Can someone show me how to delete TR/swizzor.A

Topic is closed!
01.05.2006, 21:00
Honorary member

Posts: 29434
#61 truthfacer

CleanUp
http://virus-protect.org/cleanup.html

Open HijackThis -- button "Scan" -- tick the box in front of the malware entry -- button "Fix checked" -- restart the PC


O2 - BHO: (no name) - {EDFE3544-C056-FE24-625E-E1613FD73901} - C:\DOKUME~1\rob\ANWEND~1\MULTIN~1\Tray Defy.exe
O4 - HKLM\..\Run: [Meal Flaw Mp3 Mpeg] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\fastbitsmealflaw\ElseGlobal.exe
O4 - HKCU\..\Run: [lite way] C:\DOKUME~1\rob\ANWEND~1\TYPE32~1\WinWebCoal.exe

Restart the PC

Work through this:
http://virus-protect.org/artikel/spyware/lop1.html

Delete:

C:\Dokumente und Einstellungen\rob\Anwendungsdaten\MULTIN........
C:\Dokumente und Einstellungen\rob\Anwendungsdaten\TYPE32.........
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\fastbitsmealflaw\

-----------------------

Counterspy (after the scan, set everything to *remove)
**
scan with dr.web
**
Panda online scan (delete everything manually)
**
apply CleanUp once more

------------------
When everything is clean:

Start -- All Programs -- Accessories -- Notepad, and paste the following text into it:

Quote

dir %Windir%\tasks /a:h > files.txt
notepad files.txt
- Save as: findjobs.bat
- Save as type: All Files
- save it on the Desktop
- Locate findjobs.bat -- double-click the bat file, Notepad opens -- post the text
__________
Regards, Sabina

all about PC security
02.05.2006, 14:23
Member

Posts: 20
#62 Hi again!

I have now entered the specified text in Notepad and then checked again with Dr Web and Panda. Unfortunately Dr Web still found four viruses, and Panda also found eleven infected files. The files Panda showed I could delete manually (they were cookies); the files Dr Web found I could delete neither with Dr Web nor manually. That is, when closing the program I deleted them like this: "nicht desinfizierbar.gelöscht". Are they really gone now?
Thanks in advance!
Here are the two reports from Dr Web and Panda:

DR WEB:

A0052932.exe C:\System Volume Information\_restore{5D0F8B0A-9D3D-426F-B7CF-84AFDAD7B5B1}\RP195 Trojan.Swizzor
A0052933.exe C:\System Volume Information\_restore{5D0F8B0A-9D3D-426F-B7CF-84AFDAD7B5B1}\RP195 Trojan.Swizzor
A0052934.exe C:\System Volume Information\_restore{5D0F8B0A-9D3D-426F-B7CF-84AFDAD7B5B1}\RP195 Trojan.Swizzor


Panda:

Incident Status Location

Spyware:Cookie/Itrack Not disinfected C:\Dokumente und Einstellungen\han\Anwendungsdaten\Mozilla\Firefox\Profiles\nwh2vbhf.default\cookies.txt[ilead.itrack.it/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\han\Anwendungsdaten\Mozilla\Firefox\Profiles\nwh2vbhf.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\han\Anwendungsdaten\Mozilla\Firefox\Profiles\nwh2vbhf.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\han\Anwendungsdaten\Mozilla\Firefox\Profiles\nwh2vbhf.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Dokumente und Einstellungen\han\Anwendungsdaten\Mozilla\Firefox\Profiles\nwh2vbhf.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\han\Anwendungsdaten\Mozilla\Firefox\Profiles\nwh2vbhf.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\han\Anwendungsdaten\Mozilla\Firefox\Profiles\nwh2vbhf.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\han\Cookies\han@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\han\Cookies\han@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Dokumente und Einstellungen\han\Cookies\han@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\han\Cookies\han@doubleclick[1].txt
02.05.2006, 14:49
Honorary member

Posts: 29434
#63 Henneböhl

My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".
(then turn it back on)

Then everything is fine again ;)
__________
Regards, Sabina

all about PC security
02.05.2006, 23:19
Member

Posts: 20
#64 OK! I'll run another virus scan in the next few days.. Thanks a lot in any case!
15.05.2006, 13:33
...new here

Posts: 5
#65 Hello everyone!
I need your help too:

Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 13:33:38, on 15.05.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programme\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\acer\Wireless\Utility\WlanUtil.exe
C:\PROGRA~1\LAUNCH~1\LManager.EXE
C:\acer\epm\epm-dm.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\SurfAccuracy\SAcc.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\maepsk.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\ICQLite\ICQLite.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Opera75\opera.exe
C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Programme\vir\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400055&utm_content=leftnav&utm_source=wdz3&utm_medium=bund&utm_campaign=wdz0805
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com/start.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Programme\e-zshopper\BarLcher.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\System32\hlwin.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Programme\Accoona\ASearchAssist.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programme\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {E7A8A06F-EF5E-995F-2A3A-9C313AC9BBAA} - C:\DOKUME~1\EMI\ANWEND~1\BALMCOOL\Phoneloud.exe
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Programme\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: e-zshopper 1.200 - {3D782BB3-F2A5-11D3-BF4C-000000000000} - C:\Programme\e-zshopper\BarLcher.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Programme\Accoona\atoolbar.dll
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Programme\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [acerWireless] C:\Programme\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.EXE
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programme\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [SurfAccuracy] C:\Programme\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpb.exe
O4 - HKLM\..\Run: [Majhbx] C:\Program Files\Tjoc\Bkrry.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bO²ùõö/ØF%)ßfÏNb½¾C:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\mtteqcj.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\maepsk.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [hole copy tool draw] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\readme okay hole copy\seconddent.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [TheOption] C:\DOKUME~1\EMI\ANWEND~1\RdrDate\Webseek.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: Link to &MidpX - C:\Programme\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eZshopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra 'Tools' menuitem: e-zshopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\System32\hlwin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programme\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
15.05.2006, 13:45
Honorary member

Posts: 29434
#66 emiemkes

Go into the Registry

Start --> Run --> regedit (type it in)

Edit - Find - switp

Delete with right-click:

HKEY_LOCAL_MACHINE\SOFTWARE\switp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\switp

----------------------------------------------------------------------------

1.
Set up the Cleaner exactly as specified here:
http://virus-protect.org/cleanup.html

2.
Open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

Quote

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400055&utm_content=leftnav&utm_source=wdz3&utm_medium=bund&utm_campaign=wdz0805

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com/start.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s

O2 - BHO: IE5BarLauncherBHO Class - {1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} - C:\Programme\e-zshopper\BarLcher.dll
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - C:\WINDOWS\System32\hlwin.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Programme\Accoona\ASearchAssist.dll

O2 - BHO: (no name) - {E7A8A06F-EF5E-995F-2A3A-9C313AC9BBAA} - C:\DOKUME~1\EMI\ANWEND~1\BALMCOOL\Phoneloud.exe
O2 - BHO: Kwyshell MidpX BHO - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Programme\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O3 - Toolbar: e-zshopper 1.200 - {3D782BB3-F2A5-11D3-BF4C-000000000000} - C:\Programme\e-zshopper\BarLcher.dll
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Programme\Accoona\atoolbar.dll
O3 - Toolbar: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - C:\Programme\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll

O4 - HKLM\..\Run: [SurfAccuracy] C:\Programme\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpb.exe
O4 - HKLM\..\Run: [Majhbx] C:\Program Files\Tjoc\Bkrry.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [bO²ùõö/ØF%)ßfÏNb½¾C:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\mtteqcj.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\maepsk.exe
O4 - HKLM\..\Run: [hole copy tool draw] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\readme okay hole copy\seconddent.exe
O4 - HKCU\..\Run: [TheOption] C:\DOKUME~1\EMI\ANWEND~1\RdrDate\Webseek.exe
O4 - Startup: PowerReg SchedulerV2.exe

O8 - Extra context menu item: Link to &MidpX - C:\Programme\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm

O9 - Extra button: eZshopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)
O9 - Extra 'Tools' menuitem: e-zshopper - {BFA03761-5565-41b3-93D9-82B354C0A8EC} - SHDOCVW.DLL (file missing)

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\System32\hlwin.dll
Restart the PC

3.
Uninstall:
"Start -> Settings -> Control Panel -> Add or Remove Programs"

OfferAgent
C:\Programme\Accoona
C:\Programme\Kwyshell
C:\Programme\ISTsvc
C:\Programme\e-zshopper
C:\Programme\SurfAccuracy

Delete

C:\Program Files\Tjoc
C:\WINDOWS\maepsk.exe
C:\WINDOWS\switpb.exe
C:\WINDOWS\System32\hlwin.dll

-----------------------------------------------------------
4.
VirtumundoBeGone
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
double-click VirtumundoBeGone.exe

5.
Apply VundoFix
http://virus-protect.org/artikel/tools/vundofixx.html

6.
Counterspy
http://virus-protect.org/counterspy.html
* after the scan you have to choose between:

*Ignore
*Remove --> Status: Deleted
*Quarantine

Always choose Remove and restart the PC (then copy the scan report)


Then we'll see...............
__________
Regards, Sabina

all about PC security
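The two HijackThis walk-throughs above (posts #61 and #66) apply the same rules of thumb when picking entries to fix. The script below, an added example and not a tool from this thread, encodes those rules so suspicious entries can be pulled out of a long log for review; all function names are my own, and the sample log is constructed from entries quoted in the thread plus two benign ones for contrast.

```python
"""Triage helper for HijackThis logs like the ones posted in this thread.

Added example, not a tool from the thread: it encodes the rules of thumb the
helper applies when picking entries to fix (a BHO that points at an .exe,
autostarts under Application Data or directly in the Windows directory, a
text/html MIME filter, Trusted Zone additions, changed start/search pages,
garbled autostart names) so they can be pulled out of a long log for review.
It changes nothing on the machine; the decision stays with the person cleaning up.
"""
import re
from typing import List, Tuple

# Every HijackThis entry starts with its section code: "R1 - ...", "O4 - ...".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# German XP profile paths ("Anwendungsdaten") and their 8.3 forms, as seen in the thread.
APPDATA_RE = re.compile(r"\\(ANWEND~1|Anwendungsdaten|Application Data|APPLIC~1)\\", re.I)
# An .exe sitting directly in C:\WINDOWS rather than in a subdirectory.
WINROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.I)


def _exe_path(text: str) -> str:
    """Strip surrounding quotes and command-line arguments from an autostart target."""
    text = text.strip()
    if text.startswith('"'):
        return text[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.(?:exe|dll|ocx))", text, re.I)
    return m.group(1) if m else text


def classify(line: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'review' or 'suspicious'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("ok", "not a HijackThis entry")
    sec, rest = m.group("sec"), m.group("rest")
    if sec == "O2":
        # A Browser Helper Object must be a DLL; an .exe here is a hijack pattern.
        path = _exe_path(rest.rsplit(" - ", 1)[-1])
        if path.lower().endswith(".exe"):
            return ("suspicious", "BHO registered with an .exe instead of a DLL")
        if APPDATA_RE.search(path):
            return ("suspicious", "BHO loaded from a user profile directory")
        if "(no name)" in rest:
            return ("review", "BHO without a name")
    elif sec == "O4":
        # Value name sits in [...]; the target follows the closing bracket.
        name, _, target = rest.partition("]")
        name = name.split("[", 1)[-1]
        if not name.isascii() or not name.isprintable():
            return ("suspicious", "garbled characters in the autostart value name")
        path = _exe_path(target if target else rest)
        if APPDATA_RE.search(path):
            return ("suspicious", "autostart from an application-data directory")
        if WINROOT_RE.match(path):
            return ("review", "autostart executable directly in the Windows directory")
    elif sec == "O15":
        return ("review", "site added to the Trusted Zone")
    elif sec == "O18" and rest.startswith("Filter: text/html"):
        return ("suspicious", "text/html MIME filter sees every page the browser renders")
    elif sec in ("R0", "R1"):
        return ("review", "start or search page changed")
    return ("ok", "")


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """List (verdict, reason, entry) for every entry that is not plain 'ok'."""
    findings = []
    for line in log_text.splitlines():
        verdict, reason = classify(line)
        if verdict != "ok":
            findings.append((verdict, reason, line.strip()))
    return findings


# Constructed sample: entries quoted in this thread plus two benign ones for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
O2 - BHO: (no name) - {EDFE3544-C056-FE24-625E-E1613FD73901} - C:\DOKUME~1\rob\ANWEND~1\MULTIN~1\Tray Defy.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Meal Flaw Mp3 Mpeg] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\fastbitsmealflaw\ElseGlobal.exe
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpb.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - C:\WINDOWS\System32\hlwin.dll
"""

if __name__ == "__main__":
    for verdict, reason, entry in triage(SAMPLE_LOG):
        print(f"[{verdict:10}] {reason}\n             {entry}")
```

Entries flagged "review" (an .exe in the Windows root, a changed search page) are not malicious on their own; they are the ones to check against the rest of the log before ticking them in HijackThis.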
15.05.2006, 16:45
...new here

Posts: 5
#67 Hello,
I did everything.
But when deleting there was no C:\WINDOWS\maepsk.exe and no C:\WINDOWS\System32\hlwin.dll.
And Virtumundo and Vundofix didn't find anything.


Spyware Scan Details
Start Date: 15.05.2006 15:42:24
End Date: 15.05.2006 16:37:37
Total Time: 55 mins 13 secs

Detected spyware

IST.ISTbar Hijacker more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=7457>
Details: ISTbar is an Internet Explorer Hijacker, which modifies your homepages and searches without a user’s consent using an Internet Explorer toolbar.
Status: Deleted

Infected files detected
c:\programme\sidefind\sfbho.dll_tobedeleted
c:\programme\sidefind\sidefind.dll_tobedeleted

Infected registry entries detected
HKEY_CURRENT_USER\software\ist
HKEY_CURRENT_USER\software\ist Recover !ZpHc…Z•x,Ä›°qÙþs…9F p¶G›ÖwD¾-DúOß‘Fõ[HONX#Š.”¡Ç¦AÁC÷NT,%,2.|r?»LÕ5›z³ÜŸ.dáÈON«ýNäÔ²SMÐ\'ùk3¾ÁŸWñå D â_ÀSV—GÒ¥©«Á-Çt°;£Ë�]|àƒ¼|Dn.0§ ñ£_°á×g/
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc version 1024
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc app_name istsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_url http://www.ysbweb.com/ist/scripts/istsvc_ads_data.php
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_url http://cache.ysbweb.com/ist/softwares/istupdates/istsvc_updater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_url http://www.ysbweb.com/ist/scripts/istsvc_config.php
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc ui 691BCD46-665D-4b48-BE57-2F55ADE64E3C
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_initial_delay 600
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_count 143
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_day_count 2
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_day_limit 5
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_count 1
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_version 1024
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_count 93
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc account_id 0
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc app_date
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_interval 5400
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_last
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_interval 86400
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_last
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_interval 432000
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_last


AntiLeech Plugin Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=15044>
Details: Plugin is an Ad-Ware software which enables the broadcasting of advertisements, and execution of e-commerce and other internet related services on the user-interface of the software.
Status: Deleted

Infected files detected
c:\programme\anti-leech\alie_1.0.2.2\al2np.dll
c:\programme\anti-leech\alie_1.0.2.2\alhlp.exe
c:\programme\anti-leech\alie_1.0.2.2\alie.dll
c:\programme\anti-leech\alie_1.0.2.2\alie.inf
c:\programme\anti-leech\alie_1.0.2.2\iesetup2.exe
c:\programme\anti-leech\alnn\al2np.dll
c:\programme\anti-leech\alnn\alhlp.exe
c:\programme\anti-leech\alnn\npalnn.dll
c:\programme\anti-leech\alnn\setup2.exe
C:\Programme\Mozilla Firefox\plugins\al2np.dll
C:\Programme\Opera75\Plugins\al2np.dll

Infected registry entries detected
HKEY_CURRENT_USER\Software\Anti-Leech\Anti-Leech Plugin
HKEY_CURRENT_USER\Software\Anti-Leech\Anti-Leech Plugin Mozilla Firefox 1.0.7 C:\Programme\Mozilla Firefox\Plugins
HKEY_CURRENT_USER\Software\Anti-Leech\Anti-Leech Plugin Opera C:\Programme\Opera75\Plugins
HKEY_CLASSES_ROOT\AntiLeech.ALIE.1
HKEY_CLASSES_ROOT\AntiLeech.ALIE.1\CLSID {056738EE-E15C-11D6-B876-0050BF5D85C7}
HKEY_CLASSES_ROOT\AntiLeech.ALIE.1 Anti-Leech Plug-in
HKEY_CLASSES_ROOT\AntiLeech.ALIE
HKEY_CLASSES_ROOT\AntiLeech.ALIE\CLSID {056738EE-E15C-11D6-B876-0050BF5D85C7}
HKEY_CLASSES_ROOT\AntiLeech.ALIE\CurVer AntiLeech.ALIE.1
HKEY_CLASSES_ROOT\AntiLeech.ALIE Anti-Leech Plug-in
HKEY_CLASSES_ROOT\CLSID\{056738EE-E15C-11D6-B876-0050BF5D85C7}
HKEY_CLASSES_ROOT\CLSID\{056738EE-E15C-11D6-B876-0050BF5D85C7}\InprocServer32 C:\PROGRA~1\ANTI-L~1\ALIE_1~1.2\alie.dll
HKEY_CLASSES_ROOT\CLSID\{056738EE-E15C-11D6-B876-0050BF5D85C7}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{056738EE-E15C-11D6-B876-0050BF5D85C7}\ProgID AntiLeech.ALIE.1
HKEY_CLASSES_ROOT\CLSID\{056738EE-E15C-11D6-B876-0050BF5D85C7}\TypeLib {056738E1-E15C-11D6-B876-0050BF5D85C7}
HKEY_CLASSES_ROOT\CLSID\{056738EE-E15C-11D6-B876-0050BF5D85C7}\VersionIndependentProgID AntiLeech.ALIE
HKEY_CLASSES_ROOT\CLSID\{056738EE-E15C-11D6-B876-0050BF5D85C7} Anti-Leech Plug-in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-Leech ALIE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-Leech ALIE DisplayName Anti-Leech Plugin for Internet Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-Leech ALIE UninstallString C:\Programme\Anti-Leech\ALIE_1.0.2.2\iesetup2.exe uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-Leech ALNN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-Leech ALNN DisplayName Anti-Leech Plugin for Netscape, Mozilla, Opera
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-Leech ALNN UninstallString C:\Programme\Anti-Leech\ALNN\setup2.exe -u


Accoona.Toolbar Toolbar more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=41590>
Details: The Accoona Toolbar is a Internet Explorer toolbar that is bundled and installed with other programs.
Status: Deleted

Infected files detected
c:\programme\accoona\tbquiesce.exe
c:\windows\acc1.txt
c:\windows\ncc1.txt
C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Programme\vir\Hijack\backups\backup-20060515-144632-567.dll
C:\Dokumente und Einstellungen\EMI\Lokale Einstellungen\Temp\GLF1C.EXE
C:\Programme\filesubmit\maxbabes2003.zip\atoolbar400005.exe

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Web Search Tracking ID3 &utm_medium=bund
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Web Search Tracking ID4 &utm_campaign=wdz0805
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Web Search URL http://www.accoona.com/search.jsp?
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar XMLNS http://search.accoona.com
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Dynamic Marketing Active
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Search Assistant Tracking ID &utm_id=400055&utm_content=assist&utm_source=wdz3&utm_medium=bund&utm_campaign=wdz0805
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Search Assistant URL http://www.accoona.com/search.jsp?
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings10 http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings9 http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings8
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings7
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings6 0
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings5
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings3
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings2
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant PrevSettings1
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant XMLNS http://search.accoona.com
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Updates Rate 1
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Soap Action URL http://www.accoona.com/soap
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Search Assistant URL http://www.accoona.com/search.jsp?
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant Content Type text/xml
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Search Assistant CommServer URL http://www.accoona.com/soap
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Search Assistant URL http://www.accoona.com/search.jsp?
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar XMLNS http://search.accoona.com
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Web Search URL http://www.accoona.com/search.jsp?
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar UTF utf-8
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Updates Rate 1
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona\Toolbar Toolbar Version Number 1.0.2.0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} (Default) Accoona Search Assistant
HKEY_CLASSES_ROOT\ABar.ABarBand
HKEY_CLASSES_ROOT\ABar.ABarBand\CLSID {364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKEY_CLASSES_ROOT\ABar.ABarBand\CurVer ABar.ABarBand.1
HKEY_CLASSES_ROOT\ABar.ABarBand ABarBand
HKEY_CLASSES_ROOT\ABar.ABarBand.1
HKEY_CLASSES_ROOT\ABar.ABarBand.1\CLSID {364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKEY_CLASSES_ROOT\ABar.ABarBand.1 ABarBand
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch\CLSID {944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch\CurVer ASearchAssist.ADefaultSearch.1
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch ADefaultSearch Class
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch.1
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch.1\CLSID {944864A5-3916-46E2-96A9-A2E84F3F1208}
HKEY_CLASSES_ROOT\ASearchAssist.ADefaultSearch.1 ADefaultSearch Class
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\InprocServer32 C:\Programme\Accoona\atoolbar.dll
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\ProgID ABar.ABarBand.1
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\TypeLib {21F022C8-C045-4555-8A90-651E6A3DC6C6}
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\VersionIndependentProgID ABar.ABarBand
HKEY_CLASSES_ROOT\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707} Accoona
HKEY_CLASSES_ROOT\CLSID\{F80C1D93-0D22-436e-963E-9D3156997A4E}
HKEY_CLASSES_ROOT\CLSID\{F80C1D93-0D22-436e-963E-9D3156997A4E}
HKEY_CLASSES_ROOT\CLSID\{F80C1D93-0D22-436e-963E-9D3156997A4E} +
HKEY_CLASSES_ROOT\CLSID\{F80C1D93-0D22-436e-963E-9D3156997A4E} Distribution ID -18925100115816169411244888
HKEY_CLASSES_ROOT\CLSID\{F80C1D93-0D22-436e-963E-9D3156997A4E} Package ID 400055
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\TypeLib {EA3956D2-EC38-41AB-B601-47AA281E4952}
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{6C8AB177-7B09-4F5C-9E6D-82EAA765430C} IADefaultSearch
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\TypeLib {21F022C8-C045-4555-8A90-651E6A3DC6C6}
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{7ED983C3-FAAC-400C-BBD4-F519D74FF188} IABarBand
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0\0\win32 C:\Programme\Accoona\atoolbar.dll
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0\HELPDIR C:\Programme\Accoona\
HKEY_CLASSES_ROOT\TypeLib\{21F022C8-C045-4555-8A90-651E6A3DC6C6}\1.0 Accoona Toolbar 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0\0\win32 C:\Programme\Accoona\ASearchAssist.dll
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0\HELPDIR C:\Programme\Accoona\
HKEY_CLASSES_ROOT\TypeLib\{EA3956D2-EC38-41AB-B601-47AA281E4952}\1.0 ASearchAssist 1.0 Type Library
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} (Default) Accoona Search Assistant


180solutions.SearchAssistant Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=14814>
Details: 180search Assistant is an adware application that monitors users' search queries and web surfing in order to display targeted advertising.
Status: Deleted

Infected files detected
c:\windows\downloaded program files\clientax.dll


NewDotNet Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=9108>
Details: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows' hosts file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.
Status: Deleted

Infected files detected
c:\windows\ndnuninstall6_38.exe
c:\windows\ndnuninstall7_14.exe
c:\windows\ndnuninstall7_22.exe
C:\Programme\themexp\Themexp.org File\NNWDAB638.EXE
C:\WINDOWS\NDNuninstall6_98.exe


ActiveShopper.DealBar Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=42059>
Status: Deleted

Infected files detected
C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Programme\vir\Hijack\backups\backup-20060515-144632-792.dll

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{3D782BB3-F2A5-11D3-BF4C-000000000000}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{3D782BB3-F2A5-11D3-BF4C-000000000000}\Programmable
HKEY_CLASSES_ROOT\Interface\{DB1F5554-582C-4F53-82CC-458D2C04A2F1}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\TypeLib\{3D782BA6-F2A5-11D3-BF4C-000000000000}
HKEY_CLASSES_ROOT\TypeLib\{3D782BA6-F2A5-11D3-BF4C-000000000000}\1.0\0\win32 C:\Programme\e-zshopper\BarLcher.dll
HKEY_CLASSES_ROOT\TypeLib\{3D782BA6-F2A5-11D3-BF4C-000000000000}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{3D782BA6-F2A5-11D3-BF4C-000000000000}\1.0\HELPDIR C:\Programme\e-zshopper\
HKEY_CLASSES_ROOT\TypeLib\{3D782BA6-F2A5-11D3-BF4C-000000000000}\1.0 MyNewsBarLauncher 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{3D782BA6-F2A5-11D3-BF4C-000000000000}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{3D782BA6-F2A5-11D3-BF4C-000000000000}\1.0\0\win32 C:\Programme\e-zshopper\BarLcher.dll
HKEY_CURRENT_USER\Software\ActivShopper\Params toolbar_mode 0
HKEY_CURRENT_USER\Software\ActivShopper\Params sidebar2 1
HKEY_CURRENT_USER\Software\ActivShopper\Params sidebar1 1
HKEY_CURRENT_USER\Software\ActivShopper\Params sidebar 1


SurfAccuracy Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=40065>
Details: SurfAccuracy is an adware application that displays advertisements on the desktop and records keystrokes that are entered into certain search engines.
Status: Deleted

Infected files detected
C:\Dokumente und Einstellungen\EMI\Lokale Einstellungen\Temp\uninstall.exe


IRC.Lambot Backdoor more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=2642>
Status: Deleted

Infected files detected
C:\Programme\OCRANA-IRC\moo.dll
C:\Programme\OCRANA-IRC\system\bin\dll\moo.dll


IST.SideFind Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=14817>
Details: SideFind is a browser helper object (BHO) that adds a side bar to Internet Explorer and displays alternate search results in the side bar.
Status: Deleted

Infected files detected
C:\Programme\SideFind\sfbho.dll_tobedeleted
C:\Programme\SideFind\sidefind.dll_tobedeleted


OfferAgent Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=15248>
Status: Deleted

Infected files detected
C:\RECYCLER\S-1-5-21-527237240-1993962763-725345543-1003\Dc2.exe


QuickLinks Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=44217>
Details: QuickLinks is an adware program that hijacks search keywords and adds a toolbar to Internet Explorer that displays alternate links based on the user's web browsing and search queries.
Status: Deleted

Infected files detected
C:\WINDOWS\system32\intlib.bin


eXact.Downloader Adware Downloader more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=15002>
Details: eXact.Downloader is a trojan downloader used by eXact Advertising to add components to the company's adware applications.
Status: Deleted

Infected files detected
C:\WINDOWS\system32\msbe.dll_tobedeleted


Xrenoder Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=12166>
Details: Xrenoder is a multi-faceted Trojan. It is an Internet Explorer toolbar, homepage and search hijacker which resets your browser's home page and search settings to point to other affiliate sites. Xrenoder also displays pornographic popup ads.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\istsvc
HKEY_LOCAL_MACHINE\software\istsvc version 1024
HKEY_LOCAL_MACHINE\software\istsvc app_name istsvc.exe
HKEY_LOCAL_MACHINE\software\istsvc popup_url http://www.ysbweb.com/ist/scripts/istsvc_ads_data.php
HKEY_LOCAL_MACHINE\software\istsvc update_url http://cache.ysbweb.com/ist/softwares/istupdates/istsvc_updater.exe
HKEY_LOCAL_MACHINE\software\istsvc config_url http://www.ysbweb.com/ist/scripts/istsvc_config.php
HKEY_LOCAL_MACHINE\software\istsvc ui 691BCD46-665D-4b48-BE57-2F55ADE64E3C
HKEY_LOCAL_MACHINE\software\istsvc popup_initial_delay 600
HKEY_LOCAL_MACHINE\software\istsvc popup_count 143
HKEY_LOCAL_MACHINE\software\istsvc popup_day_count 2
HKEY_LOCAL_MACHINE\software\istsvc popup_day_limit 5
HKEY_LOCAL_MACHINE\software\istsvc update_count 1
HKEY_LOCAL_MACHINE\software\istsvc update_version 1024
HKEY_LOCAL_MACHINE\software\istsvc config_count 93
HKEY_LOCAL_MACHINE\software\istsvc account_id 0
HKEY_LOCAL_MACHINE\software\istsvc app_date
HKEY_LOCAL_MACHINE\software\istsvc popup_interval 5400
HKEY_LOCAL_MACHINE\software\istsvc popup_last
HKEY_LOCAL_MACHINE\software\istsvc update_interval 86400
HKEY_LOCAL_MACHINE\software\istsvc update_last
HKEY_LOCAL_MACHINE\software\istsvc config_interval 432000
HKEY_LOCAL_MACHINE\software\istsvc config_last


eXact.BargainBuddy Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=2861>
Details: BargainBuddy is a Browser Helper Object that watches the pages your browser requests and the terms you enter into a search engine web form. If a term matches a preset list of sites or keywords, BargainBuddy will display an ad.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BargainBuddy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BargainBuddy SlowInfoCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BargainBuddy Changed 0


AvenueMedia.InternetOptimizer Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=4711>
Details: Internet Optimizer, also known as DyFuCA, is an adware application that hijacks the user's browser error page.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer SlowInfoCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer Changed 0


NetPumper Adware Bundler more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=15103>
Details: Bundles with a number of adware components such as cydoor, Save!, ClockSync, and WhenU Toolbar.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\NetPumper
HKEY_LOCAL_MACHINE\SOFTWARE\NetPumper\Affiliated\Pro\Firstrun state 2
HKEY_LOCAL_MACHINE\SOFTWARE\NetPumper\Affiliated\Pro state 2
HKEY_LOCAL_MACHINE\SOFTWARE\NetPumper\Affiliated\Pro pkid xvidz
HKEY_LOCAL_MACHINE\SOFTWARE\NetPumper\Affiliated\Pro alid xvidz
HKEY_LOCAL_MACHINE\SOFTWARE\NetPumper\Affiliated\Pro iid {20A87688-0866-487D-80D8-75BB6010BBD8}
HKEY_CURRENT_USER\Software\NetPumper
HKEY_CURRENT_USER\Software\NetPumper\EMI Field1 1187641926
HKEY_CURRENT_USER\Software\NetPumper\EMI Field2 1485404512
HKEY_CURRENT_USER\Software\NetPumper\EMI Field3 1530118368
HKEY_CURRENT_USER\Software\NetPumper\EMI Field4 1022988758
HKEY_CLASSES_ROOT\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}
HKEY_CLASSES_ROOT\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\TypeLib {1145A909-A836-44B8-B03A-48D858B0F43E}
HKEY_CLASSES_ROOT\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B} IAddUrl
HKEY_CLASSES_ROOT\Interface\{A9E33220-0B05-11D7-88D2-444553540000}
HKEY_CLASSES_ROOT\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\TypeLib {1145A909-A836-44B8-B03A-48D858B0F43E}
HKEY_CLASSES_ROOT\Interface\{A9E33220-0B05-11D7-88D2-444553540000}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{A9E33220-0B05-11D7-88D2-444553540000} IAddPackage


IST.SlotchBar Toolbar more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=4739>
Details: An adware toolbar program for affiliates to distribute on sites. Affiliates get paid per install of the toolbar.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\IST


IST.XXXToolbar Toolbar more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=14816>
Details: IST.XXXToolbar is an adult adware search toolbar for Internet Explorer. XXXToolbar displays a number of pop-up ads when Internet Explorer is running.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\IST


IST.PowerScan Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=9942>
Details: PowerScan is advertised through ordinary web pop-ups, but recently it started to install with help from the ISTBar adware.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\software\ist


2ndThought Adware (General) more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=39664>
Details: SecondThought is an adware program that displays pop-up advertisements on the desktop.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\HyperLinker
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\HyperLinker UninstallString C:\Programme\Hyperlinker\Uninst.exe -s C:\Programme\Hyperlinker\Uninst.log
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\HyperLinker DisplayName Hyperlinker


LinkReplacer Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=7972>
Details: LinkReplacer adds advertisement based content to all web pages browsed.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker\CLSID {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1}
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker LinkTracker Class
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter\CLSID {03974811-C15F-462c-B6B0-2D2336AA57D0}
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter LinkMakerFilter Class
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker.1
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker.1\CLSID {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1}
HKEY_CLASSES_ROOT\LinkMaker.LinkTracker.1 LinkTracker Class
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter.1
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter.1\CLSID {03974811-C15F-462c-B6B0-2D2336AA57D0}
HKEY_CLASSES_ROOT\LinkMaker.LinkMakerFilter.1 LinkMakerFilter Class


YourSiteBar Toolbar more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/Thread.aspx?ID=15049>
Details: YourSiteBar from IST, the makers of numerous spyware Thread, is an affiliate based marketing toolbar.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc version 1024
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc app_name istsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_url http://www.ysbweb.com/ist/scripts/istsvc_ads_data.php
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_url http://cache.ysbweb.com/ist/softwares/istupdates/istsvc_updater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_url http://www.ysbweb.com/ist/scripts/istsvc_config.php
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc ui 691BCD46-665D-4b48-BE57-2F55ADE64E3C
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_initial_delay 600
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_count 143
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_day_count 2
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_day_limit 5
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_count 1
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_version 1024
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_count 93
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc account_id 0
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc app_date
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_interval 5400
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc popup_last
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_interval 86400
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc update_last
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_interval 432000
HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc config_last


EDIT 20:08:
So it's still not fixed; just now (as at every full hour) Antivir reported again ;)

Here's HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 20:04:34, on 15.05.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\acer\Wireless\Utility\WlanUtil.exe
C:\PROGRA~1\LAUNCH~1\LManager.EXE
C:\acer\epm\epm-dm.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\ICQLite\ICQLite.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Opera75\opera.exe
C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Programme\vir\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programme\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [acerWireless] C:\Programme\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.EXE
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programme\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programme\Dassault Systemes\B14\intel_a\code\bin\CATSysDemon.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
This post was edited on 15.05.2006 at 20:07 by emiemkes.
16.05.2006, 00:17
Honorary member

Posts: 29434
#68 emiemkes

1.
scan with dr.web
http://virus-protect.org/cureit.html

2.
Please post what drweb found. To do so, go to Start - Run

Quote

%userprofile%\doctorweb\cureit.log
type that in and press Enter. Please post the content of the items Drweb found.

or:

In Dr. Web, under the "View" menu item, the scan report can be saved; store it as a .txt file and then copy it from there.

-----------
3.
Start -- All Programs -- Accessories -- Notepad and paste the following text in:

Quote

dir %Windir%\tasks /a h > files.txt
notepad files.txt
- Save as: findjobs.bat
- Save as type: All Files
- save it on the Desktop
- Locate findjobs.bat -- double-click the bat file, Notepad opens -- post the text
__________
Best regards, Sabina

all about PC security
16.05.2006, 14:29
...new here

Posts: 5
#69 dr:
I saved the report, then opened it, and this is what it contained:
Nodelock Key Management V5R14.lnk;C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\CATIA P3\Tools;Modifikation von Cysta.2954;Verschoben.;
htmhjzlx.exe;C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\RdrDate;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
nkqwbhdb.exe;C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\RdrDate;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
nvciwncj.exe;C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\RdrDate;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
ykckyvwi.exe;C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\RdrDate;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
3.JPG;C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Bilder\handybilder\Sx1 Handybilder\11\B\02\_PAlbTN;Modifikation von Win32.Rammstein.13346;Verschoben.;
3.JPG;C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Bilder\handybilder\Sx1 Handybilder\11\B\03\_PAlbTN;Modifikation von Win32.Rammstein.13346;Verschoben.;
backup-20060515-144632-926.dll;C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Programme\vir\Hijack\backups;Adware.RXToolbar;Umbenannt.;
3.JPG;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Modifikation von Win32.Rammstein.13346;Verschoben.;
3______0.JPG;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Modifikation von Win32.Rammstein.13346;Verschoben.;
htmhjzlx.exe;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
nkqwbhdb.exe;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
Nodelock Key Management V5R14.lnk;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Modifikation von Cysta.2954;Verschoben.;
nvciwncj.exe;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
ykckyvwi.exe;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
cliparts-bilder.exe;C:\Dokumente und Einstellungen\EMI\Eigene Dateien;Adware.Littlehelper;Umbenannt.;
CATStCmdViewManipulation.CATNls;C:\Programme\Dassault Systemes\B14\intel_a\resources\msgcatalog\Japanese;Modifikation von Win32.Bumblebee.3657;Verschoben.;
blowfish.dll;C:\Programme\OCRANA-IRC\sys\system\dat;IRC.Flood;Gelöscht.;



There was a lot in cureit.log, do you need the whole text?
The end of it:
Gesamte Sitzungsstatistik

Geprüfte Objekte: 237467
Infizierte Objekte gefunden: 9
Objekte mit Modifikation gefunden: 7
Verdächtige Objekte gefunden: 0
Adware-Programm gefunden: 3
Dialer-Programm gefunden: 0
Scherz-Programm gefunden: 0
Riskware programm gefunden: 0
Hacktool-Programm gefunden: 0
Desinfizierte Objekte: 0
Gelöschte Objekte: 1
Umbenannte Objekte: 3
Verschobene Objekte: 15
Ignorierte Objekte: 3
Leistung:: 534 Kb/s
Dauer:: 01:59:29


findjobs:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 002D-CD9F

Verzeichnis von C:\WINDOWS\tasks

13.05.2006 17:00 <DIR> .
13.05.2006 17:00 <DIR> ..
15.05.2006 22:00 248 AA40E22C92C395A0.job
18.08.2001 14:00 65 desktop.ini
16.05.2006 11:39 6 SA.DAT
15.05.2006 20:41 344 Symantec NetDetect.job
4 Datei(en) 663 Bytes

Verzeichnis von C:\Dokumente und Einstellungen\EMI\Desktop
This post was edited on 16.05.2006 at 19:12 by emiemkes.
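As an added example (not from this thread and not part of Dr.Web): a Python parser for the semicolon-separated report Dr.Web CureIt writes (name;folder;threat;action;), which separates first-time hits from re-detections of files already sitting in DoctorWeb\Quarantine or in the HijackThis backups folder, and lists anything Dr.Web did not move, rename or delete. The action words come from the report above; the folder patterns and the grouping rules are assumptions of the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Added example: parser for the Dr.Web CureIt report format posted above
# (one detection per line: name;folder;threat;action;). Not part of this
# thread or of Dr.Web. The action words come from the posted report; the
# folder patterns and the grouping are assumptions of this example.

QUARANTINE_RE = re.compile(r"\\DoctorWeb\\Quarantine$", re.IGNORECASE)
HJT_BACKUP_RE = re.compile(r"\\Hijack\\backups$", re.IGNORECASE)  # HijackThis "backups" folder
# Actions after which the original file can no longer run from its old place.
CONTAINED_ACTIONS = ("Verschoben.", "Umbenannt.", "Gelöscht.")


@dataclass(frozen=True)
class Detection:
    name: str
    folder: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        return f"{self.folder}\\{self.name}"

    @property
    def in_quarantine(self) -> bool:
        """File was reported inside Dr.Web's own quarantine folder."""
        return QUARANTINE_RE.search(self.folder) is not None

    @property
    def is_hjt_backup(self) -> bool:
        """File is a HijackThis backup of an entry that was already fixed."""
        return HJT_BACKUP_RE.search(self.folder) is not None

    @property
    def contained(self) -> bool:
        """'Nicht desinfizierbar.Verschoben.' still ends in Verschoben: moved to quarantine."""
        return self.action.endswith(CONTAINED_ACTIONS)


def parse_report(text: str):
    """Split report lines into Detection records; skip blank or malformed lines."""
    dets = []
    for raw in text.splitlines():
        fields = raw.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        dets.append(Detection(*(f.strip() for f in fields[:4])))
    return dets


def summarize(dets):
    """Separate first-time hits from re-detections and list what is still untouched."""
    groups = {"live": [], "already_quarantined": [], "hijackthis_backup": []}
    for d in dets:
        if d.in_quarantine:
            groups["already_quarantined"].append(d)
        elif d.is_hjt_backup:
            groups["hijackthis_backup"].append(d)
        else:
            groups["live"].append(d)
    groups["by_threat"] = Counter(d.threat for d in groups["live"])
    groups["not_contained"] = [d.path for d in groups["live"] if not d.contained]
    return groups


# Constructed sample: a handful of lines taken from the report posted above.
SAMPLE_REPORT = r"""
htmhjzlx.exe;C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\RdrDate;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
backup-20060515-144632-926.dll;C:\Dokumente und Einstellungen\EMI\Desktop\Daten\Programme\vir\Hijack\backups;Adware.RXToolbar;Umbenannt.;
htmhjzlx.exe;C:\Dokumente und Einstellungen\EMI\DoctorWeb\Quarantine;Trojan.Swizzor;Nicht desinfizierbar.Verschoben.;
cliparts-bilder.exe;C:\Dokumente und Einstellungen\EMI\Eigene Dateien;Adware.Littlehelper;Umbenannt.;
blowfish.dll;C:\Programme\OCRANA-IRC\sys\system\dat;IRC.Flood;Gelöscht.;
"""

if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    for key in ("live", "already_quarantined", "hijackthis_backup"):
        print(key)
        for d in s[key]:
            print(f"  {d.threat:<22} {d.action:<32} {d.path}")
    print("threats still live:", dict(s["by_threat"]))
    print("not contained:", s["not_contained"] or "none")
```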
17.05.2006, 00:47
...new here

Posts: 4
#70 Hello you good people, I have TR/ Swizzor A and need your help to remove it.
I had installed netbumpber, sorry, fell for it. It has since been uninstalled; I then ran Spybot.
Because I hadn't found your forum yet, I already tried System Restore. That no longer works. Now I'm working through your list. It would be great if you could help me,

Logfile of HijackThis v1.99.1
Scan saved at 23:27:22, on 16.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Portrait Displays\forteManager\dtsslsrv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Programme\Portrait Displays\forteManager\DTSRVC.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\stardock\TrayServer.exe
C:\Programme\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Lexmark X1100 Series\lxbkbmon.exe
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\TGTSoft\StyleXP\StyleXP.exe
C:\Programme\WinPortrait\floater.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://de.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AC8AE42A-E7C3-6FA5-4E0C-27469FEBCE0C} - C:\DOKUME~1\Steffi\ANWEND~1\CHICWA~1\Test More.exe
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Programme\Gemeinsame Dateien\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programme\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Programme\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [DT Task] C:\Programme\Portrait Displays\forteManager\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [slow acid dent for] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\bibheckslowacid\globalsign.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Audio view] C:\DOKUME~1\Steffi\ANWEND~1\BROWSE~1\Okay readme.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {87BF5318-D5F0-41F4-9D14-47967FA8C12B} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D3FF8AC-9E63-4CF2-9DFD-BC9F3F4975D6}: NameServer = 80.58.0.93,80.58.32.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A0327DF-EED3-4423-B855-CAAA5AFB102B}: NameServer = 80.58.0.93,80.58.32.97
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Programme\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Programme\Portrait Displays\forteManager\dtsslsrv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Programme\Portrait Displays\forteManager\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StyleXPService - Unknown owner - (no file)
17.05.2006, 01:38
Honorary member

Posts: 29434
#71 emiemkes

Start -- All Programs -- Accessories -- Notepad and paste the following text in:

Quote

%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h AA40E22C92C395A0.job
del AA40E22C92C395A0.job
- Save as: remjob.bat
- Save as type: All Files
- save it on the Desktop
- Locate remjob.bat -- double-click the bat file; the editor opening briefly is normal

**
scan with Panda and post the scan report
http://virus-protect.org/onlinescan.html

.
__________
Best regards, Sabina

all about PC security
17.05.2006, 01:42
Honorary member

Posts: 29434
#72 heffi

CleanUp
http://virus-protect.org/cleanup.html

open HijackThis -- button "scan" -- tick the malware entries -- button "Fix checked" -- restart the PC

O2 - BHO: (no name) - {AC8AE42A-E7C3-6FA5-4E0C-27469FEBCE0C} - C:\DOKUME~1\Steffi\ANWEND~1\CHICWA~1\Test More.exe
O4 - HKLM\..\Run: [slow acid dent for] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\bibheckslowacid\globalsign.exe
O4 - HKCU\..\Run: [Audio view] C:\DOKUME~1\Steffi\ANWEND~1\BROWSE~1\Okay readme.exe

restart the PC

work through this:
http://virus-protect.org/artikel/spyware/lop1.html

delete in Safe Mode:

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\bibheckslowacid\
C:\Dokumente und Einstellungen\Steffi\Anwendungsdaten\CHICWA.............
C:\Dokumente und Einstellungen\Steffi\Anwendungsdaten\BROWSE.......... (this is not the complete name)

-----------------------------------------------

Counterspy ...after the scan ...set everything to * remove
**
scan with dr.web
**
Panda online scan (delete everything manually)
**
run cleanup once more

-------

when everything is clean:

Start -- All Programs -- Accessories -- Notepad and paste the following text in:

Quote

dir %Windir%\tasks /a h > files.txt
notepad files.txt
- Save as: findjobs.bat
- Save as type: All Files
- save it on the Desktop
- Locate findjobs.bat -- double-click the bat file, Notepad opens -- post the text
__________
Best regards, Sabina

all about PC security
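As an added example (not from this thread and not part of HijackThis): a small Python triage helper that encodes the pattern Sabina uses to pick the entries out of the logs above, namely O2 BHO and O4 Run entries whose executable sits under a user's or All Users' Anwendungsdaten / ANWEND~1 folder, plus BHOs registered as "(no name)" that are backed by an .exe. The regexes and reason strings are assumptions of the example; the sample lines are taken from the HijackThis logs posted in this thread, and a hit is a triage hint to check, not a verdict.

```python
import re
from dataclasses import dataclass

# Added example: a triage helper for HijackThis v1.99 log lines. Not part of
# this thread or of HijackThis. It encodes the pattern the helper in this
# thread keys on: O2 BHO and O4 Run entries whose target lives under a user's
# or All Users' application-data folder (German "Anwendungsdaten", 8.3 form
# "ANWEND~1"), and BHOs registered as "(no name)" that point at an .exe.
# A hit is a triage hint, not a verdict: some updaters legitimately run from
# there. The regexes and reason strings are assumptions of this example.

ENTRY_RE = re.compile(r"^(?P<kind>O\d+) - (?P<rest>.*)$")
# O2 - BHO: <name> - {CLSID} - <path>
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
APPDATA_RE = re.compile(r"\\(Anwendungsdaten|ANWEND~\d+|Application Data)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line: str):
    """Return a Finding for a suspicious O2/O4 line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "O2":
        b = BHO_RE.match(rest)
        if b is None:
            return None
        path = b.group("path")
        if b.group("name") == "(no name)" and path.lower().endswith(".exe"):
            return Finding(line, "unnamed BHO backed by an .exe")
        if APPDATA_RE.search(path):
            return Finding(line, "BHO loaded from an application-data folder")
    elif kind == "O4":
        r = RUN_RE.match(rest)
        if r is None:
            return None
        if APPDATA_RE.search(exe_from_command(r.group("cmd"))):
            return Finding(line, "Run entry starts a program from an application-data folder")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and return the findings in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Constructed sample: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AC8AE42A-E7C3-6FA5-4E0C-27469FEBCE0C} - C:\DOKUME~1\Steffi\ANWEND~1\CHICWA~1\Test More.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [slow acid dent for] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\bibheckslowacid\globalsign.exe
O4 - HKCU\..\Run: [Audio view] C:\DOKUME~1\Steffi\ANWEND~1\BROWSE~1\Okay readme.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```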
17.05.2006, 08:51
...new here

Posts: 5
#73 Incident Status Location

Adware:Adware/Lop Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\BALMCOOL\Phoneloud.exe
Spyware:Cookie/Tribalfusion Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.com.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.doubleclick.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.serving-sys.com/]
Spyware:Cookie/Rn11 Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.rn11.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.trafficmp.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.tradedoubler.com/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.atwola.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.fastclick.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[statse.webtrendslive.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.atdmt.com/]
Spyware:Cookie/Adserver Not disinfected C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\Mozilla\Firefox\Profiles\z0umvj15.default\cookies.txt.old[.z1.adserver.com/]
Spyware:Cookie/Atwola Not disinfected C:\Dokumente und Einstellungen\EMI\Cookies\emi@atwola[1].txt
17.05.2006, 11:04
Honorary member

Posts: 29434
#74 emiemkes

delete in Safe Mode:
C:\Dokumente und Einstellungen\EMI\Anwendungsdaten\BALMCOOL
__________
Best regards, Sabina

all about PC security
17.05.2006, 11:19
...new here

Posts: 2
#75 Unfortunately I have had the same problem for a few days. At irregular intervals AntiVir pops up the message "tr/swizzor.a". In addition, i.explore processes are running even though I only use Firefox.

Would be very grateful if someone could help me. Regards; petroleum
Here is my hijackthis file:


Logfile of HijackThis v1.99.1
Scan saved at 11:16:25, on 17.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\CmUCReye.exe
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Medion Info Display\MdionLCM.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programme\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Programme\Creative\MediaSource\Detector\CTDetect.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Winamp\Winamp.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\ATTENP~1\LOKALE~1\Temp\Rar$EX00.922\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inode.at/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Inode
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BA2F3CF6-75C5-9C45-54BB-80EC4D63B4EB} - C:\DOKUME~1\ATTENP~1\ANWEND~1\Bike01\TRANS DEFY.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [CmUCRRun] C:\WINDOWS\system32\CmUCReye.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MedionVFD] "C:\Programme\Medion Info Display\MdionLCM.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [InstantOn] "C:\Programme\CyberLink\PowerCinema Linux\ion_install.exe /c "
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Defy Base Anti Poke] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Program Setup Defy Base\Else audio.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Programme\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sixth Idol] C:\DOKUME~1\ATTENP~1\ANWEND~1\OPTION~1\Stop Aim.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {A461BF3E-96B0-488F-9ACA-202335DDCC4B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128778405937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1F48CE2-9ACA-4297-8DCB-CFD2763FFADA}: NameServer = 195.58.160.194,195.58.161.122
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: hpdj - HP - C:\DOKUME~1\ATTENP~1\LOKALE~1\Temp\hpdj.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe