Ich krieg die Trojaner Win32:Zlob-BN [Trj] und Win32:Small-TF [Trj nicht weg

#1 Hallo
Ich hab seit ca. 3 Wochen 2 Trojaner auf meinem PC und ich krieg ihn einfach nicht weg. Ich benutze avast und ca. jede halbe Stunde kommt eine Fehlermeldung, dass die Trojaner Win32:Zlob-BN [Trj] und Win32:Small-TF [Trj] gefunden wurde. Ich drücke dann immer auf löschen aber die Meldung kommt dann eine halbe Stunde später weider. Ich habe jetzt alles so wie im Forum beschrieben gemacht und hier alles rein kopiert. Bitte helft mir, ich weiß nicht mehr weiter!

Logfile of HijackThis v1.99.1
Scan saved at 00:36:26, on 09.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\CodeMeter\Runtime\bin\CodeMeter.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\PROGRA~1\GEMEIN~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Lukas\Bewerbung\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CExtension Object - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Programme\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] "C:\Dokumente und Einstellungen\Lukas\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Dokumente und Einstellungen\Lukas\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Search - http://ky.bar.need2find.com/KY/menusearch.html?p=KY
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Dokumente und Einstellungen\Lukas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Dokumente und Einstellungen\Lukas\ICQLite\ICQLite.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {7C82C724-35FE-42FE-AA0D-76A4A8B552C6} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {7C82C724-35FE-42FE-AA0D-76A4A8B552C6} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605688.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3250F25A-A263-4AD5-86F0-AB0BE1D4B956}: NameServer = 217.237.150.188 217.237.150.97
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CodeMeter Runtime Server (CodeMeter.exe) - WIBU-SYSTEMS AG - C:\Programme\CodeMeter\Runtime\bin\CodeMeter.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7081-E2C0

Verzeichnis von C:\WINDOWS\system32

09.06.2006 00:31 4.888 stdole3.tlb
08.06.2006 22:04 14 ssprs.tgz
08.06.2006 22:04 219 lsprst7.tgz
08.06.2006 22:04 205 lsprst7.dll
08.06.2006 22:04 17 servdat.slm
08.06.2006 21:50 41.118 vsconfig.xml
08.06.2006 21:49 2.145 mmf.sys
08.06.2006 21:48 39.437 ld4594.tmp
08.06.2006 02:40 4.286 ot.ico
08.06.2006 02:40 4.286 ts.ico
07.06.2006 14:45 2.206 wpa.dbl
03.06.2006 10:26 3.002 CONFIG.NT
31.05.2006 11:02 624.640 aswBoot.exe
31.05.2006 10:54 90.112 AVASTSS.scr
14.05.2006 04:14 50.701 regperf.exe
06.05.2006 19:56 565.170 large.bnk
06.05.2006 19:56 278.528 livesnth.dll
06.05.2006 19:56 11.333 cf_lic.txt
06.05.2006 19:56 203.776 clrviddc.dll
06.05.2006 19:51 176.167 rmoc3260.dll
06.05.2006 19:51 5.632 pndx5032.dll
06.05.2006 19:51 6.656 pndx5016.dll
06.05.2006 19:50 278.528 pncrt.dll
06.05.2006 17:45 16.832 amcompat.tlb
06.05.2006 17:45 23.392 nscompat.tlb
23.04.2006 18:42 129.296 FNTCACHE.DAT
30.03.2006 02:51 4.212 zllictbl.dat
27.03.2006 15:19 0 ssprs.dll
26.03.2006 10:04 311.740 perfh009.dat
26.03.2006 10:04 40.128 perfc009.dat
26.03.2006 10:04 316.924 perfh007.dat
26.03.2006 10:04 48.354 perfc007.dat
26.03.2006 10:04 723.744 PerfStringBackup.INI
16.03.2006 11:34 71.448 zlcommdb.dll
16.03.2006 11:34 79.640 zlcomm.dll
16.03.2006 11:33 100.120 vsxml.dll
16.03.2006 11:33 382.744 vsutil.dll
16.03.2006 11:33 71.448 vsregexp.dll
16.03.2006 11:33 227.096 vspubapi.dll
16.03.2006 11:33 104.216 vsmonapi.dll
16.03.2006 11:33 141.080 vsinit.dll
16.03.2006 11:33 372.824 vsdatant.sys
16.03.2006 11:32 83.736 vsdata.dll
16.03.2006 11:16 54.960 vsutil_loc0407.dll

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7081-E2C0

Verzeichnis von C:\DOKUME~1\Gerd\LOKALE~1\Temp

09.06.2006 00:31 49.152 ~DFCD84.tmp
09.06.2006 00:11 16.384 ~DFCC02.tmp
08.06.2006 22:15 16.384 ~DF7D1B.tmp
08.06.2006 22:15 16.384 ~DF76D0.tmp
08.06.2006 22:13 55.296 mkvbm10119.tmp
08.06.2006 22:10 49.152 ~DFA1B1.tmp
6 Datei(en) 202.752 Bytes
0 Verzeichnis(se), 44.019.990.528 Bytes frei

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7081-E2C0

Verzeichnis von C:\WINDOWS

09.06.2006 00:34 1.129 win.ini
08.06.2006 21:50 0 0.log
08.06.2006 21:49 0 TempFile
08.06.2006 21:48 2.048 bootstat.dat
08.06.2006 21:36 429.726 WindowsUpdate.log
08.06.2006 21:26 472 RTPLOT.INI
08.06.2006 18:48 163 NeroDigital.ini
27.05.2006 13:10 323 WISO.INI
23.05.2006 12:09 50 wiaservc.log
23.05.2006 12:09 216 wiadebug.log
18.05.2006 12:38 105 wininit.ini
16.05.2006 22:52 884.882 setupapi.log
14.05.2006 05:26 113.995 wmsetup.log
06.05.2006 20:29 1.292 cdPlayer.ini
06.05.2006 17:46 378 wmsetup10.log
06.05.2006 17:35 316.640 WMSysPr9.prx
06.05.2006 13:47 332 system.ini
04.05.2006 19:33 6.874 aksdrvsetup.log
23.04.2006 15:55 8.011 Directx.log

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7081-E2C0

Verzeichnis von C:\

09.06.2006 00:39 0 sys.txt
09.06.2006 00:39 6.078 system.txt
09.06.2006 00:39 539 systemtemp.txt
09.06.2006 00:39 102.755 system32.txt
09.06.2006 00:34 36.342 winzip.log
08.06.2006 21:48 1.048.576.000 pagefile.sys
06.05.2006 13:47 210 boot.ini
05.05.2006 07:57 3.019 zeiparm4.dat
23.04.2006 18:39 5.705 BM2005Setup.log

#2 tschuralsum

virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\mmf.sys

poste den Bericht

---------------

1.
spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> entpacken auf dem Desktop -> spyfalcon.reg ->doppeltklicken und der Registry mit "ja/yes" beifügen

2.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Zitat

registry keys to delete:
HKEY_CLASSES_ROOT\CLSID\{A85C4A1B-BD36-44E5-A70F-8EC347D9B24F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A85C4A1B-BD36-44E5-A70F-8EC347D9B24F}
HKEY_LOCAL_MACHINE\SOFTWARE\Bookedspace
HKEY_CURRENT_USER\software\clipgenie
HKEY_CURRENT_USER\software\traynotifier\clipgenie
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\clipgenie
HKEY_LOCAL_MACHINE\software\traynotifier\clipgenie
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bookedspace
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bsx3

Files to delete:
C:\WINDOWS\system32\stdole3.tlb
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\bs3.dll
C:\zeiparm4.dat
C:\Dokumente und Einstellungen\Gerd\Lokale Einstellungen\Temp\mkvbm10119.tmp
C:\Dokumente und Einstellungen\All Users\Startmenü\remove spyware.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Online Security Guide.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Security Troubleshooting.url

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

poste den report vom Avenger,der erscheint

3.
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

O2 - BHO: CExtension Object - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Programme\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
O8 - Extra context menu item: &Search - http://ky.bar.need2find.com/KY/menusearch.html?p=KY
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605688.exe

PC neustarten

4.
smitfraudfix
http://virus-protect.org/artikel/tools/smitfrautfix.html
. doppelklick smitfraudfix.cmd
. schreibe: 1 (es wird ein Report von den infizierten Dateien erstellt)
. doppelklick smitfraudfix.cmd
. schreibe: 2

. auf die Frage: "Voulez-vous nettoyer le registre ?" antworte mit: o [o/n] , falls festgestellt wird, dass die Datei wininet.dll infiziert ist, antworte auf die Frage: " Corriger le fichier infecté ?" mit o [o/n]

die Taskleiste verschwindet + Bildschirm..alles wird blau werden...warte...
wenn der Scan beeendet ist, kopiere die Logfile ab [C:\rapport.txt]

**
5.
Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren. (dann nach der Reinigung wieder aktivieren)

**
6.
Counterspy
http://virus-protect.org/counterspy.html
* nach dem Scan muss man sich entscheiden für:

*Ignore
*Remove --> Status: Deleted
*Quarantaine

wähle immer Remove und starte den PC neu (dann kopiere den Scanreport ab
__________
MfG Sabina

rund um die PC-Sicherheit

#3 STATUS: FINISHEDComplete scanning result of "mmf.sys", received in VirusTotal at 06.10.2006, 18:21:26 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CLASSES_ROOT\CLSID\{A85C4A1B-BD36-44E5-A70F-8EC347D9B24F}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CURRENT_USER\software\clipgenie


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CURRENT_USER\software\traynotifier\clipgenie


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jottaeri

*******************

Script file located at: \??\C:\WINDOWS\flvifntj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\stdole3.tlb deleted successfully.
File C:\WINDOWS\system32\ot.ico deleted successfully.
File C:\WINDOWS\system32\ts.ico deleted successfully.
File C:\WINDOWS\system32\regperf.exe deleted successfully.
File C:\WINDOWS\bs3.dll deleted successfully.
File C:\zeiparm4.dat deleted successfully.


File C:\Dokumente und Einstellungen\Gerd\Lokale Einstellungen\Temp\mkvbm10119.tmp not found!
Deletion of file C:\Dokumente und Einstellungen\Gerd\Lokale Einstellungen\Temp\mkvbm10119.tmp failed!

Could not process line:
C:\Dokumente und Einstellungen\Gerd\Lokale Einstellungen\Temp\mkvbm10119.tmp
Status: 0xc0000034



File C:\Dokumente und Einstellungen\All Users\Startmenü\remove spyware.url not found!
Deletion of file C:\Dokumente und Einstellungen\All Users\Startmenü\remove spyware.url failed!

Could not process line:
C:\Dokumente und Einstellungen\All Users\Startmenü\remove spyware.url
Status: 0xc0000034

File C:\Dokumente und Einstellungen\All Users\Startmenü\Online Security Guide.url deleted successfully.
File C:\Dokumente und Einstellungen\All Users\Startmenü\Security Troubleshooting.url deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Bookedspace deleted successfully.


Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\clipgenie not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\clipgenie failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\traynotifier\clipgenie not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\traynotifier\clipgenie failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bookedspace not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bookedspace failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bsx3 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bsx3 failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

#4 o.k.
nun arbeite alles weitere ab
ich hoffe, dass Counterspy den Bookedspace loescht..poste also alle scanreporte.

von smitfraud.fix-> C:\rapport.txt
und vom Counterspy
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Ich kann Counterspy nicht installieren. Es kommt immer folgende Meldung:
Der Zugriff auf Windows Script Host wurde für diesen Computer deaktiviert. Wenden Sie sich an ihren Administrator um weitere Details in Erfahrung zu bringen.




SmitFraudFix v2.57

Scan done at 19:24:02,23, 10.06.2006
Run from C:\Dokumente und Einstellungen\Gerd\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Gerd\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#6 wenn du xpantispy installiert hast , schalte den host dort frei.
oder:
Schau mal, ob es in der Registry (Start -> Ausführen -> regedit) bei dir unter:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

einen Eintrag mit dem Namen Enabled gibt. Wenn ja, dann weise diesem den Wert 1 zu, dann ist der Scripting Host wieder aktiviert. (dann den PC neustarten)
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Spyware Scan Details
Start Date: 13.06.2006 22:55:48
End Date: 13.06.2006 23:30:28
Total Time: 34 mins 40 secs

Detected spyware

BearShare P2P Program more information...
Details: BearShare is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Deleted

Infected files detected
c:\programme\bearshare\bearshare.dat
c:\programme\bearshare\bearshare.exe
c:\programme\bearshare\bsidle.dll
c:\programme\bearshare\freepeers.ini
c:\programme\bearshare\history.txt
c:\programme\bearshare\install.log
c:\programme\bearshare\runmsc.dll
c:\programme\bearshare\unwise.exe
c:\programme\bearshare\unwise.ini
c:\programme\bearshare\webstats.bat
c:\programme\bearshare\webstats.exe
c:\programme\bearshare\webstats.ini
c:\programme\bearshare\db\config.bin
c:\programme\bearshare\db\connect.txt
c:\programme\bearshare\db\gwebcache.dat
c:\programme\bearshare\db\hostiles-chat.txt
c:\programme\bearshare\db\hostiles.txt
c:\programme\bearshare\db\library.2.db
c:\programme\bearshare\db\library.2.db.lastgoodload.bak
c:\programme\bearshare\db\library.db
c:\programme\bearshare\db\library.db.lastgoodload.bak
c:\programme\bearshare\db\searches.ini
c:\programme\bearshare\installer\bsinstallde.exe
c:\programme\bearshare\logs\console.txt
c:\programme\bearshare\logs\hosts-state.txt
c:\programme\bearshare\logs\memory.txt
c:\programme\bearshare\logs\ordinal.txt
c:\programme\bearshare\logs\streams.txt
c:\programme\bearshare\sounds\notify.wav
c:\programme\bearshare\temp\tmpsuper.kickers.2006.-.ep10.-.sieg.und.niederlage.by.sn1p3r[ohne.intro].avi
c:\programme\bearshare\temp\tmpsuper.kickers.2006.-.ep10.-.sieg.und.niederlage.by.sn1p3r[ohne.intro].dat
c:\programme\bearshare\temp\tmpsuper.kickers.2006.-.ep10.-.sieg.und.niederlage.by.sn1p3r[ohne.intro].dat.bak
c:\programme\bearshare\temp\tmpsuper.kickers.2006.-.ep10.-.sieg.und.niederlage.by.sn1p3r[ohne.intro].tiger
c:\dokumente und einstellungen\all users\startmenü\programme\bearshare.lnk
c:\programme\ahead\nerovision\nevideofx.dll

Infected registry entries detected
HKEY_CLASSES_ROOT\gnufile
HKEY_CLASSES_ROOT\gnufile\shell\open\command "C:\Programme\BearShare\BearShare.exe" "%1"
HKEY_CLASSES_ROOT\gnufile gnutella
HKEY_CLASSES_ROOT\gnufile BrowserFlags 8
HKEY_CLASSES_ROOT\gnufile EditFlags 65536
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 C:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR C:\Programme\BearShare\
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current C:\Programme\BearShare\sounds\notify.wav
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare BearShare
HKEY_LOCAL_MACHINE\software\bearshare
HKEY_LOCAL_MACHINE\software\bearshare InstallDir C:\Programme\BearShare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayName BearShare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare UninstallString C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayVersion 5.2.1.2DE
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare HelpLink http://bearshare.de/Help/index.htm
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare Publisher Free Peers, Inc.
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare URLInfoAbout http://www.freepeers.com
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayIcon C:\Programme\BearShare\BearShare.exe,-128
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_USERS\.default\appevents\schemes\apps\bearshare
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current C:\Programme\BearShare\sounds\notify.wav
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_USERS\.default\appevents\schemes\apps\bearshare BearShare
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32 C:\Programme\Ahead\NeroVision\NeVideoFX.dll
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32 ThreadingModel Both
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} Distortion - Water
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} trgkohoAOzmq ozLrtbsDSJFrAyZ]
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} SeIdYxawgzile hzTXJTjJZmGZhByrV
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} qpzzd eoQ_JLeI[nzIWKzb
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} swoalp FeDhMPPjbiUDSpk_ZzI
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} CfpN l{tVunHTrMCA`rWt^yx}sg
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} ujaCXdJ i@u[T[QV_vicMu^[q}TrtMfN
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} cvwJvk K]HqW\\hxB[WVfjTuOdapQd}kW|fXo
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} mkKuSzxlC vUptMb~S\lFUWhy~WgfL~xYySlPK
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} yrXowuwppmmrJ ~jrIYoUREBDexz~p\nN]Pixp[@Lw
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} wlcillgkrmoz MHyBGiAR|ipBveLetjfoCX[FZ
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} RgGh wrs\jZq~h{NwPc|fezL@zSVd|WE[`R
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} IjwnhI KENnAYnDgdPfwlHN\eMo\bxk
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} fKOjoffbsh ^UPpfZzp[oMtSYXxTWo@]vY]@
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E} hTBJOaq
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17} BearShare
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17} Version 5,2,1,2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17} ComponentID BearShare
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17} IsInstalled 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17} Locale DE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BearShare
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BearShare SlowInfoCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BearShare Changed 0


webHancer Adware (General) more information...
Details: webHancer is an adware application started at Windows startup that monitors web sites being viewed and sends performance data on them back to webHancer's servers. This occurs unknown to the user.
Status: Deleted

Infected files detected
c:\programme\whinstall\license.txt
c:\programme\whinstall\readme.txt
c:\programme\whinstall\whagent.inf
c:\programme\whinstall\whagent.ini
c:\programme\whinstall\whinstaller.exe
c:\programme\whinstall\whinstaller.ini
c:\windows\whinstaller.exe
c:\windows\whagent.inf
c:\windows\whinstaller.ini

Infected registry entries detected
HKEY_CLASSES_ROOT\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0}
HKEY_CLASSES_ROOT\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0}\TypeLib {C8CB3870-CDFE-11D3-976A-00E02913A9E0}
HKEY_CLASSES_ROOT\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} IWhIeHelperObj
HKEY_CLASSES_ROOT\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}
HKEY_CLASSES_ROOT\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}\1.0\0\win32 C:\Program Files\webHancer\programs\whiehlpr.dll
HKEY_CLASSES_ROOT\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}\1.0\HELPDIR C:\Program Files\webHancer\programs\
HKEY_CLASSES_ROOT\typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0}\1.0 IWhIeHelperObj 1.0 Type Library
HKEY_LOCAL_MACHINE\software\webhancer
HKEY_LOCAL_MACHINE\software\webhancer\CC DistTag OVERNET
HKEY_LOCAL_MACHINE\software\webhancer\CC id 0
HKEY_LOCAL_MACHINE\software\webhancer
HKEY_LOCAL_MACHINE\software\webhancer BaseDir C:\Program Files\webHancer
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer BaseDir C:\Program Files\webHancer
HKEY_CLASSES_ROOT\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32 C:\Program Files\webHancer\programs\whiehlpr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\webhancer\CC id 0


RXToolbar Toolbar more information...
Details: RXToolbar is an Internet Explorer toolbar that shows links for the current page being viewed, targetted through www.searchenginebar.com.
Status: Deleted

Infected files detected
c:\programme\rxtoolbar\cachecatolog.rx

Infected registry entries detected
HKEY_CURRENT_USER\Software\RX Toolbar


Twain Tech Adware (General) more information...
Details: Twain-Tech is an adware based Internet Explorer browser helper object that deliver targeted ads based on a user’s browsing patters. Twain-Tech does not provide any other relevant purpose other then to display pop-up ads.
Status: Deleted

Infected files detected
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys


AFX Windows Rootkit 2003 Backdoor more information...
Details: AFX Windows Rootkit 2003 is a backdoor trojan.
Status: Deleted

Infected files detected
c:\windows\system32\process.exe


DesktopScam Trojan Downloader more information...
Details: DesktopScam is a trojan that is downloaded with rogue security applicatons in order to frighten the affected user into purchasing the rogue program.
Status: Deleted

Infected files detected
c:\dokumente und einstellungen\all users\desktop\security troubleshooting.url
c:\dokumente und einstellungen\gerd\favoriten\antivirus test online.url

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Security Toolbar DisplayName Security Toolbar
HKEY_CLASSES_ROOT\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}
HKEY_CLASSES_ROOT\clsid\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}\InprocServer32 C:\Programme\Security Toolbar\Security Toolbar.dll
HKEY_CLASSES_ROOT\clsid\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} SecurityToolbar
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Security Toolbar
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Security Toolbar DisplayName Security Toolbar
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Security Toolbar UninstallString "C:\Programme\Security Toolbar\Uninstall.bat" "C:\Programme\Security Toolbar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wininet.dll


Virtual-IE.MsMovies Adware (General) more information...
Status: Deleted

Infected files detected
c:\windows\system32\cmd.com
c:\windows\system32\netstat.com
c:\windows\system32\ping.com
c:\windows\system32\regedit.com
c:\windows\system32\taskkill.com
c:\windows\system32\tasklist.com
c:\windows\system32\tracert.com


WhenU.Save Adware (General) more information...
Details: WhenU.SaveNow is an adware application that displays pop-up advertising on the desktop in response to users' web browsing.
Status: Deleted

Infected files detected
C:\Programme\BearShare\RunMSC.dll

Infected registry entries detected
HKEY_CLASSES_ROOT\runmsc.loader.1\clsid
HKEY_CLASSES_ROOT\runmsc.loader.1\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_CLASSES_ROOT\runmsc.loader\clsid
HKEY_CLASSES_ROOT\runmsc.loader\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_CLASSES_ROOT\runmsc.loader\curver
HKEY_CLASSES_ROOT\runmsc.loader\curver RunMSC.Loader.1
HKEY_CLASSES_ROOT\wusn.1
HKEY_CLASSES_ROOT\wusn.1 WUSN_Id
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97} ILoader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 C:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\ProgID RunMSC.Loader.1
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\VersionIndependentProgID RunMSC.Loader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07} Loader Class
HKEY_CURRENT_USER\SOFTWARE\WhenU


PartyPoker Potentially Unwanted Program more information...
Details: PartyPoker is an online gambling application that requires the user to download its software in order to play.
Status: Ignored

Infected files detected
C:\Programme\PartyGaming.net\PartyPokerNet\Images\ppicon.ico
C:\Programme\PartyGaming.net\PartyPokerNet\Images\pp_browser.ico


BookedSpace Browser Plug-in more information...
Details: BookedSpace is an Internet Explorer Browser Helper Object used to show popup advertising.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\appid\bookedspace.dll
HKEY_CLASSES_ROOT\appid\bookedspace.dll AppID {5CD19420-B328-47D5-A55F-1C07638EFDF8}
HKEY_CLASSES_ROOT\bookedspace.extension
HKEY_CLASSES_ROOT\bookedspace.extension\CLSID {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F}
HKEY_CLASSES_ROOT\bookedspace.extension\CurVer BookedSpace.Extension.3
HKEY_CLASSES_ROOT\bookedspace.extension CExtension Object
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f}
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f}\InprocServer32 C:\WINDOWS\bs3.dll
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f}\InprocServer32 ThreadingModel apartment
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f}\ProgID BookedSpace.Extension.3
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f}\TypeLib {5CD19420-B328-47D5-A55F-1C07638EFDF8}
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f}\VersionIndependentProgID BookedSpace.Extension
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f} CExtension Object
HKEY_CLASSES_ROOT\clsid\{a85c4a1b-bd36-44e5-a70f-8ec347d9b24f} AppID {5CD19420-B328-47D5-A55F-1C07638EFDF8}
HKEY_CLASSES_ROOT\BookedSpace.Extension.3
HKEY_CLASSES_ROOT\BookedSpace.Extension.3\CLSID {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F}
HKEY_CLASSES_ROOT\BookedSpace.Extension.3 CExtension Object


NavExcel Search Toolbar Toolbar more information...
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\appid\nhelper.dll
HKEY_CLASSES_ROOT\appid\nhelper.dll AppID {710BCB5B-8C6C-483E-A4F5-FAF083B13184}
HKEY_CLASSES_ROOT\NavExcel.NavHelper.1
HKEY_CLASSES_ROOT\NavExcel.NavHelper.1\CLSID {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}
HKEY_CLASSES_ROOT\NavExcel.NavHelper.1 NavHelper Class
HKEY_CLASSES_ROOT\NavExcel.NavHelper
HKEY_CLASSES_ROOT\NavExcel.NavHelper\CLSID {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}
HKEY_CLASSES_ROOT\NavExcel.NavHelper\CurVer NavExcel.NavHelper.1
HKEY_CLASSES_ROOT\NavExcel.NavHelper NavHelper Class
HKEY_CLASSES_ROOT\AppID\{710BCB5B-8C6C-483E-A4F5-FAF083B13184}
HKEY_CLASSES_ROOT\AppID\{710BCB5B-8C6C-483E-A4F5-FAF083B13184} NavHelper
HKEY_CLASSES_ROOT\Typelib\{fa4de133-d3c3-4ed4-92d1-cd4dde839ab3}
HKEY_CLASSES_ROOT\Typelib\{fa4de133-d3c3-4ed4-92d1-cd4dde839ab3}\1.0\0\win32 C:\Programme\NavExcel\NavHelper\v2.0.4a\NHelper.dll
HKEY_CLASSES_ROOT\Typelib\{fa4de133-d3c3-4ed4-92d1-cd4dde839ab3}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\Typelib\{fa4de133-d3c3-4ed4-92d1-cd4dde839ab3}\1.0\HELPDIR C:\Programme\NavExcel\NavHelper\v2.0.4a\
HKEY_CLASSES_ROOT\Typelib\{fa4de133-d3c3-4ed4-92d1-cd4dde839ab3}\1.0 NavExcel 1.0 Type Library
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\TypeLib {FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07} INERedirect


KaZaA P2P Program more information...
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Kazaa
HKEY_CURRENT_USER\Software\Kazaa\Advanced MaxSearchResult 50
HKEY_CURRENT_USER\Software\Kazaa\Advanced SuperNode 0
HKEY_CURRENT_USER\Software\Kazaa\Advanced FFQ [9Z¾g]+‡
HKEY_CURRENT_USER\Software\Kazaa\Advanced SFQ •Í¥»\LˆEZ¼
HKEY_CURRENT_USER\Software\Kazaa\Advanced SDD 1
HKEY_CURRENT_USER\Software\Kazaa\Advanced ScWeeklyDate 20-8-2005
HKEY_CURRENT_USER\Software\Kazaa\Advanced Status Installed
HKEY_CURRENT_USER\Software\Kazaa\DontShow SetDefaultHandler 0
HKEY_CURRENT_USER\Software\Kazaa\DontShow DeletePlaylist 0
HKEY_CURRENT_USER\Software\Kazaa\DontShow CancelDownload 0
HKEY_CURRENT_USER\Software\Kazaa\DontShow CloseToSystray 1
HKEY_CURRENT_USER\Software\Kazaa\InstantMessaging IgnoredUsers
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 0 150
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 1 108
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 2 62
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 3 31
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 4 45
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 5 70
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 6 51
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 7 82
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 8 70
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 9 64
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 10 106
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 11 76
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 12 64
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 13 50
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\AudioWidth 14 180
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\ColumnSortStates1 PlaylistNode 0
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\ColumnSortStates2 PlaylistNode 0
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\ColumnWidths PlaylistNode 117,80,70,70,70,
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\CombinedSortedColumns PlaylistNode
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 0 146
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 1 73
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 2 73
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 3 73
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 4 146
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 5 73
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 6 146
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 7 73
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Download Width 8 146
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\MyKazaaStates Meine Medien 1
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\MyKazaaStates Meine Kapsules 0
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\MyKazaaStates Meine Wiedergabelisten 1
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\Settings WindowPos 0,3,-1,-1,-1,-1,22,29,790,559
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 0 115
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 1 108
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 2 80
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 3 50
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 4 50
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 5 70
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 6 72
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 7 82
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 8 60
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 9 64
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 10 76
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 11 76
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 12 180
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 13 64
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 14 50
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Media Desktop\VideoWidth 15 64
HKEY_CURRENT_USER\Software\Kazaa\LocalContent DisableListFiles 1
HKEY_CURRENT_USER\Software\Kazaa\LocalContent DisableSharing 0
HKEY_CURRENT_USER\Software\Kazaa\Promotions\Broadband BBDbLoc C:\Programme\Kazaa\Db\bb.db
HKEY_CURRENT_USER\Software\Kazaa\Promotions\Broadband NullImageLoc C:\Programme\Kazaa\broadband.gif
HKEY_CURRENT_USER\Software\Kazaa\Promotions\Broadband NullImageLoc2 C:\Programme\Kazaa\broadband2.gif
HKEY_CURRENT_USER\Software\Kazaa\Promotions\Broadband BroadNagCount2 1
HKEY_CURRENT_USER\Software\Kazaa\Promotions\Broadband LastBBShown 1124573560
HKEY_CURRENT_USER\Software\Kazaa\Search 0 jp¾iž
HKEY_CURRENT_USER\Software\Kazaa\Search 1 or¶m•´qW@—É
HKEY_CURRENT_USER\Software\Kazaa\Search 2 e q°,…ú]`WN–ÉîsNƒ
HKEY_CURRENT_USER\Software\Kazaa\Search 3 sn¾
HKEY_CURRENT_USER\Software\Kazaa\Search 4 t¼`‰ç
HKEY_CURRENT_USER\Software\Kazaa\Search 5 C+>—k„ø{
HKEY_CURRENT_USER\Software\Kazaa\Search 6 e>¼c€
HKEY_CURRENT_USER\Software\Kazaa\Search 7 h{¾+Ÿ´ u^M�È
HKEY_CURRENT_USER\Software\Kazaa\Search 8 qpÿi€çl\
HKEY_CURRENT_USER\Software\Kazaa\Settings AutoUpdateSkype 0
HKEY_CURRENT_USER\Software\Kazaa\Settings +
HKEY_CURRENT_USER\Software\Kazaa\Settings Date
HKEY_CURRENT_USER\Software\Kazaa\Settings UseCount 0
HKEY_CURRENT_USER\Software\Kazaa\SOCKS Enabled 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer +
HKEY_CURRENT_USER\Software\Kazaa\Transfer NoUploadLimitWhenIdle 1
HKEY_CURRENT_USER\Software\Kazaa\Transfer UploadBandwidth 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer ConcurrentDownloads 5
HKEY_CURRENT_USER\Software\Kazaa\Transfer ConcurrentUploads 5
HKEY_CURRENT_USER\Software\Kazaa\Transfer CacheHost 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer CachePort 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer CacheDiscoveryTime 1124573094
HKEY_CURRENT_USER\Software\Kazaa\Transfer DlDir0 C:\Programme\Kazaa\My Shared Folder
HKEY_CURRENT_USER\Software\Kazaa Tmp 0
HKEY_CURRENT_USER\Software\Kazaa LastSearchHash


Altnet/Topsearch Browser Plug-in more information...
Details: Altnet/Topsearch is a browser plug-in that acts as search engine for peer-to-peer applications Kazaa and Grokster.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\AppID\Altnet Signing Module.EXE
HKEY_CLASSES_ROOT\AppID\Altnet Signing Module.EXE AppID {8B0FEF15-54DC-49F5-8377-8172DE975F75}
HKEY_CLASSES_ROOT\TopSearch.TSLink.1
HKEY_CLASSES_ROOT\TopSearch.TSLink.1\CLSID {B7156514-A76C-4545-9D5B-A4E1D02C7AEC}
HKEY_CLASSES_ROOT\TopSearch.TSLink.1 TSLink Class
HKEY_CLASSES_ROOT\ADM25.ADM25.1
HKEY_CLASSES_ROOT\ADM25.ADM25.1\CLSID {1D3BCE37-7834-4579-8169-E67681420A98}
HKEY_CLASSES_ROOT\ADM25.ADM25.1 ADM25 Class
HKEY_CLASSES_ROOT\ADM4.ADM4.1
HKEY_CLASSES_ROOT\ADM4.ADM4.1\CLSID {DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2}
HKEY_CLASSES_ROOT\ADM4.ADM4.1 ADM4 Class
HKEY_CLASSES_ROOT\ADM25.ADM25
HKEY_CLASSES_ROOT\ADM25.ADM25\CurVer ADM25.ADM25.1
HKEY_CLASSES_ROOT\ADM25.ADM25 ADM25 Class
HKEY_CLASSES_ROOT\ADM4.ADM4
HKEY_CLASSES_ROOT\ADM4.ADM4\CurVer ADM4.ADM4.1
HKEY_CLASSES_ROOT\ADM4.ADM4 ADM4 Class
HKEY_CLASSES_ROOT\TopSearch.TSLink
HKEY_CLASSES_ROOT\TopSearch.TSLink\CLSID {B7156514-A76C-4545-9D5B-A4E1D02C7AEC}
HKEY_CLASSES_ROOT\TopSearch.TSLink\CurVer TopSearch.TSLink.1
HKEY_CLASSES_ROOT\TopSearch.TSLink TSLink Class


Cydoor Adware (General) more information...
Details: Cydoor is an adware program that downloads advertisements from a server and displays them on your computer.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\cydoor
HKEY_LOCAL_MACHINE\software\cydoor AdwrCnt 0
HKEY_CURRENT_USER\software\cydoor
HKEY_CURRENT_USER\software\cydoor Desc2 ?????????_@??
HKEY_CURRENT_USER\software\cydoor ConnType 1


Altnet P2P Networking Low Risk Adware more information...
Details: Altnet P2P Networking is a program that uses peer-to-peer functionality to enable the delivery of content, including advertising, to PC desktops. This content may be used by other programs.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking SlowInfoCache
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\p2p networking Changed 0


Altnet Download Manager Low Risk Adware more information...
Details: Altnet Download Manager accompanies Altnet P2P Networking and performs the job of downloading content from Altnet's P2P network.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\AppID\adm.EXE
HKEY_CLASSES_ROOT\AppID\adm.EXE AppID {99A8E2B2-3405-4C0D-9110-131C14CAAF62}


eDonkey2000 P2P Program more information...
Details: eDonkey2000 is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}
HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 C:\Programme\eDonkey2000\plugins\ed2kie.dll
HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 ThreadingModel Both
HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\TypeLib {379919F2-1612-45B7-B9F4-773F6D5214F5}
HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\VersionIndependentProgID eD2KDownloadManager.object
HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object


WhenU.WeatherCast Low Risk Adware more information...
Details: WeatherCast is an ad supported desktop weather program that that puts an icon in the system tray displaying the local temperature. It also offers current weather data and forecasts. Weathercast is often bundled with the Save advertising program and/or th
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\software\whenu


NavHelper Hijacker more information...
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc}
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc}\InprocServer32 C:\Programme\NavExcel\NavHelper\v2.0.4a\NHelper.dll
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc}\ProgID NavExcel.NavHelper.1
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc}\TypeLib {FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc}\VersionIndependentProgID NavExcel.NavHelper
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc} NavHelper Class
HKEY_CLASSES_ROOT\clsid\{c1e58a84-95b3-4630-b8c2-d06b77b7a0fc} AppID {710BCB5B-8C6C-483E-A4F5-FAF083B13184}
HKEY_CLASSES_ROOT\AppID\{710BCB5B-8C6C-483E-A4F5-FAF083B13184}
HKEY_CLASSES_ROOT\AppID\{710BCB5B-8C6C-483E-A4F5-FAF083B13184} NavHelper
HKEY_CLASSES_ROOT\AppID\NHelper.DLL AppID {710BCB5B-8C6C-483E-A4F5-FAF083B13184}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\TypeLib {FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07} INERedirect
HKEY_CLASSES_ROOT\NavExcel.NavHelper
HKEY_CLASSES_ROOT\NavExcel.NavHelper\CLSID {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}
HKEY_CLASSES_ROOT\NavExcel.NavHelper\CurVer NavExcel.NavHelper.1
HKEY_CLASSES_ROOT\NavExcel.NavHelper NavHelper Class
HKEY_CLASSES_ROOT\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}
HKEY_CLASSES_ROOT\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}\1.0\0\win32 C:\Programme\NavExcel\NavHelper\v2.0.4a\NHelper.dll
HKEY_CLASSES_ROOT\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}\1.0\HELPDIR C:\Programme\NavExcel\NavHelper\v2.0.4a\
HKEY_CLASSES_ROOT\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3}\1.0 NavExcel 1.0 Type Library


Need2FindBar Potentially Unwanted Program more information...
Details: Need2FindBar is a browser helper object (BHO) toolbar that has a search function.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Need2Find
HKEY_CLASSES_ROOT\MSIEDe1egate.Application.2
HKEY_CLASSES_ROOT\MSIEDe1egate.Application.2\CLSID {0002DF01-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\MSIEDe1egate.Application.2 Internet Exp1orer (Ver 1.38269)
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar\Partner test "C:\Program Files\Altnet\Points Manager\Points Manager.exe" -p 1
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar\Partner PM-Home C:\Program Files\Altnet\Points Manager\Points Manager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar\Partner PM-Points "C:\Program Files\Altnet\Points Manager\Points Manager.exe" -p 1
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar\Partner PM-Redeem "C:\Program Files\Altnet\Points Manager\Points Manager.exe" -p 2
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar\Partner PM-Wallet "C:\Program Files\Altnet\Points Manager\Points Manager.exe" -p 3
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar\Partner PM-Settings "C:\Program Files\Altnet\Points Manager\Points Manager.exe" -p 4
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar pid KC
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar Dir C:\Programme\Need2Find\bar\
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar ShzmCurInstall 1
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar PluginPath C:\Programme\Need2Find\bar\1.bin\
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar CurInstall 1
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar sr 0
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar pl 7
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar Id 311F2B8D-02E6-4E7B-BBCC-520D2F658B57
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar Build 180.27266
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar CacheDir C:\Programme\Need2Find\bar\Cache\
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar Visible 1
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar SettingsDir C:\Programme\Need2Find\bar\Settings\
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar ConfigDateStamp 2005082017
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar HTMLMenuRevision 85
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar Flags 530
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar CfgUrl http://ky.barcfg.need2find.com/speedbar/mySpeedbarCfg2.jsp?s=kb&p=KY
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find\bar HistoryDir C:\Programme\Need2Find\bar\History\


WhenU.WhenUSearch Low Risk Adware more information...
Details: WhenU.WhenUSearch is a desktop search toolbar that displays links to advertised offers in response to users' surfing behavior and opens paid search results when users perform searches through the toolbar's search mechanism.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\WUSN.1
HKEY_CLASSES_ROOT\WUSN.1 WUSN_Id


Advertising.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@advertising[1].txt


ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@atdmt[1].txt


CGI-Bin Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@cgi-bin[2].txt


DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@doubleclick[1].txt


Mediaplex.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@mediaplex[1].txt


BS.Serving-Sys Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@serving-sys[2].txt


Radar Spy 1.0 Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@tradedoubler[1].txt


ValueClick.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\gerd\cookies\gerd@valueclick[1].txt
c:\dokumente und einstellungen\gerd\cookies\gerd@valueclick[2].txt

#8 das sieht doch schon gut aus

1.
ueberpruefe, ob das Programm noch da ist, falls ja...deinstallieren + alles loeschen:
C:\Programme\Security Toolbar
C:\Program Files\Altnet\Points Manager
C:\Programme\Need2Find
C:\Programme\PartyGaming.net
C:\Programme\NavExcel
c:\programme\bearshare
c:\programme\rxtoolbar
c:\programme\whinstall
C:\WINDOWS\bs3.dll

2
TuneUp 2006 (30 Tage free) Shareware
http://virus-protect.org/reinigungstoolsregistry.html
wende an:
Cleanup repair -- TuneUp Diskcleaner
Cleanup repair -- Registry Cleaner

3.
mache bitte einen Onlinescan mit Panda und poste den report
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Beim ActiveScan von Panda kommt immer ein Error

#10 versuche es mal mit dem Trend Micro Anti-Spyware for the Web
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#11 Ich hatte vor kurzem das selbe Problem. Ich habe auch das Antivirenprogramm von avast! Es erkannte die Trojaner und man konnte die verseuchten Dateien in den Container packen und löschen. Aber beim nächsten Gang ins Internet gab es jeweils neue Warnungen, und das Ganze ging von vorne los (Container/löschen)!
Ich wollte den Rechner schon platt machen, durchstöberte aber nocheinmal das Netz und wurde duch Zufall fündig.
Das Programmnennt sich SPYWAREfighter, ist als 30 Tage Schnupperversion runterladbar. Mit dem Scanner des Programms prüfte ich den Rechner. es wurde 92 verwanste Dateien angezeigt, die alle ratz-fatz gelöscht wurden.
Seit diesem Ereignis (Oh, große Freude!!!) kommt keine Warnung mehr und im
avast-Container ist nichts mehr zusehen.So!

#12 wenn es denn mit dem "ratz-fatz" immer so einfach waere............
aber Glueckwunsch, wenn du das wolle-milch-eierlegende Antivirus-Antitrojan-Antispyware-Anti-Adware-Antirootkit-Schnupper-Programm gefunden hast
So.
__________
MfG Sabina

rund um die PC-Sicherheit

#13 hallo Sabina,
Ich hab gesehen wie toll du dem 'tschuralsum' geholfen hast.
Ich hab das gleiche Problem wie er und dachte ich mach ainfach mal das selbe was Bis zum Avenger Programmscheint alles funktioniert zu haben aber dann bekam ich die Meldung:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Fatal error: could not create new script file.
Error code: 0
Error logged to errorlog.txt. Aborting now!


Kannst du mir helfen wo hier das Problem ist.
Viele liebe Grüsse und Danke im Voraus.
Marco

#14 marcosevim

das sind hier ganz individuelle Reinigungen, ich muss erst sehen, was auf deinem Rechner los ist
arbeite das bitte ab und poste die logs.
http://board.protecus.de/t23188.htm
__________
MfG Sabina

rund um die PC-Sicherheit

#15 Achso ist das.
Vielen Dank. Das muss ich mir mal in Ruhe ansehen.
Allerdings hatte ich bis jetzt keine Meldung mehr vom Trojaner.
Vielleicht ist er endlich weg.
Was funktioniert soll man ja nicht ändern.
Wenn er sich wieder meldet geh ich dein Programm durch.
Vielen Dank.
Marco.