Hijacker ? Probleme mit 4 Trojanern - TR/Agent.RI TR/Click.526 TR/Puper.BX.. |
||
---|---|---|
#0
| ||
23.07.2006, 23:42
Ehrenmitglied
Beiträge: 29434 |
||
|
||
24.07.2006, 00:40
Member
Beiträge: 23 |
#62
hier das log vom ewido:
--------------------------------------------------------- ewido anti-spyware - Scan-Bericht --------------------------------------------------------- + Erstellt um: 00:34:51 24.07.2006 + Scan-Ergebnis: [188] VM_00D60000 -> Downloader.Agent.uj : Fehler während der Säuberung. [212] VM_00C80000 -> Downloader.Agent.uj : Fehler während der Säuberung. [844] VM_009E0000 -> Downloader.Agent.uj : Fehler während der Säuberung. ::Berichtende Der Start der silentrunners.vbs hat zur Folge, daß ein Fenster aufgeht, in dem steht: windows script host der Zugriff auf Windows Script Host wurde für diesen Computer deaktiviert. Wenden Sie sich an Ihren Administator, um weitere Details in Erfahrung zu bringen. OK zu Anklicken. ???? Gruß, Uli Dieser Beitrag wurde am 24.07.2006 um 00:51 Uhr von Uli B editiert.
|
|
|
||
24.07.2006, 12:39
Ehrenmitglied
Beiträge: 29434 |
#63
Zitat Was den "Silentrunners" angeht...der funktioniert leider nicht. bekomme immer die meldung: "Der Zugriff auf Windows Script Host wurde für diesen Computer deaktiviert." und ich solle mich an den Administrator wenden.Schau mal, ob es in der Registry (Start -> Ausführen -> regedit) bei dir unter: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings einen Eintrag mit dem Namen Enabled gibt. Wenn ja, dann weise diesem den Wert 1 zu, dann ist der Scripting Host wieder aktiviert. (dann den PC neustarten) ** andere Moeglichkeit, falls xpantispy installiert ist : dort den Host freischalten __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
24.07.2006, 18:35
Member
Beiträge: 23 |
#64
Gute Tipp, der erste führte zum Ziel.
Hier erst der log, der von alleine kommt, und dann der, den man bekommt, wenn man auf nein klickt. Bin gespannt, was noch alles drauf ist... "Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "InfoCockpit" = "C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE /nosplash" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Dit" = "Dit.exe" ["ICSI Technology Ltd."] "Verknüpfung mit der High Definition Audio-Eigenschaftenseite" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"] "Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "Keyboard Status" = "C:\PROGRA~1\Medion\KeyStat\KeyStat.exe" [null data] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "RemoteControl" = ""C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."] "PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."] "avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS] "iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."] "T-Online DSL-Manager" = ""C:\Programme\T-Online\DSL-Manager\TODslMgr.exe"" ["T-Systems International GmbH"] "ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["T-Online International AG, Marmiko IT-Solutions GmbH"] "dmhie.exe" = "C:\WINDOWS\system32\dmhie.exe" [file not found] "!ewido" = ""C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! "System" = "csgcd.exe" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Active Desktop web content: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\ "FriendlyName" = "Security" "Source" = "C:\WINDOWS\desktop.html" "SubscribedURL" = "C:\WINDOWS\desktop.html" Startup items in "Surfen" & "All Users" startup folders: -------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "hp psc 1000 series" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."] "hpoddt01.exe" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"] Enabled Scheduled Tasks: ------------------------ "1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"] "FRU Task #Hewlett-Packard#hp psc 1200 series#1119696064" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1119696064"" [empty string] "WebReg 20050625124638" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe /TaskName 20050625124638 /N "HP psc 1200 Series" /M Q1662A /S MY4CAG107RT0 /AP 303 /F /T " ["Hewlett-Packard Co."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\spacklsp.dll [null data], 01 - 05, 11 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 33 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.5.0_01" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."] {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\ Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.aldi.com Missing lines (compared with English-language version): [Strings]: 1 line HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"] AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe" [null data] CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe"" [empty string] CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe"" ["Cyberlink"] CyberLink Task Scheduler (CTS), CLSched, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe"" [empty string] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."] iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Sygate Personal Firewall, SmcService, "C:\Programme\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."] T-Online DSL-Manager, TODslService, ""C:\Programme\T-Online\DSL-Manager\TODslSvc.exe"" ["T-Systems International GmbH"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt07\Driver = "hpzsnt07.dll" ["HP"] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 33 seconds, including 18 seconds for message boxes) hier der zweite log: "Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "InfoCockpit" = "C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE /nosplash" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Dit" = "Dit.exe" ["ICSI Technology Ltd."] "Verknüpfung mit der High Definition Audio-Eigenschaftenseite" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"] "Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "Keyboard Status" = "C:\PROGRA~1\Medion\KeyStat\KeyStat.exe" [null data] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "RemoteControl" = ""C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."] "PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."] "avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS] "iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."] "T-Online DSL-Manager" = ""C:\Programme\T-Online\DSL-Manager\TODslMgr.exe"" ["T-Systems International GmbH"] "ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["T-Online International AG, Marmiko IT-Solutions GmbH"] "dmhie.exe" = "C:\WINDOWS\system32\dmhie.exe" [file not found] "!ewido" = ""C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! "System" = "csgcd.exe" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Active Desktop web content: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\ "FriendlyName" = "Security" "Source" = "C:\WINDOWS\desktop.html" "SubscribedURL" = "C:\WINDOWS\desktop.html" DESKTOP.INI DLL launch in local fixed drive directories: -------------------------------------------------------- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Verlauf\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Verlauf\History.IE5\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Temporary Internet Files\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Temporary Internet Files\Content.IE5\38OSCHEE\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DS2GMDXX\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Temporary Internet Files\Content.IE5\N1LMMA6C\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Temporary Internet Files\Content.IE5\TG8F1BL9\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Verlauf\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Moni & Uli-offline\Lokale Einstellungen\Verlauf\History.IE5\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Temporary Internet Files\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\38OSCHEE\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DS2GMDXX\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\N1LMMA6C\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\TG8F1BL9\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Verlauf\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Raimo\Lokale Einstellungen\Verlauf\History.IE5\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Temporary Internet Files\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Temporary Internet Files\Content.IE5\38OSCHEE\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Temporary Internet Files\Content.IE5\DS2GMDXX\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Temporary Internet Files\Content.IE5\N1LMMA6C\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Temporary Internet Files\Content.IE5\TG8F1BL9\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Verlauf\DESKTOP.INI -- cannot be opened! C:\Dokumente und Einstellungen\Root\Lokale Einstellungen\Verlauf\History.IE5\DESKTOP.INI -- cannot be opened! Startup items in "Surfen" & "All Users" startup folders: -------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "hp psc 1000 series" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."] "hpoddt01.exe" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"] Enabled Scheduled Tasks: ------------------------ "1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"] "FRU Task #Hewlett-Packard#hp psc 1200 series#1119696064" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1119696064"" [empty string] "WebReg 20050625124638" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe /TaskName 20050625124638 /N "HP psc 1200 Series" /M Q1662A /S MY4CAG107RT0 /AP 303 /F /T " ["Hewlett-Packard Co."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\spacklsp.dll [null data], 01 - 05, 11 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 33 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.5.0_01" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."] {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\ Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.aldi.com Missing lines (compared with English-language version): [Strings]: 1 line HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"] AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe" [null data] CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe"" [empty string] CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe"" ["Cyberlink"] CyberLink Task Scheduler (CTS), CLSched, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe"" [empty string] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."] iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Sygate Personal Firewall, SmcService, "C:\Programme\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."] T-Online DSL-Manager, TODslService, ""C:\Programme\T-Online\DSL-Manager\TODslSvc.exe"" ["T-Systems International GmbH"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt07\Driver = "hpzsnt07.dll" ["HP"] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 81 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 9 seconds. ---------- (total run time: 113 seconds) |
|
|
||
24.07.2006, 21:30
Ehrenmitglied
Beiträge: 29434 |
#65
1.
Gehe in die registry Start - Ausfuehren - regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "dmhie.exe"--> loeschen HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System" = "csgcd.exe"--> loeschen HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "FriendlyName" = "Security" --> loeschen "Source" = "C:\WINDOWS\desktop.html" --> loeschen "SubscribedURL" = "C:\WINDOWS\desktop.html" --> loeschen 2. Avenger: Zitat Files to delete:PC neustarten ** 3. berichte __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
24.07.2006, 23:47
Member
Beiträge: 23 |
#66
dmhie gibt es da nicht
csgcd gibt es auch nicht die anderen drei habe ich gelöscht. anbei die logs von Avenger und silentrunners Gruß, Uli Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\hjfqlayd ******************* Script file located at: \??\C:\WINDOWS\system32\bgxwvmjn.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\csgcd.exe deleted successfully. File C:\WINDOWS\system32\dmhie.exe not found! Deletion of file C:\WINDOWS\system32\dmhie.exe failed! Could not process line: C:\WINDOWS\system32\dmhie.exe Status: 0xc0000034 File C:\WINDOWS\desktop.html not found! Deletion of file C:\WINDOWS\desktop.html failed! Could not process line: C:\WINDOWS\desktop.html Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate. "Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "InfoCockpit" = "C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE /nosplash" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Dit" = "Dit.exe" ["ICSI Technology Ltd."] "Verknüpfung mit der High Definition Audio-Eigenschaftenseite" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"] "Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "Keyboard Status" = "C:\PROGRA~1\Medion\KeyStat\KeyStat.exe" [null data] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "RemoteControl" = ""C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."] "PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."] "avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS] "iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."] "T-Online DSL-Manager" = ""C:\Programme\T-Online\DSL-Manager\TODslMgr.exe"" ["T-Systems International GmbH"] "ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["T-Online International AG, Marmiko IT-Solutions GmbH"] "dmhie.exe" = "C:\WINDOWS\system32\dmhie.exe" [file not found] "!ewido" = ""C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! "System" = "csgcd.exe" [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Active Desktop web content: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\ "FriendlyName" = "" "Source" = "" "SubscribedURL" = "" Startup items in "Surfen" & "All Users" startup folders: -------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "hp psc 1000 series" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."] "hpoddt01.exe" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"] Enabled Scheduled Tasks: ------------------------ "1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"] "FRU Task #Hewlett-Packard#hp psc 1200 series#1119696064" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1119696064"" [empty string] "WebReg 20050625124638" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe /TaskName 20050625124638 /N "HP psc 1200 Series" /M Q1662A /S MY4CAG107RT0 /AP 303 /F /T " ["Hewlett-Packard Co."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\spacklsp.dll [null data], 01 - 05, 11 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 33 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.5.0_01" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."] {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\ Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.aldi.com Missing lines (compared with English-language version): [Strings]: 1 line HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"] AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe" [null data] CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe"" [empty string] CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe"" ["Cyberlink"] CyberLink Task Scheduler (CTS), CLSched, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe"" [empty string] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."] iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Sygate Personal Firewall, SmcService, "C:\Programme\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."] T-Online DSL-Manager, TODslService, ""C:\Programme\T-Online\DSL-Manager\TODslSvc.exe"" ["T-Systems International GmbH"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt07\Driver = "hpzsnt07.dll" ["HP"] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 49 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 9 seconds. ---------- (total run time: 80 seconds) |
|
|
||
24.07.2006, 23:54
Ehrenmitglied
Beiträge: 29434 |
#67
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Die Datei "fixme.reg" auf dem Desktop doppelklicken und der Registry mit "ja" oder "yes" beifügen Zitat REGEDIT4PC neustarten poste das neue Log vom Silentrunner __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
25.07.2006, 00:21
Member
Beiträge: 23 |
#68
ich habe in der zwischenzeit nochmal regedit im account gemacht, in dem ich die zugangsrechte einstellen kann. Da habe ich die Dateien gefunden und gelöscht.
Es hat nichts erkennbares geändert. Anbei die avenger logs aus dem root account und dem "surf" account mit admin rechten. Ich mache mich gleich an die Anweisungen von oben. Danke, Gruß, Uli Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\rhqcahqn ******************* Script file located at: \??\C:\WINDOWS\mcuyskjh.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\csgcd.exe not found! Deletion of file C:\WINDOWS\system32\csgcd.exe failed! Could not process line: C:\WINDOWS\system32\csgcd.exe Status: 0xc0000034 File C:\WINDOWS\system32\dmhie.exe not found! Deletion of file C:\WINDOWS\system32\dmhie.exe failed! Could not process line: C:\WINDOWS\system32\dmhie.exe Status: 0xc0000034 File C:\WINDOWS\desktop.html not found! Deletion of file C:\WINDOWS\desktop.html failed! Could not process line: C:\WINDOWS\desktop.html Status: 0xc0000034 Completed script processing. ******************* Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\vbioxkko ******************* Script file located at: \??\C:\WINDOWS\rviasllf.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\csgcd.exe not found! Deletion of file C:\WINDOWS\system32\csgcd.exe failed! Could not process line: C:\WINDOWS\system32\csgcd.exe Status: 0xc0000034 File C:\WINDOWS\system32\dmhie.exe not found! Deletion of file C:\WINDOWS\system32\dmhie.exe failed! Could not process line: C:\WINDOWS\system32\dmhie.exe Status: 0xc0000034 File C:\WINDOWS\desktop.html not found! Deletion of file C:\WINDOWS\desktop.html failed! Could not process line: C:\WINDOWS\desktop.html Status: 0xc0000034 Completed script processing. ******************* regedit4 Befehle durchgeführt anbei der letzte silentrunner log "Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "InfoCockpit" = "C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE /nosplash" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "Dit" = "Dit.exe" ["ICSI Technology Ltd."] "Verknüpfung mit der High Definition Audio-Eigenschaftenseite" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"] "Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "Keyboard Status" = "C:\PROGRA~1\Medion\KeyStat\KeyStat.exe" [null data] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "RemoteControl" = ""C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."] "PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."] "avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS] "iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."] "T-Online DSL-Manager" = ""C:\Programme\T-Online\DSL-Manager\TODslMgr.exe"" ["T-Systems International GmbH"] "ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["T-Online International AG, Marmiko IT-Solutions GmbH"] "!ewido" = ""C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension" \InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Active Desktop web content: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\ "FriendlyName" = "" "Source" = "" "SubscribedURL" = "" Startup items in "Surfen" & "All Users" startup folders: -------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "hp psc 1000 series" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."] "hpoddt01.exe" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"] Enabled Scheduled Tasks: ------------------------ "1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"] "FRU Task #Hewlett-Packard#hp psc 1200 series#1119696064" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1119696064"" [empty string] "WebReg 20050625124638" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe /TaskName 20050625124638 /N "HP psc 1200 Series" /M Q1662A /S MY4CAG107RT0 /AP 303 /F /T " ["Hewlett-Packard Co."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\spacklsp.dll [null data], 01 - 05, 11 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 33 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.5.0_01" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."] {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\ Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.aldi.com Missing lines (compared with English-language version): [Strings]: 1 line HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"] AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe" [null data] CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe"" [empty string] CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe"" ["Cyberlink"] CyberLink Task Scheduler (CTS), CLSched, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe"" [empty string] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."] iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Sygate Personal Firewall, SmcService, "C:\Programme\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."] T-Online DSL-Manager, TODslService, ""C:\Programme\T-Online\DSL-Manager\TODslSvc.exe"" ["T-Systems International GmbH"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt07\Driver = "hpzsnt07.dll" ["HP"] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 44 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 9 seconds. ---------- (total run time: 73 seconds) Dieser Beitrag wurde am 25.07.2006 um 01:32 Uhr von Uli B editiert.
|
|
|
||
25.07.2006, 19:42
Ehrenmitglied
Beiträge: 29434 |
#69
es ist alles sauber ..uff
wie geht es dem Desktop ? __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
25.07.2006, 21:14
Member
Beiträge: 23 |
#70
wow, das war ein langer Kampf - ist das immer so oder war mein Rechner besonders verseucht?
Der desktop ist noch immer nicht richtig, er ist grau, wenn die Maus draufzeigt, wenn die Maus auf irgendeinem Symbol ist, wird er heller - und irgendwas bringt mein speedport dazu, online zu gehen (wenigstens leuchtet die LED), bevor ich irgend einen account ausgewählt habe. Vorab schon mal vielen vielen Dank, daß Du es so lange mit meinem Rechner und mir ausgehalten hast. Gibt es irgendwelche Sicherheitseinstellungen, die ich unbedingt wieder einstellen muß - von denen Du weißt, daß sie verstellt sind? ewido zeigt gerade trackingcookie.ivwbox und .mediaplex an - er kann sie löschen. Gut so. Nochmals vielen vielen Dank, Uli Oh weh, geht es weiter? Soeben hat antivir heur/hijacker gemeldet. Der kam, als ich winpfind.exe das erste mal zugelassen hatte. antivir zeigt auch c:\....\winpfhind.exe an. Ich habe den heur/hijacker löschen lassen. Reicht das? Dieser Beitrag wurde am 25.07.2006 um 21:21 Uhr von Uli B editiert.
|
|
|
||
25.07.2006, 22:14
Moderator
Beiträge: 7805 |
#71
Das ist ein Fehlalarm der Heuristik. Ich habe die Datei mal eingeschickt. Da du mit Winpfind schon gearbeitet hast, ist es nicht so schlimm, das du die Datei loeschen lassen hast.
__________ MfG Ralf SEO-Spam Hunter |
|
|
||
26.07.2006, 13:41
Ehrenmitglied
Beiträge: 29434 |
#72
scanne bitte mit smitfraud.fix
http://virus-protect.org/artikel/tools/smitfrautfix.html es wird den Desktop-Hintergrund wieder geraderuecken - in MS-blau poste die reporte von Option 1 und 2 __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
27.07.2006, 23:32
Member
Beiträge: 23 |
#73
Hallo Sabina,
vielen Dank. Der Hintergrund ist wieder so, wie er mal war. Ich fürchte, ich habe noch nicht alles hinter mir. WEnn ich den Rechner starte und nicht irgend einen account wähle, sondern einfach nur warte, geht mein modem/router online und bleibt online, obwohl ich eingestellt habe, daß es nach einer Minute Inaktivität offline gehen soll. Wenn ich den LAN Stecker aus dem Rechner ziehe, geht es nach 1 min offline. Der Rechner hat so ein leises Glucksen, als würde die Festplatte lesen oder schreiben.... Das ganze gilt auch, wenn ich als irgend ein user eingeloggt bin. Da scheint noch was im Hintergrund zu nuckeln....??? Ich nehme an, jetzt ist es an der Zeit, mal alle Paßwörter zu ändern? Kennst Du auch jemanden, der einem so kompetent durch die Wirrungen der Telekom Software und den Umgang mit dem Speedport W501V hilft? Vielen Dank und viele Grüße, Uli Hier die log files: SmitFraudFix v2.76 Scan done at 23:06:34,54, 27.07.2006 Run from C:\Dokumente und Einstellungen\All Users\Dokumente\www\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Surfen\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\Surfen\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Programme »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="" "SubscribedURL"="" "FriendlyName"="" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End SmitFraudFix v2.76 Scan done at 23:13:39,39, 27.07.2006 Run from C:\Dokumente und Einstellungen\All Users\Dokumente\www\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End Dieser Beitrag wurde am 28.07.2006 um 00:14 Uhr von Uli B editiert.
|
|
|
||
28.07.2006, 12:41
Ehrenmitglied
Beiträge: 29434 |
#74
vielleicht ist noch was von der Schadware auf dem Rechner....
scanne mit spybot und poste den report http://www.safer-networking.org/en/download/index.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
29.07.2006, 23:51
Member
Beiträge: 23 |
#75
Sorry, hat ne Weile gedauert.
habe den Spybot gleich "reparieren" lassen. Gruß, Uli Trotz der Erfolgsmeldungen vom spybot geht der Rechner online, zumindest zeigt das speedport das online Lämchen, nach dem Hochfahren, bevor ich einen user ausgewählt habe. Wenn ich dann einen ausgewählt habe, fährt der hoch und dann kommen bei bestehender lan Verbindung folgende Meldungen vom sygate, die ich mit "no" beantworte: NDIS user mode I/O Driver (ndisuio.sys) contacted from remote machine 208.175.160.126... und Generic host Process for Win 32 Services (svchost.exe) is being contacted from remote machine 208.175.160.126 usingn local port 1030(IAD1-BBn IAD)... Ein DSL manager will auch noch vom Rechner ins Netz und ewido will sich updaten.. Den letzten lasse ich zu. UND das Modem geht NICHT nach einer Minute offline, was es tut, wenn ich die lan Verbindung ziehe.. nun die logs vom spybot: --- Report generated: 2006-07-29 23:18 --- Vcodec.eMedia: Root class (Registrierungsdatenbank-Schlüssel, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VSEnchancer.Chl Microsoft.WindowsSecurityCenter_disabled: Einstellungen (Registrierungsdatenbank-Änderung, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2 CoolWWWSearch.SearchToolbar: Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done) HKEY_USERS\S-1-5-21-3502422098-1231007713-3040123213-1012\Software\SearchToolbar CoolWWWSearch.SearchToolbar: IE-Toolbar (Registrierungsdatenbank-Schlüssel, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar Pipas.A: Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins --- Spybot - Search & Destroy version: 1.4 (build: 20050523) --- 2005-05-31 blindman.exe (1.0.0.1) 2005-05-31 SpybotSD.exe (1.4.0.3) 2005-05-31 TeaTimer.exe (1.4.0.2) 2006-07-29 unins000.exe (51.41.0.0) 2005-05-31 Update.exe (1.4.0.0) 2006-02-06 advcheck.dll (1.0.2.0) 2005-05-31 aports.dll (2.1.0.0) 2005-05-31 borlndmm.dll (7.0.4.453) 2005-05-31 delphimm.dll (7.0.4.453) 2005-05-31 SDHelper.dll (1.4.0.0) 2006-02-20 Tools.dll (2.0.0.2) 2005-05-31 UnzDll.dll (1.73.1.1) 2005-05-31 ZipDll.dll (1.73.2.0) 2006-07-28 Includes\Cookies.sbi (*) 2006-07-28 Includes\Dialer.sbi (*) 2006-07-28 Includes\Hijackers.sbi (*) 2006-07-28 Includes\Keyloggers.sbi (*) 2006-07-28 Includes\Malware.sbi (*) 2006-07-28 Includes\PUPS.sbi (*) 2006-07-28 Includes\Revision.sbi (*) 2006-07-28 Includes\Security.sbi (*) 2006-07-28 Includes\Spybots.sbi (*) 2005-02-17 Includes\Tracks.uti 2006-07-28 Includes\Trojans.sbi (*) --- Report generated: 2006-07-29 23:19 --- Vcodec.eMedia: Root class (Registrierungsdatenbank-Schlüssel, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VSEnchancer.Chl Microsoft.WindowsSecurityCenter_disabled: Einstellungen (Registrierungsdatenbank-Änderung, fixed) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2 CoolWWWSearch.SearchToolbar: Einstellungen (Registrierungsdatenbank-Schlüssel, fixed) HKEY_USERS\S-1-5-21-3502422098-1231007713-3040123213-1012\Software\SearchToolbar CoolWWWSearch.SearchToolbar: IE-Toolbar (Registrierungsdatenbank-Schlüssel, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar Pipas.A: Einstellungen (Registrierungsdatenbank-Schlüssel, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins --- Spybot - Search & Destroy version: 1.4 (build: 20050523) --- 2005-05-31 blindman.exe (1.0.0.1) 2005-05-31 SpybotSD.exe (1.4.0.3) 2005-05-31 TeaTimer.exe (1.4.0.2) 2006-07-29 unins000.exe (51.41.0.0) 2005-05-31 Update.exe (1.4.0.0) 2006-02-06 advcheck.dll (1.0.2.0) 2005-05-31 aports.dll (2.1.0.0) 2005-05-31 borlndmm.dll (7.0.4.453) 2005-05-31 delphimm.dll (7.0.4.453) 2005-05-31 SDHelper.dll (1.4.0.0) 2006-02-20 Tools.dll (2.0.0.2) 2005-05-31 UnzDll.dll (1.73.1.1) 2005-05-31 ZipDll.dll (1.73.2.0) 2006-07-28 Includes\Cookies.sbi (*) 2006-07-28 Includes\Dialer.sbi (*) 2006-07-28 Includes\Hijackers.sbi (*) 2006-07-28 Includes\Keyloggers.sbi (*) 2006-07-28 Includes\Malware.sbi (*) 2006-07-28 Includes\PUPS.sbi (*) 2006-07-28 Includes\Revision.sbi (*) 2006-07-28 Includes\Security.sbi (*) 2006-07-28 Includes\Spybots.sbi (*) 2005-02-17 Includes\Tracks.uti 2006-07-28 Includes\Trojans.sbi (*) --- Report generated: 2006-07-29 23:33 --- Gratulation!: Es wurden keine Spione gefunden. () --- Spybot - Search & Destroy version: 1.4 (build: 20050523) --- 2005-05-31 blindman.exe (1.0.0.1) 2005-05-31 SpybotSD.exe (1.4.0.3) 2005-05-31 TeaTimer.exe (1.4.0.2) 2006-07-29 unins000.exe (51.41.0.0) 2005-05-31 Update.exe (1.4.0.0) 2006-02-06 advcheck.dll (1.0.2.0) 2005-05-31 aports.dll (2.1.0.0) 2005-05-31 borlndmm.dll (7.0.4.453) 2005-05-31 delphimm.dll (7.0.4.453) 2005-05-31 SDHelper.dll (1.4.0.0) 2006-02-20 Tools.dll (2.0.0.2) 2005-05-31 UnzDll.dll (1.73.1.1) 2005-05-31 ZipDll.dll (1.73.2.0) 2006-07-28 Includes\Cookies.sbi (*) 2006-07-28 Includes\Dialer.sbi (*) 2006-07-28 Includes\Hijackers.sbi (*) 2006-07-28 Includes\Keyloggers.sbi (*) 2006-07-28 Includes\Malware.sbi (*) 2006-07-28 Includes\PUPS.sbi (*) 2006-07-28 Includes\Revision.sbi (*) 2006-07-28 Includes\Security.sbi (*) 2006-07-28 Includes\Spybots.sbi (*) 2005-02-17 Includes\Tracks.uti 2006-07-28 Includes\Trojans.sbi (*) Dieser Beitrag wurde am 30.07.2006 um 00:11 Uhr von Uli B editiert.
|
|
|
||
http://virus-protect.org/silentrunner.html
__________
MfG Sabina
rund um die PC-Sicherheit