Explorer/virus scanner/Adaware crash
#0
02.12.2006, 10:49
...new here
Posts: 8
02.12.2006, 17:32
Honorary member
Posts: 29434
#2
ver_me

Anyone who downloads KillAndClean shouldn't be surprised by a wrecked computer.

0. http://www.f-secure.com/blacklight/
Run the file, accept the licence agreement and choose Scan. When the scan is finished, click Next and then Close. There is now an FSB*.TXT file in the same folder as Blacklight; post the report.

1. Post this log: http://virus-protect.org/artikel/tools/combofix.html

2. Set up CleanUp exactly as described here: http://virus-protect.org/cleanup.html

3. Copy these 6 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date (copy only the last 3 months). http://virus-protect.org/datfindbat.html

__________
Regards, Sabina
all about PC security

02.12.2006, 19:39
...new here
Thread starter, Posts: 8
#3
Hello Sabina,
A MILLION THANKS for your help! Here is the F-Secure logfile; combofix (1) doesn't run - not in safe mode either. Can I delete Kill&Clean already? Do you have an alternative to Combofix or another idea? And should I carry out steps 2 and 3, or does step 1 have to be completed first? Thank you!!!!!!!!!!!!!!

And here is the logfile:

12/02/06 18:36:26 [Info]: BlackLight Engine 1.0.47 initialized
12/02/06 18:36:26 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/02/06 18:36:27 [Note]: 7019 4
12/02/06 18:36:27 [Note]: 7005 0
12/02/06 18:36:32 [Note]: 7006 0
12/02/06 18:36:32 [Note]: 7011 1908
12/02/06 18:36:32 [Note]: 7026 0
12/02/06 18:36:32 [Note]: 7026 0
12/02/06 18:36:43 [Note]: FSRAW library version 1.7.1020
12/02/06 18:40:05 [Note]: 7006 0
12/02/06 18:40:05 [Note]: 7011 1908
12/02/06 18:40:06 [Note]: 7026 0
12/02/06 18:40:06 [Note]: 7026 0
12/02/06 18:40:08 [Note]: FSRAW library version 1.7.1020
12/02/06 18:47:43 [Info]: Hidden file: c:\WINDOWS\system32\csdwj.exe
12/02/06 18:47:43 [Note]: 7002 32
12/02/06 18:47:43 [Note]: 7003 1
12/02/06 18:47:43 [Note]: 10002 1
12/02/06 18:47:44 [Info]: Hidden file: c:\WINDOWS\system32\filesafer23.exe
12/02/06 18:47:44 [Note]: 10002 1
12/02/06 18:47:48 [Info]: Hidden file: c:\WINDOWS\system32\kilacln.exe
12/02/06 18:47:48 [Note]: 10002 1
12/02/06 18:47:49 [Info]: Hidden file: c:\WINDOWS\system32\pppcgm.exe
12/02/06 18:47:49 [Note]: 10002 1
12/02/06 18:47:52 [Info]: Hidden file: c:\WINDOWS\system32\dmkhc.exe
12/02/06 18:47:52 [Note]: 7002 5
12/02/06 18:47:52 [Note]: 7003 1
12/02/06 18:47:52 [Note]: 10002 1
12/02/06 18:47:54 [Info]: Hidden file: c:\WINDOWS\system32\{3FAD6375-2C85-493B-8AEA-7992BF3514B4}.exe
12/02/06 18:47:54 [Note]: 7002 5
12/02/06 18:47:54 [Note]: 7003 1
12/02/06 18:47:54 [Note]: 10002 1
12/02/06 18:47:54 [Info]: Hidden file: c:\WINDOWS\system32\{920703CC-D2CB-4E04-B034-A5EBBD5C023E}.exe
12/02/06 18:47:54 [Note]: 7002 5
12/02/06 18:47:54 [Note]: 7003 1
12/02/06 18:47:54 [Note]: 10002 1
12/02/06 18:47:55 [Info]: Hidden file: c:\WINDOWS\system32\{B74D139D-525F-4C14-9474-7A0799E9BEBB}.exe
12/02/06 18:47:55 [Note]: 7002 5
12/02/06 18:47:55 [Note]: 7003 1
12/02/06 18:47:55 [Note]: 10002 1
12/02/06 18:47:55 [Info]: Hidden file: c:\WINDOWS\system32\{C8C1586B-65C0-46F5-B849-D6D33FF793C2}.exe
12/02/06 18:47:55 [Note]: 10002 1
12/02/06 18:47:55 [Info]: Hidden file: c:\WINDOWS\system32\{CA395C48-1465-4E0C-A82E-6789D830C55E}.exe
12/02/06 18:47:55 [Note]: 7002 5
12/02/06 18:47:55 [Note]: 7003 1
12/02/06 18:47:55 [Note]: 10002 1
12/02/06 18:47:56 [Info]: Hidden file: c:\WINDOWS\system32\{E15C0EF8-3271-4047-BC54-1BF68CD8F1ED}.exe
12/02/06 18:47:56 [Note]: 7002 5
12/02/06 18:47:56 [Note]: 7003 1
12/02/06 18:47:56 [Note]: 10002 1
12/02/06 18:51:04 [Note]: 2000 1012
12/02/06 18:51:04 [Note]: 2000 1012
12/02/06 18:52:42 [Note]: 7007 0

02.12.2006, 19:48
Honorary member
Posts: 29434
#4
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in:
Quote
Files to delete:
Click the green traffic light; the script will now be executed, then the PC will restart automatically
** post the Avenger log that appears after the restart here
»» delete the Avenger backup under C:\Avenger\backup.zip + empty the Recycle Bin
««
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'. Exit Program.
««
Download FixWareout
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt - post the report here
----------------------------------------------------------------------------
open HijackThis -- "Scan" button -- tick these entries -- "Fix checked" button -- restart the PC
Quote
O1 - Hosts: localhost 127.0.0.1
restart the PC
My Computer - Control Panel - Network, TCP/IP properties, General tab, tick the option "Obtain an IP address automatically"
85.255.113.130 85.255.112.113 must go!!!
-----------------------------------------------------------------------
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml
1. Click the link "F-Secure Online Scanner Next Generation Beta".
2. You will be prompted to install an ActiveX control
3. Install this ActiveX component
4. Read the instructions and click "Accept"
5. Click "Full System Scan"
6. Click "Show report" - copy the scan report + the new HijackThis log

__________
Regards, Sabina
all about PC security
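The two manual checks in the post above (the O1 hosts entry to fix, and the two resolver addresses that "must go") can be applied to a whole HijackThis log mechanically. The Python script below is an added example; it is not part of the thread and is not code from HijackThis, Fixwareout or any other tool named here. It assumes the O1 and O17 line shapes shown in the thread's logs, treats the two addresses from the post as an analyst-supplied denylist, and goes slightly beyond the thread by also classifying hosts entries that point a name at a non-loopback address. The sample lines are constructed: two are copied from the thread's logs, the third carries a placeholder interface GUID.

```python
"""Triage HijackThis-style O1 (hosts) and O17 (NameServer) lines for DNS hijacks."""
import ipaddress
import re

# Resolver addresses the helper in the thread says "must go". Treated here as
# an analyst-supplied denylist; it is not a complete indicator set.
DENYLISTED_NAMESERVERS = {"85.255.113.130", "85.255.112.113"}

# Line shapes taken from the HijackThis logs quoted in the thread.
O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<first>\S+)\s+(?P<second>\S+)")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return False
    return True


def classify_hosts_entry(first, second):
    """Verdict for one hosts-file entry as HijackThis prints it: "<addr> <name>".

    The thread's suspicious line is "localhost 127.0.0.1": the fields are
    reversed, so it is not a valid mapping at all and should be fixed.
    """
    if not _is_ip(first):
        return "malformed"   # reversed or garbage fields -> fix
    if ipaddress.ip_address(first).is_loopback:
        return "loopback"    # name blackholed; ad-blocking or blocked AV updates -> review
    return "redirect"        # name sent to a foreign address -> fix


def triage(lines, denylist=DENYLISTED_NAMESERVERS):
    """Return (line_no, entry_type, detail, action) for every O1/O17 line."""
    findings = []
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            verdict = classify_hosts_entry(m["first"], m["second"])
            action = "fix" if verdict in ("malformed", "redirect") else "review"
            findings.append((no, "O1", verdict, action))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in m["servers"].split(",") if s]
            bad = sorted(set(servers) & set(denylist))
            if bad:
                findings.append((no, "O17", ",".join(bad), "fix"))
            else:
                # Not denylisted, but still listed so the analyst can confirm
                # the resolvers belong to the user's ISP.
                findings.append((no, "O17", ",".join(servers), "review"))
    return findings


# Constructed sample: lines 1 and 2 are copied from the thread's logs; line 3 is
# constructed with a placeholder interface GUID to carry the denylisted resolvers.
SAMPLE_LOG = [
    "O1 - Hosts: localhost 127.0.0.1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CCA26E55-FD79-49DE-B0FE-46B8C9D248B5}: NameServer = 194.25.2.129,194.25.2.130",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 85.255.113.130,85.255.112.113",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for no, kind, detail, action in triage(SAMPLE_LOG):
        print(f"line {no}: {kind} {detail} -> {action}")
```

Run it directly to get one verdict per line. Entries marked "fix" correspond to what the helper asked to remove; "review" entries only list the configured resolvers so the analyst can check them against the ISP's, which is the same judgement the post makes by hand.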

02.12.2006, 20:21
...new here
Thread starter, Posts: 8
#5
heeeelp... the Avenger logfile doesn't appear after the restart - it should, shouldn't it? Or do I have to open something?
THANKS!
Avenger says: Can not create zip file error 1813
After it has booted up again, C:\Avenger can't be accessed either...
This post was edited on 02.12.2006 at 20:41 by ver_me.

02.12.2006, 20:45
Honorary member
Posts: 29434
#6
paste the script in again, but correctly please (without "Quote" or other errors) - look again on my site at how it's done

__________
Regards, Sabina
all about PC security

02.12.2006, 22:47
...new here
Thread starter, Posts: 8
#7
Hello,
that took a bit longer.... Before I posted here for the first time, I had tried to get rid of KillandClean and a few other applications in the registry by preventing them from running at system restart. That caused problems, which is why I ran System Restore and reset the computer to an earlier state. Now I have carried out all the steps you recommended again.
Blacklight (1)
Combofix (2)
Cleanup (3) ["Delete Prefetch Files" was greyed out, so it couldn't be selected]
datfind (4)
With Avenger (5) it says "cannot create zip file" and nothing could be executed, so I have attached the logfile.
Hoster (6) error message: "grid index out of range"
Fixwareout (7)
Hijackthis (8) (new version)
Many thanks for your support. I had almost given up hope..

Here are the logs:

Blacklight (1):
12/02/06 21:49:20 [Info]: BlackLight Engine 1.0.47 initialized
12/02/06 21:49:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/02/06 21:49:20 [Note]: 7019 4
12/02/06 21:49:20 [Note]: 7005 0
12/02/06 21:49:52 [Note]: 7006 0
12/02/06 21:49:52 [Note]: 7011 1872
12/02/06 21:49:52 [Note]: 7026 0
12/02/06 21:49:52 [Note]: 7026 0
12/02/06 21:49:59 [Note]: FSRAW library version 1.7.1020
12/02/06 21:59:21 [Note]: 7007 0

Combofix (2):
Joe - 06-12-02 21:42:07,71 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Dokumente und Einstellungen\Joe\Desktop\antivir"

((((((((((((((((((((((((((((((( Files Created from 2006-11-02 to 2006-12-02 ))))))))))))))))))))))))))))))))))

2006-12-02 21:12 <DIR> d-------- C:\fixwareout
2006-12-02 21:04 51,270 --a------ C:\WINDOWS\system32\csppr.exe
2006-12-02 20:57 60,416 --a------ C:\WINDOWS\system32\drivers\fceisugy.sys
2006-12-02 20:57 1,080 --a------ C:\vnbnsplm.bat
2006-12-02 20:56 60,416 --a------ C:\WINDOWS\system32\drivers\rpnbinni.sys
2006-12-02 20:56 1,080 --a------ C:\ffftsfmt.bat
2006-12-02 20:45 <DIR> d-------- C:\Programme\CleanUp!
2006-12-02 20:38 60,416 --a------ C:\WINDOWS\system32\drivers\rpqnakcr.sys
2006-12-02 20:38 1,080 --a------ C:\inojfqnv.bat
2006-12-02 20:15 60,416 --a------ C:\WINDOWS\system32\drivers\wpbqglmb.sys
2006-12-02 20:15 1,080 --a------ C:\moembpbk.bat
2006-12-02 20:02 60,416 --a------ C:\WINDOWS\system32\drivers\bmyybiay.sys
2006-12-02 20:02 126,976 --a------ C:\zip.exe
2006-12-02 20:02 1,080 --a------ C:\phwlqfrs.bat
2006-12-02 20:01 <DIR> d-------- C:\Avenger

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-02 21:05 -------- d-------- C:\Programme\Veoh
2006-12-02 09:17 -------- d-------- C:\Programme\mirc
2006-10-21 16:27 -------- d-------- C:\Programme\a-squared Anti-Malware

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"LTSMMSG"="LTSMMSG.exe"
"SigmaTel StacMon"="C:\\Programme\\SigmaTel\\SigmaTel AC97 Audio-Treiber\\stacmon.exe"
"SynTPLpr"="C:\\Programme\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Programme\\Synaptics\\SynTP\\SynTPEnh.exe"
"TFNF5"="TFNF5.exe"
"TouchED"="C:\\Programme\\TOSHIBA\\TouchED\\TouchED.Exe"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"TPSMain"="TPSMain.exe"
"TFncKy"="C:\\Programme\\TOSHIBA\\TOSHIBA Controls\\TFncKy.exe"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"KernelFaultCheck"="C:\\WINDOWS\\system32\\dumprep 0 -k"
"TkBellExe"="\"C:\\Programme\\K-Lite Codec Pack\\real\\Update_OB\\realsched.exe\" -osboot"
"DXM6Patch_981116"="C:\\WINDOWS\\p_981116.exe /Q:A"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Adobe Photo Downloader"="\"C:\\Programme\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Zone Labs Client"="C:\\Programme\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"IntelZeroConfig"="\"C:\\Programme\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Programme\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"EOUApp"="\"C:\\Programme\\Intel\\Wireless\\Bin\\EOUWiz.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\System32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\System32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="\"C:\\Programme\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Steam"="C:\\Valve\\Steam\\Steam.exe -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="\"C:\\Programme\\Winamp\\Winampa.exe\""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-02 21:43:47.79
C:\ComboFix.txt ... 06-12-02 21:43
C:\ComboFix2.txt ... 06-12-02 19:22
C:\ComboFix3.txt ... 06-12-02 19:12

datfind (4)

(a) System32:
02.12.2006 22:25 48.882 vsconfig.xml
02.12.2006 21:35 1.158 wpa.dbl
02.12.2006 21:34 139.648 FNTCACHE.DAT
02.12.2006 21:33 102.641 ikhcore.log
11.11.2006 11:00 374.398 perfh009.dat
11.11.2006 11:00 384.790 perfh007.dat
11.11.2006 11:00 50.866 perfc009.dat
11.11.2006 11:00 61.492 perfc007.dat
11.11.2006 11:00 879.502 PerfStringBackup.INI
26.07.2006 23:20 4.212 zllictbl.dat

(b) System temp is empty!

(c) windows:
02.12.2006 22:25 1.336.758 WindowsUpdate.log
02.12.2006 22:25 50 wiaservc.log
02.12.2006 22:25 159 wiadebug.log
02.12.2006 22:25 0 0.log
02.12.2006 22:24 2.048 bootstat.dat
02.12.2006 21:44 140.166 setupapi.log
02.12.2006 20:37 702 win.ini
02.12.2006 20:37 227 system.ini
02.12.2006 19:21 990.468 ntbtlog.txt
02.12.2006 10:05 132 winamp.ini
02.12.2006 09:22 116 NeroDigital.ini
28.11.2006 19:20 2.563.254 ACD Wallpaper.cmp
16.08.2006 17:43 49.620 wmsetup.log

(d) temp
Verzeichnis von C:\WINDOWS\Temp
02.12.2006 22:25 256 ZLT04137.TMP
02.12.2006 22:25 256 ZLT04134.TMP
2 Datei(en) 512 Bytes

(e) Downloaded Program Files
Verzeichnis von C:\WINDOWS\Downloaded Program Files
29.07.2006 09:48 2.072 vscanmsx.dat
[Haven't been online with this thing for quite a while now...]

(f)
Verzeichnis von C:\
02.12.2006 22:39 0 sys.txt
02.12.2006 22:38 2.097 down.txt
02.12.2006 22:37 327 tmp.txt
02.12.2006 22:36 14.260 system.txt
02.12.2006 22:35 131 systemtemp.txt
02.12.2006 22:33 111.266 system32.txt
02.12.2006 22:24 535.810.048 hiberfil.sys
02.12.2006 22:24 805.306.368 pagefile.sys
02.12.2006 22:24 25.236 avenger.txt
02.12.2006 21:43 7.314 ComboFix.txt
02.12.2006 20:57 1.080 vnbnsplm.bat
02.12.2006 20:56 1.080 ffftsfmt.bat
02.12.2006 20:38 1.080 inojfqnv.bat
02.12.2006 20:37 211 boot.ini
02.12.2006 20:15 1.080 moembpbk.bat
02.12.2006 20:02 1.080 phwlqfrs.bat
02.12.2006 19:22 97 ComboFix2.txt
02.12.2006 19:12 137 ComboFix3.txt
01.07.2006 10:26 12.404.748 AVG7QT.DAT
25.06.2006 17:56 268 sqmdata01.sqm
25.06.2006 17:56 244 sqmnoopt01.sqm
24.06.2006 13:41 244 sqmnoopt00.sqm
24.06.2006 13:41 268 sqmdata00.sqm
11.11.2005 14:48 13.030 PDOXUSRS.NET
11.04.2005 19:14 0 COMLOG.txt
05.10.2004 08:55 47.564 NTDETECT.COM
05.10.2004 08:55 251.184 ntldr
25.08.2004 15:24 142 debugInstaller.txt

Fixwareout (7)
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSPPR.EXE

»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSPPR.EXE 51.270 2006-07-01

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

Hijackthis (8)
Logfile of HijackThis v1.99.1
Scan saved at 23:21:56, on 02.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Advanced Registry Doctor\RegManServ.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\LTSMMSG.exe
C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Joe\LOKALE~1\Temp\Rar$EX00.168\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\Programme\FolderBox\FolderBox.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Programme\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O12 - Plugin for .m4p: C:\Programme\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://www.onlineumfragen.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124374654116
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCA26E55-FD79-49DE-B0FE-46B8C9D248B5}: NameServer = 194.25.2.129,194.25.2.130
O18 - Protocol: Festoon - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Programme\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again...
Best regards, ver_me
Attachment: avenger.txt
This post was edited on 02.12.2006 at 23:25 by ver_me.

03.12.2006, 11:12
Honorary member
Posts: 29434
#8
delete with the killbox:
http://virus-protect.org/killbox.html
C:\WINDOWS\system32\csppr.exe
C:\vnbnsplm.bat
C:\ffftsfmt.bat
C:\inojfqnv.bat
C:\moembpbk.bat
C:\phwlqfrs.bat
restart the PC
** scan and post the scan report
http://virus-protect.org/artikel/tools/superantispyware.html

__________
Regards, Sabina
all about PC security

03.12.2006, 16:49
...new here
Thread starter, Posts: 8
#9
A wonderful good evening,
attached are the logs from Killbox (1) and SUPERantispyware (2). What about Hoster and, above all, Avenger? Are they no longer needed? SUPERantispyware has found the Favorites too...

Killbox (1)
Pocket Killbox version 2.0.0.648
Running on Windows XP as Joe(Administrator)
was started @ Sonntag, Dezember 03, 2006, 3:21 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\csppr.exe
# 2 [Delete on Reboot]
Path = C:\vnbnsplm.bat
# 3 [Delete on Reboot]
Path = C:\ffftsfmt.bat
# 4 [Delete on Reboot]
Path = C:\inojfqnv.bat
# 5 [Delete on Reboot]
Path = C:\moembpbk.bat
# 6 [Delete on Reboot]
Path = C:\phwlqfrs.bat

I Rebooted @ 3:55:54 PM
Killbox Closed(Exit) @ 3:56:02 PM
__________________________________________________

SUPERantispyware (2)
SUPERAntiSpyware Scan Log
Generated 12/03/2006 at 04:17 PM

Application Version : 3.3.1020
Core Rules Database Version : 3141
Trace Rules Database Version: 1157

Scan type : Complete Scan
Total Scan Time : 00:07:06

Memory items scanned : 444
Memory Thread detected : 0
Registry items scanned : 6029
Registry Thread detected : 0
File items scanned : 442
File Thread detected : 30

Adware.Tracking Cookie
C:\Dokumente und Einstellungen\Joe\Cookies\joe@rambler[2].txt
C:\Dokumente und Einstellungen\Joe\Cookies\joe@atwola[1].txt

Browser Hijacker.Favorites
C:\Dokumente und Einstellungen\Joe\Favoriten\Download Free Spyware Remover.url
C:\Dokumente und Einstellungen\Joe\Favoriten\NEW VIAGRA at Half Price!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Chat With Nude Girls.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Order CIALIS online without leaving home..url
C:\Dokumente und Einstellungen\Joe\Favoriten\PC protection in under 2 minutes!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\SEX Dating - Real Girls For Real SEX.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Stop PopUps On Your Computer.url
C:\Dokumente und Einstellungen\Joe\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\View ADULT photos of REAL GIRLS!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy\CHEAPEST VIAGRA ONLINE.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy\Cialis at HALF PRICE!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy\Fast Way To Loose Your Weight!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy\Guaranteed low price at Pills..url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy\SOMA at Special LOW PRICE.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy\Tramadol Special Offer!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy\Try New VIAGRA! Works Faster and Longer!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Online Pharmacy
C:\Dokumente und Einstellungen\Joe\Favoriten\Sex and Dating\Meet Girls Who Want To Get Laid!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Sex and Dating\Meet Horny Girls In Your Area!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Sex and Dating\Read profiles and Chat With Nude Girls!.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Sex and Dating\SEX Dating - people looking for SEX.url
C:\Dokumente und Einstellungen\Joe\Favoriten\Sex and Dating\View XXX photos of Real Sexy Girls..url
C:\Dokumente und Einstellungen\Joe\Favoriten\Sex and Dating
C:\Dokumente und Einstellungen\Joe\Favoriten\Spyware Uninstall\Easy Detect and Uninstall Spyware..url
C:\Dokumente und Einstellungen\Joe\Favoriten\Spyware Uninstall\Free Spyware Scanner..url
C:\Dokumente und Einstellungen\Joe\Favoriten\Spyware Uninstall\Search & Destroy Annoying Adware..url
C:\Dokumente und Einstellungen\Joe\Favoriten\Spyware Uninstall\Stop PopUps on your PC..url
C:\Dokumente und Einstellungen\Joe\Favoriten\Spyware Uninstall

Finally back online with the computer too...
Many thanks and best regards, ver_me

03.12.2006, 17:07
Honorary member
Posts: 29434
#10
that already looks good
post this log: http://virus-protect.org/silentrunner.html

__________
Regards, Sabina
all about PC security

03.12.2006, 17:30
...new here
Thread starter, Posts: 8
#11
Here it is:
I'm so glad it's been working so well so far....

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SUPERAntiSpyware" = "C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"LTSMMSG" = "LTSMMSG.exe" ["LT"]
"SigmaTel StacMon" = "C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe" ["SigmaTel Inc."]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"TFNF5" = "TFNF5.exe" ["TOSHIBA Corp."]
"TouchED" = "C:\Programme\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]
"00THotkey" = "C:\WINDOWS\System32\00THotkey.exe" ["TOSHIBA Corp."]
"000StTHK" = "000StTHK.exe" [null data]
"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
"TFncKy" = "C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe" ["TOSHIBA Corporation"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"TkBellExe" = ""C:\Programme\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot" [file not found]
"DXM6Patch_981116" = "C:\WINDOWS\p_981116.exe /Q:A" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Adobe Photo Downloader" = ""C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" [file not found]
"IntelZeroConfig" = ""C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = ""C:\Programme\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
"!AVG Anti-Spyware" = ""C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]
"Zone Labs Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
       \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
       \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\Programme\FolderBox\FolderBox.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
       \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
       \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
  -> {HKLM...CLSID} = "Desktop-Explorer"
       \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"
  -> {HKLM...CLSID} = "TouchShellExt Class"
       \InProcServer32\(Default) = "C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
       \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
       \InProcServer32\(Default) = "C:\Programme\K-Lite Codec Pack\Media Player Classic\rpshell.dll" ["RealNetworks, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
       \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{C5098102-EAF2-493A-883A-B7B751B21534}" = "FolderBox Shell Extensions"
  -> {HKLM...CLSID} = "FolderBox Shell Extensions"
       \InProcServer32\(Default) = "C:\Programme\FolderBox\FolderBoxShell.dll" [file not found]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
       \InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
       \InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson Datei-Manager"
  -> {HKLM...CLSID} = "Sony Ericsson Datei-Manager"
       \InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
       \InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
       \InProcServer32\(Default) = "C:\Programme\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Programme\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
       \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
       \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
       \InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Anti-Spyware 
7.5\context.dll" ["Anti-Malware Development a.s."] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] CIB pdf brewer\(Default) = "{9CB3ED0A-1CFA-11D9-9A43-000476F770CC}" -> {HKLM...CLSID} = "CIBpdfBrContextMenu Class" \InProcServer32\(Default) = "C:\Programme\CIB software GmbH\CIB pdf brewer\CIBpdfBrContextMenu.dll" ["CIB software GmbH, München"] ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}" -> {HKLM...CLSID} = "IMMenuShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\INCRED~1\bin\ImShExt.dll" ["IncrediMail, Ltd."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."] ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] {C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}" -> {HKLM...CLSID} = "FolderBox Shell Extensions" \InProcServer32\(Default) = "C:\Programme\FolderBox\FolderBoxShell.dll" [file not found] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ 
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] {C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}" -> {HKLM...CLSID} = "FolderBox Shell Extensions" \InProcServer32\(Default) = "C:\Programme\FolderBox\FolderBoxShell.dll" [file not found] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Dokumente und Einstellungen\Joe\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS] Startup items in "Joe" & "All Users" startup folders: 
----------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided) -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {3F5A62E2-51F2-11D3-A075-CC7364CAE42B}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Folder Box" \InProcServer32\(Default) = "C:\Programme\FolderBox\FolderBox.dll" [file not found] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ 
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Recherchieren" {B863453A-26C3-4E1F-A54D-A2CD196348E9}\ "ButtonText" = "ICQ Lite" "MenuText" = "ICQ Lite" "Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided) -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe" [null data] ConfigFree Service, CFSvcs, "C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"] DVD-RAM_Service, 
DVD-RAM_Service, "C:\WINDOWS\System32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."] HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]} Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"] Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"] Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "] NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] Registry Management Service, RegManServ, "C:\Programme\Advanced Registry Doctor\RegManServ.exe" [null data] TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] ---------- <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 26 seconds) |
03.12.2006, 18:46
Honorary member
Posts: 29434
#12
avenger
Quote:
registry keys to delete:

post the Avenger report after the restart - I don't know whether I created the script correctly.............
__________
Kind regards, Sabina
all about PC security
03.12.2006, 20:05
...new here
Thread starter, Posts: 8
#13
Hi,
Regarding software: are you allowed to give recommendations? Should I keep SUPERAntiSpyware running in the background all the time (e.g. instead of the AVG counterpart)?

Here is the Avenger script:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\scq^ludo

*******************

Script file located at: \??\C:\WINDOWS\kjnmrmbo.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C5098102-EAF2-493A-883A-B7B751B21534} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C5098102-EAF2-493A-883A-B7B751B21534} failed!
Status: 0xc0000034

Registry key HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\{C5098102-EAF2-493A-883A-B7B751B21534} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

I assume passwords should now generally be changed across the board?
03.12.2006, 23:54
Honorary member
Posts: 29434
#14
You don't need to change any passwords - everything should be OK again.
This type of infection consists of redirecting the internet connection and the browser to pages chosen by its creators - that is how they make money..
If there are any further problems, get in touch.
Greetings from Lisbon
__________
Kind regards, Sabina
all about PC security
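The redirection Sabina describes shows up in the thread's own HijackThis log as O17 NameServer overrides, next to an R3 URLSearchHook whose DLL is missing and O4 Run entries that are bare file names. The following triage script is an added example, not code from the thread, from HijackThis or from any of the tools used here: it parses those three HijackThis line formats and reports the patterns a responder would check first. The allowlist of resolvers is an assumption (adjust it to the network in question); the sample lines are copied from the log posted in this thread.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread).

Reports three patterns present in the log posted above:
  * an R3 URLSearchHook whose DLL is reported "(file missing)",
  * an O4 Run entry that is a bare file name with no directory (Windows
    resolves it through the search path, so the binary that actually runs
    has to be located on disk and checked by hand), and
  * an O17 NameServer override whose resolvers are not on the operator's
    allowlist (the mechanism behind the browser redirection in this thread).
"""
import ipaddress
import re

# Constructed allowlist of resolvers this machine is expected to use.
# Assumption for the example; replace with the DHCP/ISP resolvers you know.
EXPECTED_RESOLVERS = (
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
)

R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<title>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def is_bare_name(cmd: str) -> bool:
    """True when the program has neither a drive letter nor a directory component."""
    exe = executable_of(cmd)
    return "\\" not in exe and ":" not in exe


def unexpected_resolvers(servers: str) -> list[str]:
    """Return the NameServer tokens that are not inside EXPECTED_RESOLVERS."""
    bad = []
    for token in servers.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            bad.append(token)  # not even an IP address: report it as well
            continue
        if not any(addr in net for net in EXPECTED_RESOLVERS):
            bad.append(token)
    return bad


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (section, finding) pairs for every suspicious line in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R3_RE.match(line)
        if m:
            if m.group("path").endswith("(file missing)"):
                findings.append(("R3", f"URLSearchHook {m.group('clsid')} loads a missing file: {m.group('path')}"))
            continue
        m = O4_RE.match(line)
        if m:
            if is_bare_name(m.group("cmd")):
                findings.append(("O4", f"{m.group('hive')} Run [{m.group('name')}] is a bare file name: "
                                       f"{executable_of(m.group('cmd'))}; locate it on disk and verify the publisher"))
            continue
        m = O17_RE.match(line)
        if m:
            bad = unexpected_resolvers(m.group("servers"))
            if bad:
                findings.append(("O17", f"NameServer override in {m.group('key')} points to "
                                        f"{' '.join(bad)}; compare with the DHCP/ISP resolvers"))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: (no name) - {839B455D-E25F-ABA0-BE07-3A8CFCA913F9} - teqq32.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ERTYDF] keybdll.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
"""

if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG):
        print(f"[{section}] {finding}")
```

A bare-name O4 finding is a prompt to look, not a verdict: the log above shows that TPSMain.exe is a legitimate Toshiba entry, so the check only narrows down which Run entries need their on-disk binary located and its publisher confirmed. The O17 check is the one that maps directly to the redirection mechanism, and a NameServer value that the user never configured is the thing to compare against what the router or ISP hands out.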
04.12.2006, 09:18
...new here
Thread starter, Posts: 8
#15
Many, many thanks,
I'm really relieved and glad that you helped me so well. I only ever use Opera; are such 'redirections' then also carried out (in the background), or does nothing happen? Does anything need to be done separately for Opera?
Lisbon? Enviable. Here in Hamburg we are certainly not so blessed with good weather...
Best wishes and a merry Christmas season!
ver_me
I have been having problems with my laptop for some time.
All virus scanners crash, or find something after several hours but don't repair anything.
I then wanted to shovel the data onto an external hard drive and wipe the machine, but Explorer freezes.
Applications such as a hijack folder placed on the desktop cannot be started (only from the USB stick).
Here is the log file:
Logfile of HijackThis v1.99.1
Scan saved at 09:13:21, on 02.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Advanced Registry Doctor\RegManServ.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Veoh\VeohClientService.exe
C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Joe\LOKALE~1\Temp\Rar$EX21.379\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: (no name) - {839B455D-E25F-ABA0-BE07-3A8CFCA913F9} - teqq32.dll (file missing)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\Programme\FolderBox\FolderBox.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Programme\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Programme\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [ERTYDF] keybdll.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Programme\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O12 - Plugin for .m4p: C:\Programme\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://www.onlineumfragen.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124374654116
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O18 - Protocol: Festoon - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Programme\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Programme\Veoh\VeohClientService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe