critical system errors

#1 Moin, Ich hab mir "critical system errors" eingefangen. Kann mir jemand helfen es wieder loszuwerden? Ich hab sehr wenig Ahnung von solchen Sachen!!!
Ich habe mich an anderen Beiträgen orientiert und schon etwas "Vorgearbeitet".



biLogfile of HijackThis v1.99.1
Scan saved at 18:30:11, on 15.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Video ActiveX Object\pmsngr.exe
C:\Programme\Video ActiveX Object\isamonitor.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\Programme\Video ActiveX Object\pmmon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Video ActiveX Object\isamini.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\DitExp.exe
C:\Programme\FRITZ!DSL\StCenter.exe
C:\WINDOWS\CNYHKey.exe
C:\Programme\deGruyter\Pschyrembel\bin\LibInst.Gui.exe
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programme\Java\jre1.5.0_07\bin\jucheck.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\tom\LOKALE~1\Temp\Rar$EX00.047\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R3 - URLSearchHook: (no name) - {2B4D2DD2-73E9-CBCF-6045-E5BD050744FD} - prcmon.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Programme\Video ActiveX Object\isaddon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Programme\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmvzb.exe] C:\WINDOWS\system32\dmvzb.exe
O4 - HKLM\..\Run: [ExchangeMaster] Dest068.exe
O4 - HKLM\..\Run: [TorontoMail] prgsys0984.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [kis] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EXE32EXE] msag.exe
O4 - HKCU\..\Run: [backorif] TForm1.exe
O4 - HKCU\..\Run: [killall] utsgmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe
O4 - Global Startup: Kontrollfeld für die kabellose Tastatur.lnk = C:\WINDOWS\CNYHKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\powerpoint\Office10\OSA.EXE
O4 - Global Startup: NXT Library Installer.lnk = C:\Programme\deGruyter\Pschyrembel\bin\LibInst.Gui.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {84FAA847-1400-4400-BC93-D338EF03127B} - http://www.medionshop.de/ (file missing) (HKCU)
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{424D0D13-EFD8-430C-9852-8B333A4E5A44}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{425C4A54-0E8B-41F5-93FF-01612312F4A7}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{49831CA8-3C1B-4189-8D39-4D4E774FA205}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0E6429-87B0-46CB-A610-04092D7CBA28}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C894BE4-8446-408C-9335-96106BBEE9D8}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{A97069D5-B17F-42C2-AAFE-91BEC3A473E2}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC382372-5EC4-434D-846F-51E94F7804AF}: NameServer = 85.255.116.110
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

tom - 06-12-15 19:00:21,65 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Dokumente und Einstellungen\tom\Eigene Dateien\Eigene Downloads"

((((((((((((((((((((((((((((((( Files Created from 2006-11-15 to 2006-12-15 ))))))))))))))))))))))))))))))))))


2006-12-15 18:51 <DIR> d-------- C:\Programme\CleanUp!
2006-12-15 16:25 19,456 --a------ C:\WINDOWS\system32\qrzsyr.dll
2006-12-15 16:24 <DIR> d-------- C:\Programme\Video ActiveX Object
2006-12-14 15:12 <DIR> d-------- C:\Programme\Kaspersky Lab
2006-12-14 15:12 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2006-11-15 01:35 <DIR> d-------- C:\Programme\MSXML 4.0


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-15 18:57 -------- d-------- C:\Dokumente und Einstellungen\tom\Anwendungsdaten\FRITZ!
2006-12-15 16:41 -------- d-------- C:\Programme\AOL 8.0
2006-12-15 13:40 18612 --a------ C:\Dokumente und Einstellungen\tom\Anwendungsdaten\wklnhst.dat
2006-12-15 11:25 -------- d-------- C:\Programme\Call of Duty
2006-12-15 01:41 -------- d-------- C:\Programme\Internet Explorer
2006-12-15 01:40 -------- d-------- C:\Programme\Outlook Express
2006-12-14 17:25 61584 --a------ C:\WINDOWS\system32\drivers\klick.sys
2006-12-14 17:25 59536 --a------ C:\WINDOWS\system32\drivers\klin.sys
2006-12-07 07:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-08 06:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-31 14:23 -------- d-------- C:\Programme\Google
2006-10-20 15:44 -------- d-------- C:\Programme\PokerStars.NET
2006-10-20 02:38 715776 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 13:35 146432 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"
"EXE32EXE"="msag.exe"
"backorif"="TForm1.exe"
"killall"="utsgmon.exe"
"swg"="C:\\Programme\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"Dit"="Dit.exe"
"CHotkey"="mHotkey.exe"
"PCMService"="\"C:\\Programme\\Medion Home Cinema XL II\\PowerCinema\\PCMService.exe\""
"PRISMSTA.EXE"="PRISMSTA.EXE START"
"Microsoft Works Update Detection"="C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"EPSON Stylus C86 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0R2.EXE /P23 \"EPSON Stylus C86 Series\" /O6 \"USB001\" /M \"Stylus C86\""
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="C:\\Programme\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"dmvzb.exe"="C:\\WINDOWS\\system32\\dmvzb.exe"
"ExchangeMaster"="Dest068.exe"
"TorontoMail"="prgsys0984.exe"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"kis"="\"C:\\Programme\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{01b55afa-f451-474b-9e91-c35b24d02641}"="boob"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"isamonitor.exe"="C:\\Programme\\Video ActiveX Object\\isamonitor.exe"
"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\%s"="C:\\Programme\\Video ActiveX Object\\isamonitor.exe"
"isamini.exe"="C:\\Programme\\Video ActiveX Object\\isamonitor.exe"
"pmsngr.exe"="C:\\Programme\\Video ActiveX Object\\pmsngr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-15 19:01:43.28
C:\ComboFix.txt ... 06-12-15 19:01

#2 adi06

die internetverbindung wird auf einen Server in die Ukraine umgeleitet.... - kein Wunder - wer den UnSpyPC laedt, zerstoert sich den Rechner

1.
scanne und poste dieses log
http://virus-protect.org/artikel/tools/fixwareout.html

2.
poste dieses log
http://www.f-secure.com/blacklight/
starte die Datei, nimm die Lizenzbestimmung an und waehle scan, wenn es mit dem Scan fertig ist, druecke next und danach close. Nun befindet sich im selben Ordner von Blacklight eine FSB*.TXT Datei
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Moin,



Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="cssxs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\bzvmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Random Runs removed from HKLM
"dmvzb.exe"=-
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""

...




F-Secure:
12/16/06 11:40:46 [Info]: BlackLight Engine 1.0.47 initialized
12/16/06 11:40:46 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/16/06 11:40:47 [Note]: 7019 4
12/16/06 11:40:47 [Note]: 7005 0
12/16/06 11:40:50 [Note]: 7006 0
12/16/06 11:40:50 [Note]: 7011 1732
12/16/06 11:40:51 [Note]: 7026 0
12/16/06 11:40:51 [Note]: 7026 0
12/16/06 11:41:06 [Note]: FSRAW library version 1.7.1020
12/16/06 11:51:43 [Note]: 2000 1012
12/16/06 11:51:43 [Note]: 2000 1012
12/16/06 11:52:06 [Note]: 7007 0

#4 adi06

1.
arbeite das avenger script und smitfraudfix ab - poste hier das log von smitfraudfix ...interessiert mich, ob etwas ausgeloescht wird, was ich nicht im avengerscript habe..
http://virus-protect.org/artikel/spyware/videoactivexobject.html

2.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

UnSpyPC

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

{2B4D2DD2-73E9-CBCF-6045-E5BD050744FD}

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

____________________________________________________________________________________

3.
öffne das HijackThis -- Button "scan" -- vor diese Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

R3 - URLSearchHook: (no name) - {2B4D2DD2-73E9-CBCF-6045-E5BD050744FD} - prcmon.dll (file missing)

O1 - Hosts: localhost 127.0.0.1

O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Programme\Video ActiveX Object\isaddon.dll

O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Programme\Video ActiveX Object\iesplugin.dll

O4 - HKLM\..\Run: [dmvzb.exe] C:\WINDOWS\system32\dmvzb.exe
O4 - HKLM\..\Run: [ExchangeMaster] Dest068.exe
O4 - HKLM\..\Run: [TorontoMail] prgsys0984.exe

O4 - HKCU\..\Run: [EXE32EXE] msag.exe
O4 - HKCU\..\Run: [backorif] TForm1.exe
O4 - HKCU\..\Run: [killall] utsgmon.exe

O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)

O17 - HKLM\System\CCS\Services\Tcpip\..\{424D0D13-EFD8-430C-9852-8B333A4E5A44}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{425C4A54-0E8B-41F5-93FF-01612312F4A7}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{49831CA8-3C1B-4189-8D39-4D4E774FA205}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0E6429-87B0-46CB-A610-04092D7CBA28}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C894BE4-8446-408C-9335-96106BBEE9D8}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{A97069D5-B17F-42C2-AAFE-91BEC3A473E2}: NameServer = 85.255.116.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC382372-5EC4-434D-846F-51E94F7804AF}: NameServer = 85.255.116.110

PC neustarten

»»
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

»»
scanne noch mal mit Fixwareout

««
poste das neue log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Ergebnisse von regsearch " unspypc"

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 16.12.2006 17:27:53 for strings:
; '
unspypc


unspypc

unspypc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


Die andren Ergebnisse:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 16.12.2006 17:32:48 for strings:
; '{2b4d2dd2-73e9-cbcf-6045-e5bd050744fd}
{2b4d2dd2-73e9-cbcf-6045-e5bd050744fd}
{2b4d2dd2-73e9-cbcf-6045-e5bd050744fd}
{2b4d2dd2-73e9-cbcf-6045-e5bd050744fd}
{2b4d2dd2-73e9-cbcf-6045-e5bd050744fd}
{2b4d2dd2-73e9-cbcf-6045-e5bd050744fd}
{2b4d2dd2-73e9-cbcf-6045-e5bd050744fd}
'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

#6 o.k. nun arbeite den rest ab
dann poste das neue log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Ich war gerade bei Schritt 3, neustart :-)

Zu Schritt 1: Das avenger script kann ich nicht öffnen!
Es erfolgt folgende Meldung: Error: could not open scriptfile. Please verify that path name is valia and file exists.


smitfraudfix - ich hab da mal alles angeklickt aber es ist eigentlich nichts passiert.

Schritt 2: ohne Probleme

Schritt 3: folgende Dateien konnte ich kein Häckchen vormachen!

O1 - Hosts: localhost 127.0.0.1

O4 - HKLM\..\Run: [dmvzb.exe] C:\WINDOWS\system32\dmvzb.exe

O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)

Ich werde jetzt die weiteren Schritte durchgehen!
---------------------------
An dieser Stelle möchte ich mich schon mal für die eidrucksvolle Hilfe bedanken!!!!!
------------------------------




Schritt 4:
Press 'Restore Original Hosts' and press 'OK' Exit Program.

Diese Funktion kann ich in dem angegebenen Programm nicht betätigen!

#8 o.k.
poste das neue log vom HijackThis nach neustart
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Die letzten beiden Schritte:



Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""

...
...
Reg Entries that were deleted
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...






Logfile of HijackThis v1.99.1
Scan saved at 18:09:24, on 16.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\DitExp.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\FRITZ!DSL\StCenter.exe
C:\WINDOWS\CNYHKey.exe
C:\Programme\deGruyter\Pschyrembel\bin\LibInst.Gui.exe
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\tom\LOKALE~1\Temp\Rar$EX00.390\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [kis] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe
O4 - Global Startup: Kontrollfeld für die kabellose Tastatur.lnk = C:\WINDOWS\CNYHKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\powerpoint\Office10\OSA.EXE
O4 - Global Startup: NXT Library Installer.lnk = C:\Programme\deGruyter\Pschyrembel\bin\LibInst.Gui.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MedionShop - {84FAA847-1400-4400-BC93-D338EF03127B} - http://www.medionshop.de/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

#10 scanne und poste den scanreport
http://virus-protect.org/counterspy.html
__________
MfG Sabina

rund um die PC-Sicherheit

#11 So, da sind die Ergebnisse!
( Bitte gib mir weitere Anweisungen, ich bin ab Sonntag Abend ca. 23-24 Uhr wieder online. Ich wünsch dir noch ein schönes Wochenende!!!!!)

Spyware Scan Details
Start Date: 16.12.2006 18:24:43
End Date: 16.12.2006 18:55:37
Total Time: 30 mins 54 secs

Detected spyware

Trojan-Downloader.Zlob.Media-Codec Trojan Downloader more information...
Details: Trojan-Downloader.Zlob.Media-Codec is a program that typically purports to be a needed upgrade to Windows Media Player in order to view adult oriented videos on certain websites. However, Trojan-Downloader.Zlob.Media-Codec actually downloads and installs
Status: Ignored

Infected files detected
c:\programme\video activex object\iesplugin.dll
c:\programme\video activex object\iesuninst.exe
c:\programme\video activex object\isaddon.dll
c:\programme\video activex object\isamini.exe
c:\programme\video activex object\isamonitor.exe
c:\programme\video activex object\isauninst.exe
c:\programme\video activex object\ot.ico
c:\programme\video activex object\pmmon.exe
c:\programme\video activex object\pmsngr.exe
c:\programme\video activex object\pmuninst.exe
c:\programme\video activex object\ts.ico
c:\programme\video activex object\uninst.exe
c:\windows\system32\qrzsyr.dll

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 DisplayName Internet Explorer Security Plugin 2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 UninstallString "C:\Programme\Video ActiveX Object\iesuninst.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On DisplayName Internet Security Add-On
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On UninstallString "C:\Programme\Video ActiveX Object\isauninst.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 DisplayName Public Messenger ver 2.03
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 UninstallString "C:\Programme\Video ActiveX Object\pmuninst.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object URLInfoAbout www.mediaobjectsource.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayVersion 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayName Video ActiveX Object 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object ProductionEnvironment 1
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2}
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2}\InprocServer32 C:\Programme\Video ActiveX Object\iesplugin.dll
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2} Protection Bar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object ProductionEnvironment 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayName Video ActiveX Object 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object UninstallString C:\Programme\Video ActiveX Object\uninst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayIcon C:\Programme\Video ActiveX Object\uninst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayVersion 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object URLInfoAbout www.mediaobjectsource.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object Publisher Video ActiveX Object Software


WindUpdates Browser Plug-in more information...
Details: WindUpdates is an adware application that installs as a browser plug-in and displays advertising on the desktop.
Status: Ignored

Infected files detected
c:\windows\system32\ide21201.vxd


DesktopScam Trojan Downloader more information...
Details: DesktopScam is a trojan that is downloaded with rogue security applicatons in order to frighten the affected user into purchasing the rogue program.
Status: Ignored

Infected files detected
c:\dokumente und einstellungen\all users\startmenü\security troubleshooting.url
c:\dokumente und einstellungen\all users\startmenü\online security guide.url
C:\Programme\Video ActiveX Object\ot.ico
C:\Programme\Video ActiveX Object\ts.ico


WindUpdates.MediaAccess Adware (General) more information...
Details: WindUpdates.MediaAccess is an adware program that spawns pop-ups on the desktop.
Status: Ignored

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Media Gateway
HKEY_LOCAL_MACHINE\SOFTWARE\Media Gateway zuk 0
HKEY_LOCAL_MACHINE\SOFTWARE\Media Gateway param 44a1a4a27909f8aaff7b21c72438955b4d8628c0d8d700197d9caef468e79771118a8648139344919bb65f:6435353235363637306562613837363639383437383934333034306261623961:msie:6:0:win:winxp:sp1:javascript


WindUpdates.MediaGateway Adware (General) more information...
Details: WindUpdates.MediaGateway is an adware application that displays advertising on the desktop, usually pop-ups.
Status: Ignored

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739}
HKEY_CLASSES_ROOT\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739} rsp 1261DF03704B669CC5A3E23076B1D38CD8141004


Trojan-Downloader.Win32.Banload.bkm Trojan Downloader more information...
Status: Ignored

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations


Cookie: Browseraccelerator Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Ignored

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@atdmt[2].txt


Cookie: ABetterInternet.Aurora Cookie Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Ignored

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@a[1].txt


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Ignored

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@doubleclick[1].txt


Cookie: Hitbox.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Ignored

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@hitbox[2].txt


Cookie: Mediaplex.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Ignored

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@mediaplex[1].txt


Cookie: BS.Serving-Sys Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Ignored

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@serving-sys[1].txt

#12 ««
ja nun - Status: Ignored
loeschen bitte !

««
scanne mit option 2 im Normalmodus und poste den report hier
http://virus-protect.org/artikel/tools/smitfrautfix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Moin, den spyware scan hab noch mal gemacht und diesmal gelöscht! Den anderen Scan mach ich dann heute abend!




Spyware Scan Details
Start Date: 17.12.2006 11:49:58
End Date: 17.12.2006 12:43:42
Total Time: 53 mins 44 secs

Detected spyware

Trojan-Downloader.Zlob.Media-Codec Trojan Downloader more information...
Details: Trojan-Downloader.Zlob.Media-Codec is a program that typically purports to be a needed upgrade to Windows Media Player in order to view adult oriented videos on certain websites. However, Trojan-Downloader.Zlob.Media-Codec actually downloads and installs
Status: Quarantined

Infected files detected
c:\programme\video activex object\iesplugin.dll
c:\programme\video activex object\iesuninst.exe
c:\programme\video activex object\isaddon.dll
c:\programme\video activex object\isamini.exe
c:\programme\video activex object\isamonitor.exe
c:\programme\video activex object\isauninst.exe
c:\programme\video activex object\ot.ico
c:\programme\video activex object\pmmon.exe
c:\programme\video activex object\pmsngr.exe
c:\programme\video activex object\pmuninst.exe
c:\programme\video activex object\ts.ico
c:\programme\video activex object\uninst.exe
c:\windows\system32\qrzsyr.dll

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 DisplayName Internet Explorer Security Plugin 2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 UninstallString "C:\Programme\Video ActiveX Object\iesuninst.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On DisplayName Internet Security Add-On
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On UninstallString "C:\Programme\Video ActiveX Object\isauninst.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 DisplayName Public Messenger ver 2.03
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 UninstallString "C:\Programme\Video ActiveX Object\pmuninst.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object URLInfoAbout www.mediaobjectsource.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayVersion 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayName Video ActiveX Object 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object ProductionEnvironment 1
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2}
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2}\InprocServer32 C:\Programme\Video ActiveX Object\iesplugin.dll
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2} Protection Bar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object ProductionEnvironment 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayName Video ActiveX Object 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object UninstallString C:\Programme\Video ActiveX Object\uninst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayIcon C:\Programme\Video ActiveX Object\uninst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object DisplayVersion 2.07
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object URLInfoAbout www.mediaobjectsource.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object Publisher Video ActiveX Object Software


WindUpdates Browser Plug-in more information...
Details: WindUpdates is an adware application that installs as a browser plug-in and displays advertising on the desktop.
Status: Quarantined

Infected files detected
c:\windows\system32\ide21201.vxd


DesktopScam Trojan Downloader more information...
Details: DesktopScam is a trojan that is downloaded with rogue security applicatons in order to frighten the affected user into purchasing the rogue program.
Status: Quarantined

Infected files detected
c:\dokumente und einstellungen\all users\startmenü\security troubleshooting.url
c:\dokumente und einstellungen\all users\startmenü\online security guide.url
C:\Programme\Video ActiveX Object\ot.ico
C:\Programme\Video ActiveX Object\ts.ico


WindUpdates.MediaAccess Adware (General) more information...
Details: WindUpdates.MediaAccess is an adware program that spawns pop-ups on the desktop.
Status: Quarantined

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Media Gateway
HKEY_LOCAL_MACHINE\SOFTWARE\Media Gateway zuk 0
HKEY_LOCAL_MACHINE\SOFTWARE\Media Gateway param 44a1a4a27909f8aaff7b21c72438955b4d8628c0d8d700197d9caef468e79771118a8648139344919bb65f:6435353235363637306562613837363639383437383934333034306261623961:msie:6:0:win:winxp:sp1:javascript


WindUpdates.MediaGateway Adware (General) more information...
Details: WindUpdates.MediaGateway is an adware application that displays advertising on the desktop, usually pop-ups.
Status: Quarantined

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739}
HKEY_CLASSES_ROOT\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739} rsp 1261DF03704B669CC5A3E23076B1D38CD8141004


Trojan-Downloader.Win32.Banload.bkm Trojan Downloader more information...
Status: Quarantined

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations


Cookie: Browseraccelerator Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@atdmt[2].txt


Cookie: ABetterInternet.Aurora Cookie Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@a[1].txt


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@doubleclick[1].txt


Cookie: Hitbox.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@hitbox[2].txt


Cookie: Mediaplex.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@mediaplex[1].txt


Cookie: BS.Serving-Sys Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\tom\cookies\tom@serving-sys[2].txt

#14 poste das neue log vom HijacktHis
__________
MfG Sabina

rund um die PC-Sicherheit

#15 Hi, irgendwie funktioniert das mit smitfrautfix bei mir nicht!
Fofgende Meldung erhalte ich:

Parametre manquant ou incorrect





Logfile of HijackThis v1.99.1
Scan saved at 23:20:29, on 17.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\Thread.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\FRITZ!DSL\StCenter.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\DitExp.exe
C:\Programme\deGruyter\Pschyrembel\bin\LibInst.Gui.exe
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\tom\LOKALE~1\Temp\Rar$EX00.953\HijackThis.exe
C:\Programme\Java\jre1.5.0_07\bin\jucheck.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [kis] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe
O4 - Global Startup: Kontrollfeld für die kabellose Tastatur.lnk = C:\WINDOWS\CNYHKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\powerpoint\Office10\OSA.EXE
O4 - Global Startup: NXT Library Installer.lnk = C:\Programme\deGruyter\Pschyrembel\bin\LibInst.Gui.exe
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MedionShop - {84FAA847-1400-4400-BC93-D338EF03127B} - http://www.medionshop.de/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe