SpywareQuake-Befall - Was tun??

#16 0.
der Scanreport von f-secure muss irgendwo im Proggie gespeichert sein...er interessiert mich sehr !!!

1.
loesche: C:\WINDOWS\system32\components

2.
Gehe in die registry
Start - Ausfuehren - regedit
bearbeiten - suchen - > INSTAFIN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\INSTAFIN<--loeschen
HEY_CURRENT_USER\Software\INSTAFIN<--loeschen

PC neustarten

3.
desinstalliere: INSTAFINK
http://securityresponse.symantec.com/avcenter/venc/data/adware.instafinder.html

C:\Programme\
04.03.2005 22:47 <DIR> INSTAFINK

loesche :
C:\Programme\INSTAFINK\instafink.dll
C:\Programme\INSTAFINK\uninstall.exe
C:\WINDOWS\\Downloaded Program Files\instafin.dll

3.
poste noch einmal die logs von datfindbat (bis Februar 2006)
__________
MfG Sabina

rund um die PC-Sicherheit

#17 Wie komme ich in die Proggie?

Haben die Registrierung auf InstaFin etc. durchsucht und nichts gefunden.

datfind.bat:

Datentr„ger in Laufwerk C: ist PROGRAMME
Volumeseriennummer: 7877-D03F

Verzeichnis von C:\WINDOWS\system32

04.07.2006 20:31 207.689 IKAutoUp.log
04.07.2006 16:31 94.208 msnsrv.exe
14.05.2006 20:45 2.184 wpa.dbl
29.04.2006 22:48 137.036 AdobeFnt.lst
27.04.2006 17:49 288.417 SrchSTS.exe
26.03.2006 12:27 307.816 FNTCACHE.DAT
14.02.2006 20:05 7.168 Thumbs.db
23.01.2006 13:25 65.536 GuardNT.cpl


Datentr„ger in Laufwerk C: ist PROGRAMME
Volumeseriennummer: 7877-D03F

Verzeichnis von C:\DOKUME~1\Marlene\LOKALE~1\Temp

04.07.2006 20:52 512 ~DFFBFA.tmp
04.07.2006 20:49 136 hpotdd004.log
04.07.2006 20:49 1.090 jusched.log
04.07.2006 20:31 135 hpotdd003.log
04.07.2006 20:25 136 hpotdd002.log
04.07.2006 20:19 136 hpotdd001.log
04.07.2006 19:51 136 hpotdd000.log
04.07.2006 18:41 136 hpotdd006.log
04.07.2006 18:31 244 tmp7BC.tmp
04.07.2006 18:03 512 ~DFA574.tmp
04.07.2006 18:02 16.384 ~WRF0001.tmp
04.07.2006 17:52 512 ~DF1F42.tmp
12 Datei(en) 20.069 Bytes
0 Verzeichnis(se), 19.295.928.320 Bytes frei

Datentr„ger in Laufwerk C: ist PROGRAMME
Volumeseriennummer: 7877-D03F

Verzeichnis von C:\WINDOWS

04.07.2006 20:49 0 0.log
04.07.2006 20:48 159 wiadebug.log
04.07.2006 20:48 2.048 bootstat.dat
04.07.2006 20:31 50 wiaservc.log
04.07.2006 20:31 32.622 SchedLgU.Txt
04.07.2006 20:31 1.227.061 WindowsUpdate.log
04.07.2006 17:43 1.902.644 setupapi.log
04.07.2006 16:36 176.139 setupact.log
03.07.2006 16:43 29.944 wmsetup.log
14.06.2006 08:34 6.096 ModemLog_Bluetooth Fax Modem.txt
09.06.2006 18:15 387 system.ini
27.05.2006 20:52 2.014 ModemLog_Siemens Mobile Phone USB Modem.txt
10.03.2006 16:25 65.536 DUMPff07.tmp
04.03.2006 15:41 244.929 iis6.log
04.03.2006 15:41 41.066 ntdtcsetup.log
04.03.2006 15:41 68.137 comsetup.log
04.03.2006 15:41 6.206 tabletoc.log
04.03.2006 15:41 88.506 tsoc.log
04.03.2006 15:41 22.678 netfxocm.log
04.03.2006 15:41 104.555 ocgen.log
04.03.2006 15:41 7.077 ocmsn.log
04.03.2006 15:41 1.891 imsins.log
04.03.2006 15:41 9.252 msgsocm.log
04.03.2006 15:41 166.591 FaxSetup.log
04.03.2006 15:39 62.070 msmqinst.log
14.02.2006 20:14 75.264 Thumbs.db
18.01.2006 19:02 65.536 DUMP04b4.tmp


Datentr„ger in Laufwerk C: ist PROGRAMME
Volumeseriennummer: 7877-D03F

Verzeichnis von C:\

04.07.2006 21:00 0 sys.txt
04.07.2006 21:00 9.331 windows.txt
04.07.2006 20:59 9.331 system.txt
04.07.2006 20:59 841 temp.txt
04.07.2006 20:58 841 systemtemp.txt
04.07.2006 20:57 111.750 system32.txt
04.07.2006 20:48 805.306.368 pagefile.sys
04.07.2006 19:02 4.485 files.txt
04.07.2006 19:01 105 neu.bat
04.07.2006 16:51 722.548 hpfr3600.log
04.07.2006 16:36 1.649 rapport.txt
04.07.2006 16:06 3.010 avenger.txt
03.07.2006 16:15 1.271 c.txt
27.05.2006 20:31 175.700 SDSSetup.log
29.04.2006 22:48 495 stub.log
08.12.2005 02:13 13.312 Thumbs.db

#18 diese msnsrv.exe war doch schon geloescht...wieso taucht die wieder auf
File C:\WINDOWS\system32\msnsrv.exe deleted successfully.
??????????????

virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\msnsrv.exe

poste den bericht
__________
MfG Sabina

rund um die PC-Sicherheit

#19 STATUS: FINISHEDComplete scanning result of "msnsrv.exe", received in VirusTotal at 07.04.2006, 22:48:12 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 Worm/Gaobot.94208.C
Authentium 4.93.8 07.04.2006 no virus found
Avast 4.7.844.0 07.03.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.04.2006 no virus found
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 no virus found
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2285 07.04.2006 no virus found
Ewido 3.5 07.04.2006 no virus found
Fortinet 2.77.0.0 07.03.2006 suspicious
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 no virus found
Kaspersky 4.0.2.24 07.04.2006 no virus found
McAfee 4799 07.04.2006 W32/Sdbot.worm.gen.h
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1644 07.04.2006 no virus found
Norman 5.90.23 07.04.2006 no virus found
Panda 9.0.0.4 07.04.2006 W32/Gaobot.NNF.worm
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 no virus found
TheHacker 5.9.8.168 07.03.2006 no virus found
UNA 1.83 07.04.2006 no virus found
VBA32 3.11.0 07.04.2006 no virus found
VirusBuster 4.3.7:9 07.04.2006 no virus found


Aditional Information
File size: 94208 bytes
MD5: 0d05988845c1bf9c186579c1bf05fd04
SHA1: 8c9deed994f0dd4996bdad8ddae0b1296f83e149

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

#20 1.
lade noch mal und klicke doppelt (ich habe dort auch die bereinigung von dieser exe reingepackt

spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> entpacken auf dem Desktop -> spyfalcon.reg ->doppeltklicken und der Registry mit "ja/yes" beifügen

2.
avenger:

Zitat

Files to delete:
C:\WINDOWS\system32\msnsrv.exe

3.
scanne mit Panda und poste den scanreport
http://virus-protect.org/onlinescan.html

4.
poste noch mal das komplette log vom Silentrunner + das 1. Log von datfindbat
__________
MfG Sabina

rund um die PC-Sicherheit

#21 avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\befwfary

*******************

Script file located at: \??\C:\dbvcfuyi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger




*******************

Beginning to process script file:

File C:\WINDOWS\system32\msnsrv.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Rest folgt..

Panda:


Incident Status Location

Adware:adware/savenow Not disinfected c:\windows\system32\ap2nqrd4.dat
Adware:adware/sahagent Not disinfected c:\windows\system32\ritsacnk.dat
Adware:adware/wupd Not disinfected c:\windows\system32\AP9H4QMO.INI
Adware:adware/quicksearch Not disinfected c:\windows\downloaded program files\Install.inf
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/altnet Not disinfected c:\program files\Altnet
Adware:adware/instafinder Not disinfected c:\programme\INSTAFINK
Adware:adware/ncase Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:Bck/Sdbot.ELC Disinfected C:\WINDOWS\system32\TFTP3536
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL
Potentially unwanted tool:Application/SpywareStormer Not disinfected C:\WINDOWS\Downloaded Program Files\Install.dll
Spyware:Cookie/Atwola Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@atwola[1].txt
Spyware:Cookie/Adverserve Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@adverserve[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@belnk[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@as1.falkag[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@dist.belnk[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@mediaplex[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@ehg-idg.hitbox[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@advertising[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@tradedoubler[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@as-eu.falkag[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Dokumente und Einstellungen\Marlene\Cookies\marlene@adtech[2].txt
Virus:W32/Bagle.pwdzip Disinfected C:\Dokumente und Einstellungen\Marlene\Eigene Dateien\Anwendungen\SmitfraudFix.zip
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Marlene\Eigene Dateien\Unzipped\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Spyware/BetterInet Not disinfected C:\Dokumente und Einstellungen\Oliver\Lokale Einstellungen\Temp\drp1.tmp\thnall1s.exe
Spyware:Cookie/Sextracker Not disinfected C:\Dokumente und Einstellungen\Oliver\Cookies\oliver@sextracker[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Dokumente und Einstellungen\Oliver\Cookies\oliver@cs.sexcounter[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Dokumente und Einstellungen\Oliver\Cookies\oliver@counter9.sextracker[1].txt
Spyware:Cookie/Adverserve Not disinfected C:\Dokumente und Einstellungen\Oliver\Cookies\oliver@adverserve[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\Dokumente und Einstellungen\Oliver\Cookies\oliver@paycounter[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\Oliver\Cookies\oliver@as1.falkag[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Dokumente und Einstellungen\Oliver\Cookies\oliver@counter3.sextracker[1].txt
Spyware:Cookie/Adverserve Not disinfected C:\Dokumente und Einstellungen\Gast.LENES-PC\Cookies\gast@adverserve[1].txt
Virus:W32/Gaobot.NNF.worm Disinfected C:\avenger\backup.zip[avenger/msnsrv.exe]
Virus:W32/Gaobot.NNF.worm Disinfected C:\avenger\backup-04.07.2006-23.23.23,34.zip[avenger/msnsrv.exe]


"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"ares" = ""C:\Programme\Ares Lite Edition\Ares.exe" -h" [file not found]
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"Win32" = "msnsrv.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Anvshell" = "C:\WINDOWS\Anvshell.exe" ["AsusTeK Computer Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"nForce Tray Options" = "sstray.exe /r" ["NVIDIA Corporation"]
"TCASUTIEXE" = "TCAUDIAG.exe -on" [empty string]
"ASUS Probe" = "C:\Program Files\ASUS\Probe\AsusProb.exe" [null data]
"SunJavaUpdateSched" = "C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"WinPatrol" = ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"" [file not found]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HP Software Update" = "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [null data]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" ["HP"]
"DeviceDiscovery" = "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"msnappau" = ""C:\Programme\MSN Apps\Updater\01.02.0002.1001\de-at\msnappau.exe"" [file not found]
"Ikarus-AutoUpdate" = "C:\WINDOWS\System32\IKAutoUp.exe /LOG" ["Ikarus Software Wien"]
"Siemens SmartSync - ScheduleSync" = "C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE" [empty string]
"Guard NT" = "C:\Programme\aon\aonVirenchecker\GuardNT\GuardNT.exe /STARTDLG /CPYTOKEN" ["Ikarus Software Wien"]
"Win32" = "msnsrv.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [file not found]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
-> {HKLM...CLSID} = "Desktop-Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {HKLM...CLSID} = "PropPage Class"
\InProcServer32\(Default) = "C:\Programme\Symantec\Norton Ghost 2002\GhoShExt.dll" ["Symantec Corporation"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "Meine Digitalkamera"
-> {HKLM...CLSID} = "Meine Digitalkamera"
\InProcServer32\(Default) = "C:\Programme\PhotoDeluxe HE 3.1\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"
-> {HKLM...CLSID} = "Siemens Device"
\InProcServer32\(Default) = "C:\Programme\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"
-> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"
\InProcServer32\(Default) = "C:\Programme\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"
-> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"
\InProcServer32\(Default) = "C:\Programme\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "Bluetooth-Umgebung"
\InProcServer32\(Default) = "C:\WINDOWS\System32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Marlene\Anwendungsdaten\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Marlene" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"BTTray" -> shortcut to: "C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe" ["WIDCOMM, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN Toolbar"
\InProcServer32\(Default) = "C:\Programme\MSN Toolbar\01.01.1601.0\msgr.de.de-at\msntb.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN Toolbar"
\InProcServer32\(Default) = "C:\Programme\MSN Toolbar\01.01.1601.0\msgr.de.de-at\msntb.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Bluetooth Service, btwdins, "C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
Guard NT, Guard NT, "C:\Programme\aon\aonVirenchecker\GuardNT\guardNt.exe /DAVE" ["Ikarus Software Wien"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt08\Driver = "hpzsnt08.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 216 seconds, including 14 seconds for message boxes)




**********************************************************
datfind.bat folgt morgen, da sich momentan nur das DOS-Fenster öffnet, aber nicht der Editor... Gehe jetzt schlafen und versuche es morgen nochmals. ;-)

Gute Nacht und auf alle Fälle vielen Dank nochmals!

#22 Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Die Datei "fixme.reg" auf dem Desktop doppelklicken und der Registry mit "ja" oder "yes" beifügen

Zitat

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32"=-

[-HKEY_CLASSES_ROOT\CLSID\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}]

**
Avenger

Zitat

Files to delete:
c:\windows\system32\ap2nqrd4.dat
c:\windows\system32\ritsacnk.dat
c:\windows\system32\AP9H4QMO.INI
c:\windows\downloaded program files\Install.inf
c:\windows\smdat32m.sys
C:\WINDOWS\system32\TFTP3536
C:\Dokumente und Einstellungen\Oliver\Lokale Einstellungen\Temp\drp1.tmp\thnall1s.exe
C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL
C:\WINDOWS\Downloaded Program Files\Install.dll

loesche manuell:
C:\WINDOWS\system32\P2P Networking
c:\program files\Altnet
c:\programme\INSTAFINK
C:\Dokumente und Einstellungen\Oliver\Lokale Einstellungen\Temp\drp1.tmp
C:\avenger\backup.zip

**
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Klicke den Link: "F-Secure Online Scanner Next Generation Beta".
2. Du wirst aufgefordert werden, ein ActiveX-Control zu installieren
3. Installiere diese ActiveX-Komponente
4. Lies die Anleitung und klicke: "Accept"
5. Klicke "Full System Scan"
6. klicke "Show report" - kopiere den Scanreport

**
poste das Log von winpfind
http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit

#23 datfind.bat log:

Datentr„ger in Laufwerk C: ist PROGRAMME
Volumeseriennummer: 7877-D03F

Verzeichnis von C:\WINDOWS\system32

05.07.2006 00:55 209.647 IKAutoUp.log
05.07.2006 00:26 94.208 msnsrv.exe
04.07.2006 23:29 0 asfiles.txt
04.07.2006 23:26 30.590 pavas.ico
04.07.2006 23:26 1.406 Help.ico
04.07.2006 23:26 2.550 Uninstall.ico
14.05.2006 20:45 2.184 wpa.dbl
29.04.2006 22:48 137.036 AdobeFnt.lst
27.04.2006 17:49 288.417 SrchSTS.exe
06.04.2006 10:54 73.728 asuninst.exe
03.04.2006 10:59 128 xposer.cfg
03.04.2006 10:59 128 asinst.cfg
26.03.2006 12:27 307.816 FNTCACHE.DAT
14.02.2006 20:05 7.168 Thumbs.db
23.01.2006 13:25 65.536 GuardNT.cpl

* Habe schon wieder Probleme beim Posten des "F-Secure-OnlineScanner"-Report. Wenn ich auf Show report klicke, streikt mein Browser: "Keine Rückmeldung".


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
Umonitor 28.04.1999 01:01:12 331776 C:\WINDOWS\SYSTEM32\ipebase12.dll
UPX! 09.01.2006 10:36:04 42496 C:\WINDOWS\SYSTEM32\swreg.exe
PEC2 23.08.2001 12:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
winsync 23.08.2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 09.01.2006 10:36:06 40960 C:\WINDOWS\SYSTEM32\swsc.exe
Umonitor 29.08.2002 03:43:28 660480 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 27.04.2006 17:49:30 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 09.07.2005 11:03:06 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
SAHAgent 07.02.2005 08:41:08 35 C:\WINDOWS\SYSTEM32\q17i9a4j.ini
SAHAgent 07.02.2005 08:41:08 35 C:\WINDOWS\SYSTEM32\a95kfrhe.ini
PEC2 12.09.1998 10:32:00 751080 C:\WINDOWS\SYSTEM32\WIN32.TLB

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
27.06.2006 08:31:04 H 8628 C:\WINDOWS\Help\netcfg.GID
05.07.2006 08:05:16 H 6 C:\WINDOWS\Tasks\SA.DAT
28.05.2006 12:36:20 H 0 C:\WINDOWS\LastGood.Tmp\INF\oem18.inf
28.05.2006 12:36:20 H 0 C:\WINDOWS\LastGood.Tmp\INF\oem18.PNF
04.07.2006 23:26:28 H 0 C:\WINDOWS\LastGood\INF\oem19.inf
04.07.2006 23:26:28 H 0 C:\WINDOWS\LastGood\INF\oem19.PNF

Checking for CPL files...
FotoNation inc. 14.01.1999 11:48:54 26624 C:\WINDOWS\SYSTEM32\CAMCPL.CPL
Microsoft Corporation 29.08.2002 03:43:42 132096 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 29.08.2002 03:43:42 125440 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29.08.2002 03:43:42 583680 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 23.08.2001 12:00:00 152064 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29.08.2002 03:43:42 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29.08.2002 03:43:42 66560 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 23.08.2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 23.08.2001 12:00:00 566272 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 23.08.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 23.08.2001 12:00:00 259072 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23.08.2001 12:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 23.08.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 23.08.2001 12:00:00 111616 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 29.08.2002 03:43:42 272896 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23.08.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 23.08.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
WIDCOMM, Inc. 15.09.2003 16:54:18 245819 C:\WINDOWS\SYSTEM32\btcpl.cpl
NVIDIA Corporation 02.05.2003 08:19:00 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
NVIDIA Corporation 05.12.2002 12:22:20 73728 C:\WINDOWS\SYSTEM32\sscpl.cpl
Microsoft Corporation 23.08.2001 13:00:00 68096 C:\WINDOWS\SYSTEM32\access.cpl
Sun Microsystems 19.11.2003 17:48:12 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Ahead Software AG 09.10.2002 12:36:12 57344 C:\WINDOWS\SYSTEM32\NeroBurnRights.cpl
Ikarus Software Wien 23.01.2006 13:25:58 65536 C:\WINDOWS\SYSTEM32\GuardNT.cpl
Ahead Software AG 29.07.2003 17:09:40 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Ikarus Software Wien 02.02.2005 17:24:50 49152 C:\WINDOWS\SYSTEM32\IKAutoUp.cpl
Microsoft Corporation 23.08.2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 23.08.2001 13:00:00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 23.08.2001 12:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 23.08.2001 12:00:00 152064 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 23.08.2001 12:00:00 566272 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 23.08.2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 23.08.2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 23.08.2001 12:00:00 259072 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 23.08.2001 12:00:00 111616 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 23.08.2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 23.08.2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
26.03.2005 16:31:46 681 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\BTTray.lnk
20.12.2003 01:59:28 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
22.12.2003 02:50:14 1658 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\InterVideo WinCinema Manager.lnk
21.12.2003 23:16:00 1627 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
19.12.2003 21:43:06 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
05.03.2006 12:34:48 HS 142 C:\Dokumente und Einstellungen\Marlene\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
19.12.2003 21:43:06 62 C:\Dokumente und Einstellungen\Marlene\Anwendungsdaten\desktop.ini
03.04.2005 12:26:26 0 C:\Dokumente und Einstellungen\Marlene\Anwendungsdaten\dm.ini
03.12.2005 12:37:20 46280 C:\Dokumente und Einstellungen\Marlene\Anwendungsdaten\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
Crazy Browser 1.0.5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
=

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN Toolbar : C:\Programme\MSN Toolbar\01.01.1601.0\msgr.de.de-at\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CCA281CA-C863-46ef-9331-5C8D4460577F}
ButtonText = @btrez.dll,-4015 :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN Toolbar : C:\Programme\MSN Toolbar\01.01.1601.0\msgr.de.de-at\msntb.dll
{855F3B16-6D32-4FE6-8A56-BBB695989046} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Anvshell C:\WINDOWS\Anvshell.exe
nwiz nwiz.exe /install
nForce Tray Options sstray.exe /r
TCASUTIEXE TCAUDIAG.exe -on
ASUS Probe C:\Program Files\ASUS\Probe\AsusProb.exe
SunJavaUpdateSched C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
WinPatrol "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
HP Software Update C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
DeviceDiscovery C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
msnappau "C:\Programme\MSN Apps\Updater\01.02.0002.1001\de-at\msnappau.exe"
Ikarus-AutoUpdate C:\WINDOWS\System32\IKAutoUp.exe /LOG
Siemens SmartSync - ScheduleSync C:\PROGRA~1\MOBILE~1\SMARTS~1\SCHEDU~1.EXE
Guard NT C:\Programme\aon\aonVirenchecker\GuardNT\GuardNT.exe /STARTDLG /CPYTOKEN
Win32 msnsrv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Win32 msnsrv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
ares "C:\Programme\Ares Lite Edition\Ares.exe" -h
MsnMsgr "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
Win32 msnsrv.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mirabilis ICQ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQNet
hkey HKLM
command C:\PROGRA~1\ICQ\ICQNet.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQNet
hkey HKLM
command C:\PROGRA~1\ICQ\ICQNet.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 05.07.2006 09:18:52

#24 Hinweis:
wenn du den Gaobot-Wurm nicht geloeschst bekommst...musst du formatieren
----------------------------------------------------------------------------------
1.
gehe in die Registry
Start - Ausfuehren - regedit
bearbeiten - suchen -

- Win32
- msnsrv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Win32 msnsrv.exe -->loeschen

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Win32 msnsrv.exe -->loeschen

2.
loeschen:
C:\WINDOWS\SYSTEM32\q17i9a4j.ini
C:\WINDOWS\SYSTEM32\a95kfrhe.ini

3.
C:\WINDOWS\system32\msnsrv.exe -> rechtsklick - > umbenennen -> von msnsrv.exe in msnsrv.old

PC neustarten

-------------
4.
Antivirus
scanne im abgesicherten modus und poste dann den scanreport

5.
dann poste noch mal das erste log von datfindbat und Winpfind
__________
MfG Sabina

rund um die PC-Sicherheit

#25 Ich kann diese Datei msnsrv.exe nicht umbenennen - Dialogfenster erscheint, dass die Datei schreibgeschützt ist oder gerade verwendet wird...

#26 Schritt 1
Erstelle eine neue Datei C:\bad

Schritt 2 :
Start - Ausführen - cmd (reinschreiben)

kopiere in das DOS-Fenster:
-- und klicke -- [enter]

Zitat

move C:\WINDOWS\system32\msnsrv.exe C:\bad

Schritt 3 :
C:\bad loeschen

dann poste das 1.Log von datfindbat, um zu sehen, ob die exe sich neu erstellt hat.
__________
MfG Sabina

rund um die PC-Sicherheit