2006  02:45          9.693 system.txt
18.03.2006  02:45            676 systemtemp.txt
18.03.2006  02:41        110.964 system32.txt
18.03.2006  02:29    536.403.968 hiberfil.sys
18.03.2006  02:29    805.306.368 pagefile.sys
18.03.2006  01:51             45 TEST.XML
15.03.2006  18:34        299.624 WHCC2.exe
15.03.2006  18:33         49.152 newname2.exe
15.03.2006  18:33         38.040 DR140306.exe
15.03.2006  18:33         20.480 keyboard2.exe
15.03.2006  18:33         49.152 drsmartload1.exe
25.02.2006  16:57        444.307 stub.log
18.12.2005  12:21            152 Delme.bat
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Like this?

Here's another current logfile (don't know whether you can use it, but I'll just post it ^^), and already MANY, MANY THANKS FOR YOUR HELP:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:55, on 18.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Programme\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\Dit.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\vsnpstd.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Anti-Hijacker\AntiHijacker 1.2.EXE
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Start\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programme\Gemeinsame Dateien\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [list clock wave surf] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachjoylistclock\BalmShow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] D:\Antiblaxx an 192.168.0.254\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [shell32] C:\WINDOWS\system32\wuauclt10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P and now I post my Hijack log whining] C:\WINDOWS\system32\Fifa Soccer 2006 crack.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [newname] C:\\newname2.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Anti-Hijacker.lnk = C:\Programme\Anti-Hijacker\AntiHijacker 1.2.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\q0nula591d.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

The popups and stuff are GONE!!!!!!! GREAT!!!!! I LOVE YOU ^^ But I don't think my PC is clean yet.

This post was edited on 18.03.2006 at 14:37 by Harbs.
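What the helpers on this forum read by eye in a datfind.bat listing like the one above is a handful of patterns: several files written in the same minute (the 15.03.2006 18:33 and 20:02 groups), two-byte .com files named after console tools (on XP the default PATHEXT lists .COM before .EXE, so a bare `regedit` or `cmd` resolves to the planted .com first), a zero-byte taskkill.exe, and a crop of randomly named DLLs of almost identical size in system32. The script below is an added example, not code from datfind.bat, HijackThis or anything else in this thread; it parses a subset of the system32 listing from post #4 (German-locale `dir` output, dots as thousands separators) and applies those heuristics. The sample is constructed from that listing; the tool-name set and the thresholds (4 files per minute, 4 KiB size window, 3 DLLs per cluster) are assumptions.

```python
"""Triage heuristics for a datfind.bat-style `dir` listing.

Added example for this thread, not code from datfind.bat, HijackThis or any
other tool named here.  SAMPLE_LISTING is constructed from the system32
listing in post #4; SHADOWED_TOOLS and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: a subset of the C:\WINDOWS\system32 listing from post #4.
SAMPLE_LISTING = """\
Directory of C:\\WINDOWS\\system32
18.03.2006  02:29        235.933 bspanui.dll
18.03.2006  02:27        233.968 hrjq0515e.dll
18.03.2006  02:24        235.933 ir6ul5j91.dll
17.03.2006  13:48        233.968 kldhu.dll
17.03.2006  04:42        234.137 q8psli7718.dll
16.03.2006  13:39        236.216 aamen32.dll
15.03.2006  20:02              2 cmd.com
15.03.2006  20:02              2 regedit.com
15.03.2006  20:02              2 taskkill.com
15.03.2006  20:02              2 tasklist.com
15.03.2006  20:02              2 tracert.com
15.03.2006  20:02              2 ping.com
15.03.2006  20:02              2 netstat.com
15.03.2006  18:34            290 n.bat
15.03.2006  18:33         28.713 astr.exe
15.03.2006  18:33         75.813 xxx.exe
15.03.2006  18:33         28.032 dr.exe
15.03.2006  18:33              0 taskkill.exe
10.03.2006  01:10      4.799.320 MRT.exe
31.01.2006  20:29          2.206 wpa.dbl
29.12.2005  03:54        280.064 gdi32.dll
"""

# Console tools the infection in this thread shadowed with 2-byte .com files.
# Assumption: extend to whatever your own baseline cares about.
SHADOWED_TOOLS = {"cmd", "regedit", "taskkill", "tasklist", "tracert",
                  "ping", "netstat", "regsvr32", "msconfig"}

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(r"^\s*(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2})\s+([\d.]+)\s+(\S.*?)\s*$")


def parse_listing(text):
    """Turn `dir` output into dicts with directory, timestamp, size and name."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = ENTRY_RE.match(line)        # <DIR> rows do not match: size is not numeric
        if not m:
            continue
        date_s, time_s, size_s, name = m.groups()
        entries.append({
            "dir": current_dir,
            "when": datetime.strptime(f"{date_s} {time_s}", "%d.%m.%Y %H:%M"),
            "size": int(size_s.replace(".", "")),   # 4.799.320 -> 4799320
            "name": name,
        })
    return entries


def find_com_shadowing(entries):
    """'.com' files named after console tools: PATHEXT tries .COM before .EXE."""
    return [e["name"] for e in entries
            if PureWindowsPath(e["name"]).suffix.lower() == ".com"
            and PureWindowsPath(e["name"]).stem.lower() in SHADOWED_TOOLS]


def find_zero_byte_tools(entries):
    """Zero-length files carrying the name of a system tool (a neutered binary)."""
    return [e["name"] for e in entries
            if e["size"] == 0 and PureWindowsPath(e["name"]).stem.lower() in SHADOWED_TOOLS]


def find_drop_bursts(entries, min_files=4):
    """Files written in the same minute: a dropper unpacking its payload."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["when"]].append(e["name"])
    return {when.strftime("%d.%m.%Y %H:%M"): sorted(names)
            for when, names in sorted(by_minute.items()) if len(names) >= min_files}


def find_dll_size_clusters(entries, window=4096, min_members=3):
    """DLLs whose sizes all lie within `window` bytes of the smallest member:
    one family of rotating, randomly named copies (what the l2mfix step in
    post #5 is aimed at)."""
    dlls = sorted((e for e in entries if e["name"].lower().endswith(".dll")),
                  key=lambda e: e["size"])
    clusters, i = [], 0
    while i < len(dlls):
        j = i
        while j + 1 < len(dlls) and dlls[j + 1]["size"] - dlls[i]["size"] <= window:
            j += 1
        if j - i + 1 >= min_members:
            clusters.append([e["name"] for e in dlls[i:j + 1]])
        i = j + 1
    return clusters


def triage(text):
    entries = parse_listing(text)
    return {
        "com_shadowing": find_com_shadowing(entries),
        "zero_byte_tools": find_zero_byte_tools(entries),
        "drop_bursts": find_drop_bursts(entries),
        "dll_size_clusters": find_dll_size_clusters(entries),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LISTING).items():
        print(f"{section}: {hits}")
```

Run against the sample it reports the seven shadowing .com files, the zero-byte taskkill.exe, the two drop bursts and one cluster of six DLLs; the legitimate gdi32.dll and MRT.exe stay out of every list. The size-cluster check is the weakest of the four on its own (a service pack also drops many similarly sized DLLs), which is why the script reports categories separately instead of a single verdict.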
#5 | 18.03.2006, 16:19 | Honorary member | Posts: 29434
Harbs
* Make hidden and system files visible
http://virus-protect.org/invisible.html

* Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop with 'Save as'. Under file type, choose 'All files'. You should now find this file on the desktop.

Quote:
REGEDIT4

** Avenger
http://virus-protect.org/artikel/tools/avenger.html
Paste in:

Quote:
Files to delete:

Click the green "traffic light" in Avenger; the script is now executed, then the PC restarts automatically.

Open HijackThis -- button "Scan" -- tick the malware entries -- button "Fix checked" -- restart the PC

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [list clock wave surf] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachjoylistclock\BalmShow.exe
O4 - HKLM\..\Run: [shell32] C:\WINDOWS\system32\wuauclt10.exe
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P and now I post my Hijack log whining] C:\WINDOWS\system32\Fifa Soccer 2006 crack.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [newname] C:\\newname2.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\q0nula591d.dll (file missing)

Restart the PC.

Restart the computer in Safe Mode (press F8 while booting).
Double-click the file "fixme.reg" on the desktop.

Uninstall MessengerPlus! 3

Delete:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\eachjoylistclock
----------------------------------------------------------------------------------------------
1. Post the scan report from Avenger.

2. aproposfix
http://swandog46.geekstogo.com/aproposfix.exe
Download aproposfix.exe --> click RunThis.bat, press "Enter" and wait until the window closes. Then copy the log.txt.

3. l2mfix --> work through option 2 and post the scan report after the restart and scan.
http://virus-protect.org/l2mfix.html

4. My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".

5. Scan with ewido --> post the scan report.
http://virus-protect.org/ewido.html

6. Panda (scan and post the scan report)
http://virus-protect.org/onlinescan.html

There's more to come... but this much for now.
By the way... I haven't seen such an infested PC in a long time.
__________
Kind regards, Sabina
All about PC security
#6 | 18.03.2006, 16:39 | Member (thread starter) | Posts: 18
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qdcjksyi

*******************

Script file located at: \??\C:\WINDOWS\dmxlhpgm.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\csrrs.exe not found!
Deletion of file C:\WINDOWS\system32\csrrs.exe failed!

File C:\WINDOWS\system32\Fifa Soccer 2006 crack.exe not found!
Deletion of file C:\WINDOWS\system32\Fifa Soccer 2006 crack.exe failed!
Could not process line:
C:\WINDOWS\system32\Fifa Soccer 2006 crack.exe
Status: 0xc0000034

File C:\WINDOWS\system32\bspanui.dll not found!
Deletion of file C:\WINDOWS\system32\bspanui.dll failed!
Could not process line:
C:\WINDOWS\system32\bspanui.dll
Status: 0xc0000034

File C:\WINDOWS\system32\wuauclt10.exe deleted successfully.
File C:\WINDOWS\system32\kspydoc.log deleted successfully.
File C:\WINDOWS\system32\Sweeper.cfg deleted successfully.

File C:\WINDOWS\system32\hrjq0515e.dll not found!
Deletion of file C:\WINDOWS\system32\hrjq0515e.dll failed!
Could not process line:
C:\WINDOWS\system32\hrjq0515e.dll
Status: 0xc0000034

File C:\WINDOWS\system32\ir6ul5j91.dll not found!
Deletion of file C:\WINDOWS\system32\ir6ul5j91.dll failed!
Could not process line:
C:\WINDOWS\system32\ir6ul5j91.dll
Status: 0xc0000034

File C:\WINDOWS\system32\kldhu.dll not found!
Deletion of file C:\WINDOWS\system32\kldhu.dll failed!
Could not process line:
C:\WINDOWS\system32\kldhu.dll
Status: 0xc0000034

File C:\WINDOWS\system32\stera.job deleted successfully.
File C:\WINDOWS\system32\stera.log deleted successfully.

File C:\WINDOWS\system32\q8psli7718.dll not found!
Deletion of file C:\WINDOWS\system32\q8psli7718.dll failed!
Could not process line:
C:\WINDOWS\system32\q8psli7718.dll
Status: 0xc0000034

File C:\WINDOWS\system32\aamen32.dll not found!
Deletion of file C:\WINDOWS\system32\aamen32.dll failed!
Could not process line:
C:\WINDOWS\system32\aamen32.dll
Status: 0xc0000034

File C:\WINDOWS\system32\cmd.com not found!
Deletion of file C:\WINDOWS\system32\cmd.com failed!
Could not process line:
C:\WINDOWS\system32\cmd.com
Status: 0xc0000034

File C:\WINDOWS\system32\regedit.com not found!
Deletion of file C:\WINDOWS\system32\regedit.com failed!
Could not process line:
C:\WINDOWS\system32\regedit.com
Status: 0xc0000034

File C:\WINDOWS\system32\taskkill.com not found!
Deletion of file C:\WINDOWS\system32\taskkill.com failed!
Could not process line:
C:\WINDOWS\system32\taskkill.com
Status: 0xc0000034

File C:\WINDOWS\system32\tasklist.com not found!
Deletion of file C:\WINDOWS\system32\tasklist.com failed!
Could not process line:
C:\WINDOWS\system32\tasklist.com
Status: 0xc0000034

File C:\WINDOWS\system32\tracert.com not found!
Deletion of file C:\WINDOWS\system32\tracert.com failed!
Could not process line:
C:\WINDOWS\system32\tracert.com
Status: 0xc0000034

File C:\WINDOWS\system32\ping.com not found!
Deletion of file C:\WINDOWS\system32\ping.com failed!
Could not process line:
C:\WINDOWS\system32\ping.com
Status: 0xc0000034

File C:\WINDOWS\system32\netstat.com not found!
Deletion of file C:\WINDOWS\system32\netstat.com failed!
Could not process line:
C:\WINDOWS\system32\netstat.com
Status: 0xc0000034

File C:\WINDOWS\system32\n.bat deleted successfully.

File C:\WINDOWS\system32\astr.exe not found!
Deletion of file C:\WINDOWS\system32\astr.exe failed!
Could not process line:
C:\WINDOWS\system32\astr.exe
Status: 0xc0000034

File C:\WINDOWS\system32\xxx.exe deleted successfully.
File C:\WINDOWS\system32\dr.exe deleted successfully.
File C:\WINDOWS\system32\taskkill.exe deleted successfully.
File C:\WINDOWS\b.exe deleted successfully.
File C:\WINDOWS\keyboard21.dat deleted successfully.
File C:\WINDOWS\newname.dat deleted successfully.

File C:\WINDOWS\uninstall_nmon.vbs not found!
Deletion of file C:\WINDOWS\uninstall_nmon.vbs failed!
Could not process line:
C:\WINDOWS\uninstall_nmon.vbs
Status: 0xc0000034

File C:\WHCC2.exe not found!
Deletion of file C:\WHCC2.exe failed!
Could not process line:
C:\WHCC2.exe
Status: 0xc0000034

File C:\newname2.exe deleted successfully.

File C:\DR140306.exe not found!
Deletion of file C:\DR140306.exe failed!
Could not process line:
C:\DR140306.exe
Status: 0xc0000034

File C:\keyboard2.exe not found!
Deletion of file C:\keyboard2.exe failed!
Could not process line:
C:\keyboard2.exe
Status: 0xc0000034

File C:\drsmartload1.exe not found!
Deletion of file C:\drsmartload1.exe failed!
Could not process line:
C:\drsmartload1.exe
Status: 0xc0000034

File C:\Delme.bat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Quote: Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop with 'Save as'. Under file type, choose 'All files'. You should now find this file on the desktop.

Should I add the file to the registry?

This post was edited on 18.03.2006 at 16:44 by Harbs.
#7 | 18.03.2006, 16:48 | Honorary member | Posts: 29434
Yes, but only later (in Safe Mode)... it's all listed.............
__________
Kind regards, Sabina
All about PC security
#8 | 18.03.2006, 16:52 | Honorary member | Posts: 29434
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: tick "Delete on Reboot" --> and click the red cross. When asked "Do you want to reboot?" ---- click "No" and paste in the next one; only click "Yes" on the last one. Paste in:
...........
C:\WINDOWS\DH.dll
C:\WINDOWS\TRWINUPD.DLL
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\astr.exe
C:\WINDOWS\system32\Fifa Soccer 2006 crack.exe
C:\WINDOWS\system32\csrrs.exe
C:\WINDOWS\keyboard21.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\WHCC2.exe
C:\DR140306.exe
C:\keyboard2.exe
C:\drsmartload1.exe

Restart the PC
__________
Kind regards, Sabina
All about PC security
#9 | 18.03.2006, 17:12 | Member (thread starter) | Posts: 18
Log of AproposFix v1.1

************

Running from directory:
C:\Dokumente und Einstellungen\Start\Desktop\aproposfix

************

Warning: batch running in normal mode, not Safe Mode!
In normal mode the fix WILL NOT WORK!

Registry entries found:

************

No service found!

Removing hidden folder:
No folder found!

Deleting files:

Backing up files:
Done!

Removing registry entries:
REGEDIT4

Done!

Finished!
#10 | 18.03.2006, 17:13 | Honorary member | Posts: 29434
Quote: Warning: batch running in normal mode, not Safe Mode! In normal mode the fix WILL NOT WORK!

Once more... in Safe Mode... to delete the Apropos!!!!!!!!!!!
__________
Kind regards, Sabina
All about PC security
#11 | 18.03.2006, 17:32 | Member (thread starter) | Posts: 18
L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F4F00575-0444-A768-1F9E-11DD00C42F5B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{D120D80B-BD26-4A74-8E43-2C2AF0966139}"="QuickPar ContextMenu extension"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universelle Plug & Play-Geräte"
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{59B12D92-FC2B-4063-B3D5-6BC628A0D4EB}"="ArchiCrypt Shredder2 ShellExtension"
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
"{8A53CA2A-955E-4010-9D7F-F5830C3D816E}"=""
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"="Shell Extension for Malware scanning"
"{377BBCBD-F863-486F-A723-F6CF1E5AC046}"=""
"{37F1B261-ADEC-4E51-8482-6A56FB966324}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}\InprocServer32]
@="C:\\WINDOWS\\system32\\rTstapi.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

Directory Listing of system files:
Volume in drive C is BOOT
Volume Serial Number is C0F6-F3B6

Directory of C:\WINDOWS\System32

18.03.2006  17:23    <DIR>          ..
18.03.2006  17:23    <DIR>          .
15.03.2006  18:33    <DIR>          dllcache
13.12.2003  17:23                32 {E262E80D-BE08-44C1-B4C9-B555F1F6FCEF}.dat
05.02.2003  08:41    <DIR>          Microsoft
               1 File(s)             32 bytes
               4 Dir(s)  30.757.462.016 bytes free
18.03.2006, 17:37
Honorary member
Posts: 29434
18.03.2006, 18:04
Member
Thread starter, Posts: 18
#13
L2mfix 010406
Creating Account.
Der Befehl wurde erfolgreich ausgeführt.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes): 0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*
zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
18.03.2006, 18:09
Honorary member
Posts: 29434
#14
aproposfix
http://swandog46.geekstogo.com/aproposfix.exe
in Safe Mode !!!!!!!!!!!!!!!!
then run l2mfix again ... option 1
__________
Regards
Sabina
all about PC security
18.03.2006, 18:13
Member
Thread starter, Posts: 18
#15
Running From:
C:\Dokumente und Einstellungen\Start\Desktop\l2mfix
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 456 'smss.exe'
Error 0x6 : Das Handle ist ungültig.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 608 'winlogon.exe'
Error 0x6 : Das Handle ist ungültig.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1440 'explorer.exe'
Killing PID 1440 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}\InprocServer32]
@="C:\\WINDOWS\\system32\\rTstapi.dll"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8A53CA2A-955E-4010-9D7F-F5830C3D816E}"=-
"{377BBCBD-F863-486F-A723-F6CF1E5AC046}"=-
"{37F1B261-ADEC-4E51-8482-6A56FB966324}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8A53CA2A-955E-4010-9D7F-F5830C3D816E}]
[-HKEY_CLASSES_ROOT\CLSID\{377BBCBD-F863-486F-A723-F6CF1E5AC046}]
[-HKEY_CLASSES_ROOT\CLSID\{37F1B261-ADEC-4E51-8482-6A56FB966324}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

ok.... I'll do that then

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{D120D80B-BD26-4A74-8E43-2C2AF0966139}"="QuickPar ContextMenu extension"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universelle Plug & Play-Geräte"
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{59B12D92-FC2B-4063-B3D5-6BC628A0D4EB}"="ArchiCrypt Shredder2 ShellExtension"
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"="Shell Extension for Malware scanning"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: C0F6-F3B6
Verzeichnis von C:\WINDOWS\System32
18.03.2006 18:18 <DIR> ..
18.03.2006 18:18 <DIR> .
15.03.2006 18:33 <DIR> dllcache
13.12.2003 17:23 32 {E262E80D-BE08-44C1-B4C9-B555F1F6FCEF}.dat
05.02.2003 08:41 <DIR> Microsoft
1 Datei(en) 32 Bytes
4 Verzeichnis(se), 35.404.296.192 Bytes frei
----------------------------------------------------------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
----------------------------------------------------------------------------

SO !!!!! and now run ewido and Panda as well, or what?!

This post was edited by Harbs on 18.03.2006 at 18:27.
maybe someone can help me with this !!!!!!!!!!!!!!