Nervige Werbebanner

#1 Hallo,

ich hab gestern etwas rumgesurft und jetzt gehen alle paar Sekunden Flashwerbungen, werbebanner und ganze Fenster mit Sicherheitsfragen auf.
In den laufenden Programmen sind das .exe!

Was kann ich dagegen tun? Mein Popupblocker greift nicht ein, und diese Werbung geht auch auf wenn ich nicht im Internet bin und zum beispiel spiele!

Logfile of HijackThis v1.99.1
Scan saved at 13:00:41, on 30.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programme\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Softex\OmniPass\scureapp.exe
C:\Programme\Lexmark 5200 series\lxbtbmgr.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Lexmark 5200 series\lxbtbmon.exe
C:\FRAPS\FRAPS.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\DATA BECKER\Pop-Up & Banner Blocker\asd.exe
C:\Programme\DATA BECKER\Pop-Up & Banner Blocker\dbad.exe
C:\Programme\DATA BECKER\Pop-Up & Banner Blocker\adblock.exe
C:\DOKUME~1\MAXIMI~1\LOKALE~1\Temp\~ef7194.tmp
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\DOKUME~1\MAXIMI~1\LOKALE~1\Temp\Rar$EX00.281\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OmniPass] C:\Programme\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Programme\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DATA BECKER - Dialer-Schutz.lnk = C:\Programme\DATA BECKER\Pop-Up & Banner Blocker\asd.exe
O4 - Global Startup: DATA BECKER - Pop-Up und Banner Blocker.lnk = C:\Programme\DATA BECKER\Pop-Up & Banner Blocker\dbad.exe
O4 - Global Startup: DATA BECKER - Werbebannerblocker.lnk = C:\Programme\DATA BECKER\Pop-Up & Banner Blocker\adblock.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\r46ulej91ho.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Programme\Softex\OmniPass\Omniserv.exe

#2 Zwackmix

1.
wende an:
Look2Me-Destroyer V1.0.5 http://virus-protect.org/l2mfix.html
poste den scanreport

2.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

3.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrlo0533e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{23BC6EF3-9763-8CCC-71F2-D6A6431E1520}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften f�r Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite f�r Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen f�r Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilit„tsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung f�r Datentr„gerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen f�r Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen f�r die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung f�r Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmen� f�r die Verschl�sselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung f�r HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen f�r Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen f�r Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverkn�pfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmen�"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausf�hren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Eigenschaftenseite f�r vorherige Versionen"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Vorherige Versionen"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begr�áungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abz�gen �ber das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverkn�pfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}"="OmniPass Shell Extension"
"{D0CE97A0-415B-42E9-B251-34393AF2D5F6}"="OmniPass Shell Extension"
"{D5B1944E-DB4E-482E-B3F1-DB05827F0978}"="OmniPass ShellNameSpace Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{efb97cb8-a4a4-4357-a261-002ffaed0267}"="CD Slideshow Powertoy"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"="Shell Extension for Malware scanning"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
@="CorelDRAW Shell Extension Component"
"{EA231374-F808-4960-B81A-49412BE3B156}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}\InprocServer32]
@="C:\\WINDOWS\\system32\\hsp95en.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Sat 4 Mar 2006 5:34:40 A.... 1.022.976 999,00 K
cdfview.dll Sat 4 Mar 2006 5:34:40 A.... 152.064 148,50 K
cmdlin~1.dll Mon 24 Apr 2006 14:19:10 A.... 98.304 96,00 K
cmdlin~2.dll Tue 25 Apr 2006 21:48:50 A.... 43.520 42,50 K
danim.dll Sat 4 Mar 2006 5:34:42 A.... 1.056.256 1,00 M
dxtrans.dll Sat 4 Mar 2006 5:34:42 A.... 205.312 200,50 K
extmgr.dll Sat 4 Mar 2006 5:34:42 A.... 55.808 54,50 K
g0400a~1.dll Sun 30 Apr 2006 16:05:32 ..S.R 234.230 228,74 K
hrlo05~1.dll Sun 30 Apr 2006 16:02:32 ..S.R 234.565 229,07 K
hsp95en.dll Sun 30 Apr 2006 16:22:58 ..... 234.565 229,07 K
iepeers.dll Sat 4 Mar 2006 5:34:42 A.... 251.392 245,50 K
inetcomm.dll Fri 17 Mar 2006 11:11:30 A.... 679.424 663,50 K
inseng.dll Sat 4 Mar 2006 5:34:42 A.... 96.768 94,50 K
mshtml.dll Thu 23 Mar 2006 22:34:46 A.... 3.074.560 2,93 M
mshtmled.dll Sat 4 Mar 2006 5:34:44 A.... 448.512 438,00 K
msrating.dll Sat 4 Mar 2006 5:34:44 A.... 146.432 143,00 K
mstime.dll Sat 4 Mar 2006 5:34:44 A.... 532.480 520,00 K
pngfilt.dll Sat 4 Mar 2006 5:34:44 A.... 39.424 38,50 K
shdocvw.dll Thu 30 Mar 2006 11:26:22 A.... 1.492.480 1,42 M
shell32.dll Fri 17 Mar 2006 6:03:36 A.... 8.493.056 8,10 M
shlwapi.dll Sat 4 Mar 2006 5:34:44 A.... 474.624 463,50 K
urlmon.dll Sat 18 Mar 2006 13:09:44 A.... 615.424 601,00 K
wininet.dll Sat 4 Mar 2006 5:34:46 A.... 664.064 648,50 K
wmp.dll Fri 10 Mar 2006 6:09:14 A.... 5.533.696 5,28 M
xpsp3res.dll Thu 30 Mar 2006 3:16:48 A.... 18.944 18,50 K

25 items found: 25 files (2 H/S), 0 directories.
Total of file sizes: 25.898.880 bytes 24,70 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sun 30 Apr 2006 16:23:58 ..S.R 234.565 229,07 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 234.565 bytes 229,07 K
**********************************************************************************
Directory Listing of system files:
Datentr„ger in Laufwerk C: ist Lokaler Datentr„ger
Volumeseriennummer: 44BB-7427

Verzeichnis von C:\WINDOWS\System32

30.04.2006 16:23 234.565 guard.tmp
30.04.2006 16:05 234.230 g0400ahmed4a0.dll
30.04.2006 16:02 234.565 hrlo0533e.dll
30.04.2006 12:23 <DIR> dllcache
03.03.2006 17:10 1.682 KGyGaAvL.sys
03.03.2006 17:10 56 6D2AA531D2.sys
16.11.2005 23:56 <DIR> Microsoft
5 Datei(en) 705.098 Bytes
2 Verzeichnis(se), 11.780.218.880 Bytes frei



Datentr„ger in Laufwerk C: ist Lokaler Datentr„ger
Volumeseriennummer: 44BB-7427

Verzeichnis von C:\WINDOWS\system32

30.04.2006 16:23 234.565 guard.tmp
30.04.2006 16:23 40.937 nvapps.xml
30.04.2006 16:22 234.565 hsp95en.dll
30.04.2006 16:05 234.230 g0400ahmed4a0.dll
30.04.2006 16:02 234.565 hrlo0533e.dll
25.04.2006 21:48 43.520 CmdLineExt03.dll
24.04.2006 14:19 98.304 CmdLineExt.dll
12.04.2006 17:28 2.206 wpa.dbl
06.04.2006 21:48 5.143.456 MRT.exe
06.04.2006 13:34 1.024 pdf2word.DAT
30.03.2006 11:26 1.492.480 shdocvw.dll
30.03.2006 10:23 234.368 FNTCACHE.DAT
30.03.2006 03:16 18.944 xpsp3res.dll
26.03.2006 14:33 316.924 perfh007.dat
26.03.2006 14:33 48.354 perfc007.dat
26.03.2006 14:33 311.740 perfh009.dat
26.03.2006 14:33 40.128 perfc009.dat
26.03.2006 14:33 723.744 PerfStringBackup.INI
23.03.2006 22:34 3.074.560 mshtml.dll
18.03.2006 13:09 615.424 urlmon.dll
17.03.2006 11:11 679.424 inetcomm.dll
17.03.2006 06:03 8.493.056 shell32.dll
17.03.2006 02:38 28.672 verclsid.exe
10.03.2006 06:09 5.533.696 wmp.dll
04.03.2006 05:34 664.064 wininet.dll
04.03.2006 05:34 474.624 shlwapi.dll
04.03.2006 05:34 39.424 pngfilt.dll
04.03.2006 05:34 448.512 mshtmled.dll
04.03.2006 05:34 146.432 msrating.dll
04.03.2006 05:34 532.480 mstime.dll
04.03.2006 05:34 1.056.256 danim.dll
04.03.2006 05:34 205.312 dxtrans.dll
04.03.2006 05:34 55.808 extmgr.dll
04.03.2006 05:34 96.768 inseng.dll
04.03.2006 05:34 251.392 iepeers.dll
04.03.2006 05:34 1.022.976 browseui.dll
04.03.2006 05:34 152.064 cdfview.dll
03.03.2006 17:10 1.682 KGyGaAvL.sys
03.03.2006 17:10 56 6D2AA531D2.sys
16.02.2006 16:48 5.242.934 toyhide.bmp
18.01.2006 14:05 57.344 avsda.dll
11.01.2006 15:05 7.006 jupdate-1.5.0_06-b05.log
06.01.2006 14:50 664 d3d9caps.dat
04.01.2006 05:35 68.096 webclnt.dll


Datentr„ger in Laufwerk C: ist Lokaler Datentr„ger
Volumeseriennummer: 44BB-7427

Verzeichnis von C:\DOKUME~1\MAXIMI~1\LOKALE~1\Temp

30.04.2006 16:23 53.248 ~ef7194.tmp
30.04.2006 15:46 66.877 java_install_reg.log
30.04.2006 15:40 222 wecerr.txt
30.04.2006 15:40 158.735 FRONTPG.log
29.04.2006 08:51 576 travel01.rgn
29.04.2006 08:50 800 no_popups.rgn
29.04.2006 08:48 5.851 plfA.tmp
29.04.2006 08:47 16.384 ~DF89F0.tmp
29.04.2006 08:44 5.851 plf5.tmp
29.04.2006 08:29 624 cellphones04.rgn
29.04.2006 08:29 2.576 travel04.rgn
29.04.2006 08:12 1.072 auto02.rgn
29.04.2006 08:09 4.176 homes01.rgn
05.04.2006 18:46 16.384 ~WRF0002.tmp
05.04.2006 18:27 46.080 ~e5d141.tmp

usw... (edit Sabina)


Datentr„ger in Laufwerk C: ist Lokaler Datentr„ger
Volumeseriennummer: 44BB-7427

Verzeichnis von C:\WINDOWS

30.04.2006 16:21 0 0.log
30.04.2006 16:20 159 wiadebug.log
30.04.2006 16:20 1.061.124 WindowsUpdate.log
30.04.2006 16:20 50 wiaservc.log
30.04.2006 16:20 2.048 bootstat.dat
30.04.2006 16:19 20.606 SchedLgU.Txt
29.04.2006 08:58 54.156 QTFont.qfn
29.04.2006 08:50 9.240 Hosts
29.04.2006 08:50 9.240 b_as_Hosts
29.04.2006 08:49 112.128 CdaC14BA.DLL
29.04.2006 08:49 30.720 CdaC13BA.EXE
29.04.2006 08:47 13 scode8.cfg
29.04.2006 08:46 796.672 GPInstall.exe
28.04.2006 15:25 276 game.ini
28.04.2006 15:14 230 NeroDigital.ini
28.04.2006 14:54 0 keyboard151.dat
26.04.2006 13:40 64.973 ntdtcsetup.log
26.04.2006 13:40 1.374 imsins.log
26.04.2006 13:40 116.840 tsoc.log
26.04.2006 13:40 46.909 iis6.log
26.04.2006 13:40 18.512 KB900485.log
26.04.2006 13:40 110.075 comsetup.log
26.04.2006 13:40 16.617 ocmsn.log
26.04.2006 13:40 148.821 ocgen.log
26.04.2006 13:40 15.055 msgsocm.log
26.04.2006 13:40 295.935 FaxSetup.log
26.04.2006 13:40 199.447 setupapi.log
25.04.2006 20:19 64.003 wmsetup.log
25.04.2006 20:19 460 wmsetup10.log
20.04.2006 16:53 1.409 QTFont.for
19.04.2006 13:07 122 setup.log
16.04.2006 10:45 2.180 spupdsvc.log
15.04.2006 19:20 18.572 KB908531.log
15.04.2006 19:20 1.374 imsins.BAK
15.04.2006 19:20 22.505 updspapi.log
15.04.2006 19:20 17.809 KB911562.log
15.04.2006 19:19 20.603 KB912812.log
15.04.2006 19:19 17.999 KB911565.log
15.04.2006 19:19 12.451 KB911567.log
06.04.2006 13:34 106 pdf2rtf.INI
03.04.2006 20:27 192 winamp.ini
02.03.2006 15:53 31.608 FontData.fdb
16.02.2006 15:00 12.672 KB911927.log
16.02.2006 15:00 9.102 KB911564.log
16.02.2006 14:59 7.482 KB913446.log
12.02.2006 19:58 149 KPCMS.INI
04.02.2006 19:44 25.253 DirectX.log

Datentr„ger in Laufwerk C: ist Lokaler Datentr„ger
Volumeseriennummer: 44BB-7427

Verzeichnis von C:\

30.04.2006 16:27 0 sys.txt
30.04.2006 16:27 8.365 system.txt
30.04.2006 16:26 24.123 systemtemp.txt
30.04.2006 16:26 101.532 system32.txt
30.04.2006 16:24 64 direct.txt
30.04.2006 16:20 805.306.368 pagefile.sys
27.01.2006 13:16 11.072 results.txt
17.11.2005 14:43 200 lxbt.log
16.11.2005 23:52 0 IO.SYS
16.11.2005 23:52 0 CONFIG.SYS
16.11.2005 23:52 0 AUTOEXEC.BAT
16.11.2005 23:52 0 MSDOS.SYS
16.11.2005 23:45 211 boot.ini
04.08.2004 14:00 4.952 bootfont.bin
04.08.2004 14:00 47.564 NTDETECT.COM
04.08.2004 14:00 251.184 ntldr
16 Datei(en) 805.755.635 Bytes
0 Verzeichnis(se), 11.780.321.280 Bytes frei

#4 1.
nun gut, du hast zwar nicht das Tool angewendet, was ich wollte....[Look2Me-Destroyer V1.0.5]
aber...mache folgendes..klicke Option 2 bei l2mfix, starte den PC neu, warte den scan ab und

2.
poste den scanreport von l2mfix

3.
Hinweis:
Verzeichnis von C:\DOKUME~1\MAXIMI~1\LOKALE~1\Temp --- muss leer sein, also noch mal mit CleanUp scannen !

4.
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> anhaken
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"
reinkopieren: ......

C:\WINDOWS\Hosts
C:\WINDOWS\b_as_Hosts
C:\WINDOWS\CdaC14BA.DLL
C:\WINDOWS\CdaC13BA.EXE
C:\WINDOWS\scode8.cfg
C:\WINDOWS\GPInstall.exe

PC neustarten

5.
Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
(dann wieder aktivieren)

6.
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

7.
Scanne mit Panda und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 L2mfix 032106
Creating Account.
Das Konto existiert bereits.

Sie erhalten weitere Hilfe, wenn Sie NET HELPMSG 2224 eingeben.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 444 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 528 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1204 'explorer.exe'
Killing PID 1204 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful

Scanning First Pass. Please Wait!


Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 448 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 532 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1440 'explorer.exe'
Killing PID 1440 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g0400ahmed4a0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EA231374-F808-4960-B81A-49412BE3B156}\InprocServer32]
@="C:\\WINDOWS\\system32\\marddm.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/g0400ahmed4a0.dll (164 bytes security) (deflated 4%)
adding: dlls/jt4q07h5e.dll (164 bytes security) (deflated 5%)
adding: dlls/marddm.dll (164 bytes security) (deflated 4%)
adding: dlls/mvjml9111.dll (164 bytes security) (deflated 4%)
adding: dlls/pzspl.dll (164 bytes security) (deflated 4%)
adding: dlls/q686lgls16q6.dll (164 bytes security) (deflated 4%)
adding: backregs/EA231374-F808-4960-B81A-49412BE3B156.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)


Incident Status Location

Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\backup.zip[dlls/g0400ahmed4a0.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\backup.zip[dlls/jt4q07h5e.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\backup.zip[dlls/marddm.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\backup.zip[dlls/mvjml9111.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\backup.zip[dlls/pzspl.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\backup.zip[dlls/q686lgls16q6.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\dlls\g0400ahmed4a0.dll
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\dlls\jt4q07h5e.dll
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\dlls\marddm.dll
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\dlls\mvjml9111.dll
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\dlls\pzspl.dll
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\dlls\q686lgls16q6.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix.exe[l2mfix/Process.exe]

#6 Look2Me-Destroyer V1.0.5

Lade den L2Me Destroyer hier und speichere Ihn auf deinem Desktop:
http://www.atribune.org/content/view/28/

1 ) Schließe alle offenen Fenster und Doppel-klicke die Look2Me-Destroyer.exe um das Programm zu starten.
2 ) Setzte einen Haken bei run this program as a task
3 ) Es erscheint eine Nachricht in der steht, dass sich innerhalb der naechsten 10 Sekunden der Look2Me Destroyer oeffnen und schliessen wird.
4 ) Klicke auf OK
5 ) Wenn das Programm sich wieder oeffnet, auf scan for L2Me klicken.
6 ) Wenn der Scan fertig ist, auf Remove L2Me klicken. Es erscheint danach eine "Done scanning" Nachricht. Einfach auf "OK" klicken.
7) Nach Beendigung des Scans, kommt folgende Nachricht: Done removing infected files! Look2Me-Destroyer will now shutdown your compute und der PC faehrt herunter.
8 ) PC starten und den Inhalt der C:\Look2Me-Destroyer.txt

---------------------

dann alles weitere abarbeiten..und poste den scanreport vom Panda-Onlinescan
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Incident Status Location

Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Anwendungsdaten\Mozilla\Firefox\Profiles\dowgbt68.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Anwendungsdaten\Mozilla\Firefox\Profiles\dowgbt68.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Anwendungsdaten\Mozilla\Firefox\Profiles\dowgbt68.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Cookies\maximilian zwick@2o7[1].txt
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\backup.zip[dlls/g0400ahmed4a0.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\backup.zip[dlls/jt4q07h5e.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\backup.zip[dlls/marddm.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\backup.zip[dlls/mvjml9111.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\backup.zip[dlls/pzspl.dll]
Adware:Adware/Look2Me Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\backup.zip[dlls/q686lgls16q6.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix.exe[l2mfix/Process.exe]


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 01.05.2006 21:59:50

Infected! C:\WINDOWS\system32\g0400ahmed4a0.dll
Infected! C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\g0400ahmed4a0.dll
Infected! C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\jt4q07h5e.dll
Infected! C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\marddm.dll
Infected! C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\mvjml9111.dll
Infected! C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\pzspl.dll
Infected! C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\q686lgls16q6.dll

Attempting to delete infected files...

Attempting to delete: C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\g0400ahmed4a0.dll
C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\g0400ahmed4a0.dll Deleted successfully!

Attempting to delete: C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\jt4q07h5e.dll
C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\jt4q07h5e.dll Deleted successfully!

Attempting to delete: C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\marddm.dll
C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\marddm.dll Deleted successfully!

Attempting to delete: C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\mvjml9111.dll
C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\mvjml9111.dll Deleted successfully!

Attempting to delete: C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\pzspl.dll
C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\pzspl.dll Deleted successfully!

Attempting to delete: C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\q686lgls16q6.dll
C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\Programme\Anti Virus\l2mfix\dlls\q686lgls16q6.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratoren - Succeeded

#8 1.
loesche:
C:\Dokumente und Einstellungen\Maximilian Zwick\Desktop\l2mfix\

2.
noch mal anwenden
Look2Me-Destroyer V1.0.12

3.
ueberpruefe, ob das geloescht wurde. (siehe Killbox)

C:\WINDOWS\system32

29.04.2006 08:50 9.240 Hosts
29.04.2006 08:50 9.240 b_as_Hosts
29.04.2006 08:49 112.128 CdaC14BA.DLL
29.04.2006 08:49 30.720 CdaC13BA.EXE
29.04.2006 08:47 13 scode8.cfg
29.04.2006 08:46 796.672 GPInstall.exe

4.
scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 So hab nachträglich von Hand noch

29.04.2006 08:49 112.128 CdaC14BA.DLL
29.04.2006 08:49 30.720 CdaC13BA.EXE

gelöscht!

Report:

Nix, weil er nix gefunden hat :-)

Dankeschön!!!!