Wenn ich bei Google eine Seite anklicke, werde ich umgeleitet

#0
09.03.2007, 20:20
#1 Da ich einige Tipps dazu schon gelesen habe, habe ich gleich den Log beigefügt:

Start Time= 09.03.2007 20:05:37,48

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-08 09:26:42 43520 ( A.... ) "C:\WINDOWS\system32\CmdLineExt03.dll"
2007-03-08 09:24:52 ( .D... ) "C:\Documents and Settings\Micha\Application Data\AdobeUM"
2007-03-02 15:21:32 ( .D... ) "C:\Program Files\TransportGigant"
2007-02-21 13:59:32 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2007-02-19 13:54:50 ( .D... ) "C:\Documents and Settings\Micha\Application Data\ICQ Toolbar"
2007-02-19 13:53:04 ( .D... ) "C:\Program Files\ICQToolbar"
2007-02-19 13:52:04 ( .D... ) "C:\Program Files\ICQLite"
2007-02-19 13:52:04 ( .D... ) "C:\Documents and Settings\Micha\Application Data\ICQLite"
2007-02-10 20:24:46 ( .D... ) "C:\Program Files\AntiVir PersonalEdition Classic"
2007-02-08 19:35:36 ( .D... ) "C:\Program Files\Cultures"
2007-02-08 18:53:00 ( .D... ) "C:\Program Files\CulturesSaga"
2007-02-07 13:49:32 1395659 ( A.... ) "C:\Documents and Settings\Micha\Application Data\Install.dat"
2007-02-07 12:27:32 ( .D... ) "C:\Program Files\Common Files\Alice"
2007-02-07 12:27:26 ( .D... ) "C:\Program Files\Alice"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"PixAlertMonitor"="C:\\Program Files\\BOS\\PixAlert Monitor Home\\MCtrlA5-0.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"USBTA"="C:\\WINDOWS\\System32\\usbtapnp.exe"
"JVM0.12"="C:\\WINDOWS\\System32\\tcvk.exe"
"tibs5"="C:\\WINDOWS\\System32\\tibs5.exe"
"Web Service"="C:\\WINDOWS\\System32\\sm.exe"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"JVM0.14"="C:\\WINDOWS\\System32\\clqby.exe"
"iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"addgq.exe"="C:\\WINDOWS\\system32\\addgq.exe"
"iprc.exe"="C:\\WINDOWS\\system32\\iprc.exe"
"atlfo.exe"="C:\\WINDOWS\\atlfo.exe"
"ipfc32.exe"="C:\\WINDOWS\\system32\\ipfc32.exe"
"appje.exe"="C:\\WINDOWS\\system32\\appje.exe"
"javaqy32.exe"="C:\\WINDOWS\\javaqy32.exe"
"ipbv.exe"="C:\\WINDOWS\\system32\\ipbv.exe"
"atlqj32.exe"="C:\\WINDOWS\\atlqj32.exe"
"ipdx.exe"="C:\\WINDOWS\\system32\\ipdx.exe"
"mfckr.exe"="C:\\WINDOWS\\system32\\mfckr.exe"
"ntkk32.exe"="C:\\WINDOWS\\system32\\ntkk32.exe"
"atljm.exe"="C:\\WINDOWS\\system32\\atljm.exe"
"mfcmz.exe"="C:\\WINDOWS\\system32\\mfcmz.exe"
"ieiq32.exe"="C:\\WINDOWS\\ieiq32.exe"
"winfh32.exe"="C:\\WINDOWS\\system32\\winfh32.exe"
"javavt32.exe"="C:\\WINDOWS\\javavt32.exe"
"d3jl.exe"="C:\\WINDOWS\\system32\\d3jl.exe"
"sysia.exe"="C:\\WINDOWS\\sysia.exe"
"apiqt.exe"="C:\\WINDOWS\\system32\\apiqt.exe"
"mfcpw.exe"="C:\\WINDOWS\\mfcpw.exe"
"javaoo.exe"="C:\\WINDOWS\\javaoo.exe"
"addux32.exe"="C:\\WINDOWS\\system32\\addux32.exe"
"iewc32.exe"="C:\\WINDOWS\\iewc32.exe"
"winej32.exe"="C:\\WINDOWS\\winej32.exe"
"addlw32.exe"="C:\\WINDOWS\\system32\\addlw32.exe"
"crvc32.exe"="C:\\WINDOWS\\crvc32.exe"
"sdktl32.exe"="C:\\WINDOWS\\sdktl32.exe"
"atlag.exe"="C:\\WINDOWS\\system32\\atlag.exe"
"sdkpk32.exe"="C:\\WINDOWS\\system32\\sdkpk32.exe"
"atlpa32.exe"="C:\\WINDOWS\\system32\\atlpa32.exe"
"sysvl32.exe"="C:\\WINDOWS\\system32\\sysvl32.exe"
"crjm32.exe"="C:\\WINDOWS\\system32\\crjm32.exe"
"msed.exe"="C:\\WINDOWS\\msed.exe"
"ipmd32.exe"="C:\\WINDOWS\\system32\\ipmd32.exe"
"sysje.exe"="C:\\WINDOWS\\sysje.exe"
"msqe.exe"="C:\\WINDOWS\\msqe.exe"
"apiqo.exe"="C:\\WINDOWS\\system32\\apiqo.exe"
"ierm.exe"="C:\\WINDOWS\\system32\\ierm.exe"
"atlzh32.exe"="C:\\WINDOWS\\atlzh32.exe"
"ietv.exe"="C:\\WINDOWS\\system32\\ietv.exe"
"addgc32.exe"="C:\\WINDOWS\\system32\\addgc32.exe"
"mfcjs32.exe"="C:\\WINDOWS\\system32\\mfcjs32.exe"
"sdkif.exe"="C:\\WINDOWS\\sdkif.exe"
"wintg.exe"="C:\\WINDOWS\\wintg.exe"
"links"="links.exe"
"8.tmp"="C:\\DOCUME~1\\Silvana\\LOCALS~1\\Temp\\8.tmp.exe"
"8.tmp.exe"="C:\\DOCUME~1\\Silvana\\LOCALS~1\\Temp\\8.tmp.exe"
"D.tmp"="C:\\DOCUME~1\\Silvana\\LOCALS~1\\Temp\\D.tmp.exe"
"D.tmp.exe"="C:\\DOCUME~1\\Silvana\\LOCALS~1\\Temp\\D.tmp.exe"
"15.tmp"="C:\\DOCUME~1\\Silvana\\LOCALS~1\\Temp\\15.tmp.exe"
"15.tmp.exe"="C:\\DOCUME~1\\Silvana\\LOCALS~1\\Temp\\15.tmp.exe"
"NAVNet"="\"C:\\WINDOWS\\System32\\dgprpsetup.exe\" /m"
"ExchangeMaster"="corrida.exe"
"InpriseMon"="systemdll.exe"
"klsmoupb"="c:\\windows\\system32\\klsmoupb.exe klsmoupb"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"="mscornet.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"UnSpyPC"="\"C:\\Program Files\\UnSpyPC\\UnSpyPC.exe\""
"sysconf16"="PasswdMon.exe"
"SpyElim"="install2.exe"
"init32"="avpmondll.exe"
"Spyware Vanisher"="C:\\spywarevanisher-free\\FreeScanner.exe -FastScan"
"KillAndClean"="\"C:\\Program Files\\KillAndClean\\KillAndClean.exe\""
"Windows update loader"="C:\\Windows\\xpupdate.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -trayboot"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"="C:\\WINDOWS\\desktop.html"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Power2GoExpress"="\"C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Power2GoExpress"="\"C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}"="st3"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job


Completion time: 09.03.2007 20:08:53,43
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

Bitte um Hilfe.

Danke!
#2 Oere

Wer KillAndClean und UnSpyPC lädt, zerschießt sich den Rechner: Beide gehören zu den betrügerischen "Antispyware"-Programmen, die selbst Schadsoftware nachladen, und die Internetverbindung wird auf einen Server in der Ukraine umgeleitet ;)

««
poste das log vom HijackThis
http://virus-protect.org/hjtkurz.html

««
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

««
Kopiere diese 6 Textdateien ab (Rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen). Sie sind nach Datum geordnet; kopiere nur die Einträge der letzten 3 Monate ab.
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit
#3 Hallo Sabina.

Danke für die Antwort. Hier Schritt 1:

Logfile of HijackThis v1.99.1
Scan saved at 08:17:08, on 11.03.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\usbtapnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiVir PersonalEdition Classic\avnotify.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Micha\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iqon.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.hockey-manager.com
R3 - URLSearchHook: (no name) - {302B6285-2B5D-4975-5B67-AE8D593CD1A9} - MNTP.dll (file missing)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll (file missing)
O2 - BHO: (no name) - {3AB67B47-82F1-0D5A-3B0E-17180F06E907} - (no file)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll (file missing)
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O2 - BHO: (no name) - {49E4EAA1-6B9B-AA8F-8BA9-2A2183C0ECC0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {95750FDC-44D2-AA0D-EDAA-47B7561A69A9} - C:\WINDOWS\msge.dll (file missing)
O2 - BHO: (no name) - {B0822B0C-F861-4FB9-94C1-AAF05DBE3146} - (no file)
O2 - BHO: Class - {D54006DD-F98A-C0B8-572B-C19E36BC7181} - C:\WINDOWS\nten.dll (file missing)
O2 - BHO: Class - {F820586B-B64E-CA18-010C-8EE429E06F22} - C:\WINDOWS\msge.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PixAlertMonitor] C:\Program Files\BOS\PixAlert Monitor Home\MCtrlA5-0.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [USBTA] C:\WINDOWS\System32\usbtapnp.exe
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\System32\tcvk.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\System32\clqby.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [addgq.exe] C:\WINDOWS\system32\addgq.exe
O4 - HKLM\..\Run: [iprc.exe] C:\WINDOWS\system32\iprc.exe
O4 - HKLM\..\Run: [atlfo.exe] C:\WINDOWS\atlfo.exe
O4 - HKLM\..\Run: [ipfc32.exe] C:\WINDOWS\system32\ipfc32.exe
O4 - HKLM\..\Run: [appje.exe] C:\WINDOWS\system32\appje.exe
O4 - HKLM\..\Run: [javaqy32.exe] C:\WINDOWS\javaqy32.exe
O4 - HKLM\..\Run: [ipbv.exe] C:\WINDOWS\system32\ipbv.exe
O4 - HKLM\..\Run: [atlqj32.exe] C:\WINDOWS\atlqj32.exe
O4 - HKLM\..\Run: [ipdx.exe] C:\WINDOWS\system32\ipdx.exe
O4 - HKLM\..\Run: [mfckr.exe] C:\WINDOWS\system32\mfckr.exe
O4 - HKLM\..\Run: [ntkk32.exe] C:\WINDOWS\system32\ntkk32.exe
O4 - HKLM\..\Run: [atljm.exe] C:\WINDOWS\system32\atljm.exe
O4 - HKLM\..\Run: [mfcmz.exe] C:\WINDOWS\system32\mfcmz.exe
O4 - HKLM\..\Run: [ieiq32.exe] C:\WINDOWS\ieiq32.exe
O4 - HKLM\..\Run: [winfh32.exe] C:\WINDOWS\system32\winfh32.exe
O4 - HKLM\..\Run: [javavt32.exe] C:\WINDOWS\javavt32.exe
O4 - HKLM\..\Run: [d3jl.exe] C:\WINDOWS\system32\d3jl.exe
O4 - HKLM\..\Run: [sysia.exe] C:\WINDOWS\sysia.exe
O4 - HKLM\..\Run: [apiqt.exe] C:\WINDOWS\system32\apiqt.exe
O4 - HKLM\..\Run: [mfcpw.exe] C:\WINDOWS\mfcpw.exe
O4 - HKLM\..\Run: [javaoo.exe] C:\WINDOWS\javaoo.exe
O4 - HKLM\..\Run: [addux32.exe] C:\WINDOWS\system32\addux32.exe
O4 - HKLM\..\Run: [iewc32.exe] C:\WINDOWS\iewc32.exe
O4 - HKLM\..\Run: [winej32.exe] C:\WINDOWS\winej32.exe
O4 - HKLM\..\Run: [addlw32.exe] C:\WINDOWS\system32\addlw32.exe
O4 - HKLM\..\Run: [crvc32.exe] C:\WINDOWS\crvc32.exe
O4 - HKLM\..\Run: [sdktl32.exe] C:\WINDOWS\sdktl32.exe
O4 - HKLM\..\Run: [atlag.exe] C:\WINDOWS\system32\atlag.exe
O4 - HKLM\..\Run: [sdkpk32.exe] C:\WINDOWS\system32\sdkpk32.exe
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\system32\atlpa32.exe
O4 - HKLM\..\Run: [sysvl32.exe] C:\WINDOWS\system32\sysvl32.exe
O4 - HKLM\..\Run: [crjm32.exe] C:\WINDOWS\system32\crjm32.exe
O4 - HKLM\..\Run: [msed.exe] C:\WINDOWS\msed.exe
O4 - HKLM\..\Run: [ipmd32.exe] C:\WINDOWS\system32\ipmd32.exe
O4 - HKLM\..\Run: [sysje.exe] C:\WINDOWS\sysje.exe
O4 - HKLM\..\Run: [msqe.exe] C:\WINDOWS\msqe.exe
O4 - HKLM\..\Run: [apiqo.exe] C:\WINDOWS\system32\apiqo.exe
O4 - HKLM\..\Run: [ierm.exe] C:\WINDOWS\system32\ierm.exe
O4 - HKLM\..\Run: [atlzh32.exe] C:\WINDOWS\atlzh32.exe
O4 - HKLM\..\Run: [ietv.exe] C:\WINDOWS\system32\ietv.exe
O4 - HKLM\..\Run: [addgc32.exe] C:\WINDOWS\system32\addgc32.exe
O4 - HKLM\..\Run: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
O4 - HKLM\..\Run: [sdkif.exe] C:\WINDOWS\sdkif.exe
O4 - HKLM\..\Run: [wintg.exe] C:\WINDOWS\wintg.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\Silvana\LOCALS~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [8.tmp.exe] C:\DOCUME~1\Silvana\LOCALS~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\Silvana\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [D.tmp.exe] C:\DOCUME~1\Silvana\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\Silvana\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [15.tmp.exe] C:\DOCUME~1\Silvana\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [NAVNet] "C:\WINDOWS\System32\dgprpsetup.exe" /m
O4 - HKLM\..\Run: [ExchangeMaster] corrida.exe
O4 - HKLM\..\Run: [InpriseMon] systemdll.exe
O4 - HKLM\..\Run: [klsmoupb] c:\windows\system32\klsmoupb.exe klsmoupb
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [sysconf16] PasswdMon.exe
O4 - HKCU\..\Run: [SpyElim] install2.exe
O4 - HKCU\..\Run: [init32] avpmondll.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://www.beepworld.de/hp/activexeditor/editlive4.cab
O16 - DPF: {E3943A24-2F83-4505-9AE5-F705E81B50CB} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1055_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7E2738-6956-41D8-B172-08BBDDAC6208}: NameServer = 213.191.92.87 213.191.74.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{715ECE91-D3C0-41BC-B0B2-18CC35474A8F}: NameServer = 85.255.116.162,85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A873C96-EA93-448D-9046-040D966A6341}: NameServer = 85.255.116.162,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.111
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A7E2738-6956-41D8-B172-08BBDDAC6208}: NameServer = 213.191.92.87 213.191.74.19
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.111
O20 - Winlogon Notify: st3 - C:\WINDOWS\q1489765_disk.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: peahtzamdbxx (dcenlmfn6) - Unknown owner - C:\WINDOWS\System32\ruvvfijx6.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Schritt 2 (Clean up) durchgeführt. Über 10.000(!!!!) Einträge wurden gelöscht.

Schritt 3:
system32.txt
Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS\system32

09.03.2007 16:56 1.170 wpa.dbl
08.03.2007 09:26 43.520 CmdLineExt03.dll
21.02.2007 13:59 98.304 CmdLineExt.dll
11.02.2007 00:09 364 results.txt
07.02.2007 18:53 383.104 perfh009.dat
07.02.2007 18:53 54.942 perfc009.dat
07.02.2007 18:53 444.512 PerfStringBackup.INI
08.11.2006 15:10 664 d3d9caps.dat

systemtemp.txt
Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\DOCUME~1\Micha\LOCALS~1\Temp

system.txt
Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS

11.03.2007 08:12 0 0.log
11.03.2007 08:11 1.137.125 WindowsUpdate.log
11.03.2007 08:11 159 wiadebug.log
11.03.2007 08:11 50 wiaservc.log
11.03.2007 08:11 2.048 bootstat.dat
09.03.2007 20:09 235.726 setupact.log
09.03.2007 17:05 32.560 SchedLgU.Txt
08.03.2007 09:18 709.934 setupapi.log
08.03.2007 08:16 84.192 iis6.log
08.03.2007 08:16 195.460 comsetup.log
08.03.2007 08:16 121.864 ntdtcsetup.log
08.03.2007 08:16 235.366 tsoc.log
08.03.2007 08:16 1.891 imsins.log
08.03.2007 08:16 23.521 ocmsn.log
08.03.2007 08:16 360.255 ocgen.log
08.03.2007 08:16 29.714 msgsocm.log
08.03.2007 08:16 566.773 FaxSetup.log
04.03.2007 13:05 1.409 QTFont.for
04.03.2007 13:05 54.156 QTFont.qfn
01.03.2007 19:20 337.675 DirectX.log
01.03.2007 10:47 2.972 ModemLog_DrayTek ISDN PPP.txt
01.03.2007 10:47 3.846 ModemLog_CastleNet 56K PCI Modem.txt
07.02.2007 13:05 17 wininit.ini
07.02.2007 13:05 6.157 netcfg.log
07.02.2007 12:54 227 awprotoc.txt
07.02.2007 12:27 61 awerror.txt
06.02.2007 17:10 419 lexstat.ini
03.01.2007 16:31 55.808 ALCFDRTM.VER

tmp.txt
Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS\Temp

down.txt
Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS\Downloaded Program Files

10.11.2005 13:05 876 jinstall-1_5_0_06.inf
27.08.2005 13:30 5.065 swflash.inf
31.07.2004 01:57 65 desktop.ini
29.07.2004 19:04 780 fastvideoplayer.inf
20.05.2004 14:36 237.568 MISBH.dll
30.06.2003 21:41 1.689 WMV9VCM.inf
20.06.2003 06:12 728 jinstall-1_4_2.inf

sys.txt
Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\

11.03.2007 08:36 0 sys.txt
11.03.2007 08:35 590 down.txt
11.03.2007 08:35 105 tmp.txt
11.03.2007 08:34 95.222 system.txt
11.03.2007 08:33 121 systemtemp.txt
11.03.2007 08:33 174.855 system32.txt
11.03.2007 08:11 1.073.741.824 pagefile.sys
09.03.2007 20:08 8.238 ComboFix.txt
26.02.2007 12:40 5.985 crashAddress.txt
#4 Oere

««
http://www.f-secure.com/blacklight/
Starte die Datei, nimm die Lizenzbestimmungen an und wähle "Scan". Wenn der Scan fertig ist, drücke "Next" und danach "Close". Nun befindet sich im selben Ordner wie Blacklight eine Datei FSB*.TXT – poste diesen Report.

Dann starte Blacklight noch einmal und lasse alle Dateien, die es anzeigt, umbenennen.
Dann lass Blacklight den Rechner neu starten.

««
Öffne HijackThis -- Button "Scan" -- vor diese Einträge Häkchen setzen -- Button "Fix checked".
Hinweis: Die O17-Einträge mit 85.255.x.x, 69.50.x.x und 195.225.x.x sind fremde Nameserver; sie sind der Grund für die Umleitung beim Klick auf Google-Treffer. Die Einträge mit 213.191.x.x gehören vermutlich zum Provider (laut Log ist Alice/HanseNet installiert). Nach dem Fix in den Netzwerkeinstellungen DNS auf "automatisch beziehen" stellen und mit `ipconfig /all` prüfen, dass keiner der fremden Nameserver mehr auftaucht. Ebenfalls verdächtig und hier noch nicht abgedeckt: der O23-Dienst "peahtzamdbxx (dcenlmfn6)" mit zufällig wirkendem Namen (z. B. mit `sc delete dcenlmfn6` entfernen) sowie die Tasks At1.job–At10.job im ComboFix-Log, die danach geprüft werden sollten.

Zitat

R3 - URLSearchHook: (no name) - {302B6285-2B5D-4975-5B67-AE8D593CD1A9} - MNTP.dll (file missing)

O2 - BHO: (no name) - {3AB67B47-82F1-0D5A-3B0E-17180F06E907} - (no file)

O2 - BHO: (no name) - {49E4EAA1-6B9B-AA8F-8BA9-2A2183C0ECC0} - (no file)

O2 - BHO: (no name) - {95750FDC-44D2-AA0D-EDAA-47B7561A69A9} - C:\WINDOWS\msge.dll (file missing)

O2 - BHO: (no name) - {B0822B0C-F861-4FB9-94C1-AAF05DBE3146} - (no file)

O2 - BHO: Class - {D54006DD-F98A-C0B8-572B-C19E36BC7181} - C:\WINDOWS\nten.dll (file missing)

O2 - BHO: Class - {F820586B-B64E-CA18-010C-8EE429E06F22} - C:\WINDOWS\msge.dll (file missing)

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

O4 - HKLM\..\Run: [USBTA] C:\WINDOWS\System32\usbtapnp.exe
O4 - HKLM\..\Run: [JVM0.12] C:\WINDOWS\System32\tcvk.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\System32\clqby.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [addgq.exe] C:\WINDOWS\system32\addgq.exe
O4 - HKLM\..\Run: [iprc.exe] C:\WINDOWS\system32\iprc.exe
O4 - HKLM\..\Run: [atlfo.exe] C:\WINDOWS\atlfo.exe
O4 - HKLM\..\Run: [ipfc32.exe] C:\WINDOWS\system32\ipfc32.exe
O4 - HKLM\..\Run: [appje.exe] C:\WINDOWS\system32\appje.exe
O4 - HKLM\..\Run: [javaqy32.exe] C:\WINDOWS\javaqy32.exe
O4 - HKLM\..\Run: [ipbv.exe] C:\WINDOWS\system32\ipbv.exe
O4 - HKLM\..\Run: [atlqj32.exe] C:\WINDOWS\atlqj32.exe
O4 - HKLM\..\Run: [ipdx.exe] C:\WINDOWS\system32\ipdx.exe
O4 - HKLM\..\Run: [mfckr.exe] C:\WINDOWS\system32\mfckr.exe
O4 - HKLM\..\Run: [ntkk32.exe] C:\WINDOWS\system32\ntkk32.exe
O4 - HKLM\..\Run: [atljm.exe] C:\WINDOWS\system32\atljm.exe
O4 - HKLM\..\Run: [mfcmz.exe] C:\WINDOWS\system32\mfcmz.exe
O4 - HKLM\..\Run: [ieiq32.exe] C:\WINDOWS\ieiq32.exe
O4 - HKLM\..\Run: [winfh32.exe] C:\WINDOWS\system32\winfh32.exe
O4 - HKLM\..\Run: [javavt32.exe] C:\WINDOWS\javavt32.exe
O4 - HKLM\..\Run: [d3jl.exe] C:\WINDOWS\system32\d3jl.exe
O4 - HKLM\..\Run: [sysia.exe] C:\WINDOWS\sysia.exe
O4 - HKLM\..\Run: [apiqt.exe] C:\WINDOWS\system32\apiqt.exe
O4 - HKLM\..\Run: [mfcpw.exe] C:\WINDOWS\mfcpw.exe
O4 - HKLM\..\Run: [javaoo.exe] C:\WINDOWS\javaoo.exe
O4 - HKLM\..\Run: [addux32.exe] C:\WINDOWS\system32\addux32.exe
O4 - HKLM\..\Run: [iewc32.exe] C:\WINDOWS\iewc32.exe
O4 - HKLM\..\Run: [winej32.exe] C:\WINDOWS\winej32.exe
O4 - HKLM\..\Run: [addlw32.exe] C:\WINDOWS\system32\addlw32.exe
O4 - HKLM\..\Run: [crvc32.exe] C:\WINDOWS\crvc32.exe
O4 - HKLM\..\Run: [sdktl32.exe] C:\WINDOWS\sdktl32.exe
O4 - HKLM\..\Run: [atlag.exe] C:\WINDOWS\system32\atlag.exe
O4 - HKLM\..\Run: [sdkpk32.exe] C:\WINDOWS\system32\sdkpk32.exe
O4 - HKLM\..\Run: [atlpa32.exe] C:\WINDOWS\system32\atlpa32.exe
O4 - HKLM\..\Run: [sysvl32.exe] C:\WINDOWS\system32\sysvl32.exe
O4 - HKLM\..\Run: [crjm32.exe] C:\WINDOWS\system32\crjm32.exe
O4 - HKLM\..\Run: [msed.exe] C:\WINDOWS\msed.exe
O4 - HKLM\..\Run: [ipmd32.exe] C:\WINDOWS\system32\ipmd32.exe
O4 - HKLM\..\Run: [sysje.exe] C:\WINDOWS\sysje.exe
O4 - HKLM\..\Run: [msqe.exe] C:\WINDOWS\msqe.exe
O4 - HKLM\..\Run: [apiqo.exe] C:\WINDOWS\system32\apiqo.exe
O4 - HKLM\..\Run: [ierm.exe] C:\WINDOWS\system32\ierm.exe
O4 - HKLM\..\Run: [atlzh32.exe] C:\WINDOWS\atlzh32.exe
O4 - HKLM\..\Run: [ietv.exe] C:\WINDOWS\system32\ietv.exe
O4 - HKLM\..\Run: [addgc32.exe] C:\WINDOWS\system32\addgc32.exe
O4 - HKLM\..\Run: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
O4 - HKLM\..\Run: [sdkif.exe] C:\WINDOWS\sdkif.exe
O4 - HKLM\..\Run: [wintg.exe] C:\WINDOWS\wintg.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\Silvana\LOCALS~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [8.tmp.exe] C:\DOCUME~1\Silvana\LOCALS~1\Temp\8.tmp.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOCUME~1\Silvana\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [D.tmp.exe] C:\DOCUME~1\Silvana\LOCALS~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [15.tmp] C:\DOCUME~1\Silvana\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [15.tmp.exe] C:\DOCUME~1\Silvana\LOCALS~1\Temp\15.tmp.exe
O4 - HKLM\..\Run: [NAVNet] "C:\WINDOWS\System32\dgprpsetup.exe" /m
O4 - HKLM\..\Run: [ExchangeMaster] corrida.exe
O4 - HKLM\..\Run: [InpriseMon] systemdll.exe
O4 - HKLM\..\Run: [klsmoupb] c:\windows\system32\klsmoupb.exe klsmoupb

O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [sysconf16] PasswdMon.exe
O4 - HKCU\..\Run: [SpyElim] install2.exe
O4 - HKCU\..\Run: [init32] avpmondll.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7E2738-6956-41D8-B172-08BBDDAC6208}: NameServer = 213.191.92.87 213.191.74.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{715ECE91-D3C0-41BC-B0B2-18CC35474A8F}: NameServer = 85.255.116.162,85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A873C96-EA93-448D-9046-040D966A6341}: NameServer = 85.255.116.162,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.111
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A7E2738-6956-41D8-B172-08BBDDAC6208}: NameServer = 213.191.92.87 213.191.74.19
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.162 85.255.112.111

O20 - Winlogon Notify: st3 - C:\WINDOWS\q1489765_disk.dll (file missing)
««
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und mit 'Speichern unter' als fixme.reg auf dem Desktop speichern.
Gib bei Dateityp 'Alle Dateien' an, sonst hängt der Editor ein .txt an. Du solltest die Datei jetzt auf dem Desktop finden.
Die Datei "fixme.reg" auf dem Desktop doppelklicken und die Frage, ob die Daten in die Registry übernommen werden sollen, mit "Ja" bzw. "Yes" bestätigen.

Zitat

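REGEDIT4

; fixme.reg -- removes the rogue "antispyware" persistence found in the logs.
; Lines starting with ';' are comments and ignored by regedit.
; A value line ending in "=-" deletes that value; a key in [-...] is deleted whole.

; Settings key of the rogue KillAndClean program.
[-HKEY_CURRENT_USER\Software\KillAndClean]

; Policy that locks Active Desktop changes; removed if present so the
; user can change the wallpaper again (no-op if the value does not exist).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktopChanges"=-

; Forced wallpaper pointing at C:\WINDOWS\desktop.html (seen in the ComboFix
; log under policies\system); presumably the fake "infected" warning page.
; Removing the policy only reverts to the user's own wallpaper.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=-

; HKCU autostart entries of the rogue tools and their loaders.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"UnSpyPC"=-
"sysconf16"=-
"SpyElim"=-
"init32"=-
"Spyware Vanisher"=-
"KillAndClean"=-
; Original script had '"Windows update loader"=' without the trailing '-',
; which is not a valid delete and would have left C:\Windows\xpupdate.exe
; in the autostart.
"Windows update loader"=-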
««
Avenger
http://virus-protect.org/artikel/tools/avenger.html
«
Input script manually (anhaken)
kopiere in: View/edit script

Zitat

Registry values to delete:
HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
HKLM\software\microsoft\windows\currentversion\policies\explorer\run|wininet.dll
HKLM\software\microsoft\windows\currentversion\run|USBTA
HKLM\software\microsoft\windows\currentversion\run|JVM0.12
HKLM\software\microsoft\windows\currentversion\run|tibs5
HKLM\software\microsoft\windows\currentversion\run|Web Service
HKLM\software\microsoft\windows\currentversion\run|Desktop Search
HKLM\software\microsoft\windows\currentversion\run|JVM0.14
HKLM\software\microsoft\windows\currentversion\run|iexplore.exe
HKLM\software\microsoft\windows\currentversion\run|addgq.exe
HKLM\software\microsoft\windows\currentversion\run|iprc.exe
HKLM\software\microsoft\windows\currentversion\run|atlfo.exe
HKLM\software\microsoft\windows\currentversion\run|ipfc32.exe
HKLM\software\microsoft\windows\currentversion\run|appje.exe
HKLM\software\microsoft\windows\currentversion\run|javaqy32.exe
HKLM\software\microsoft\windows\currentversion\run|ipbv.exe
HKLM\software\microsoft\windows\currentversion\run|atlqj32.exe
HKLM\software\microsoft\windows\currentversion\run|ipdx.exe
HKLM\software\microsoft\windows\currentversion\run|mfckr.exe
HKLM\software\microsoft\windows\currentversion\run|ntkk32.exe
HKLM\software\microsoft\windows\currentversion\run|atljm.exe
HKLM\software\microsoft\windows\currentversion\run|mfcmz.exe
HKLM\software\microsoft\windows\currentversion\run|ieiq32.exe
HKLM\software\microsoft\windows\currentversion\run|winfh32.exe
HKLM\software\microsoft\windows\currentversion\run|javavt32.exe
HKLM\software\microsoft\windows\currentversion\run|d3jl.exe
HKLM\software\microsoft\windows\currentversion\run|sysia.exe
HKLM\software\microsoft\windows\currentversion\run|apiqt.exe
HKLM\software\microsoft\windows\currentversion\run|mfcpw.exe
HKLM\software\microsoft\windows\currentversion\run|javaoo.exe
HKLM\software\microsoft\windows\currentversion\run|addux32.exe
HKLM\software\microsoft\windows\currentversion\run|iewc32.exe
HKLM\software\microsoft\windows\currentversion\run|winej32.exe
HKLM\software\microsoft\windows\currentversion\run|addlw32.exe
HKLM\software\microsoft\windows\currentversion\run|crvc32.exe
HKLM\software\microsoft\windows\currentversion\run|sdktl32.exe
HKLM\software\microsoft\windows\currentversion\run|atlag.exe
HKLM\software\microsoft\windows\currentversion\run|sdkpk32.exe
HKLM\software\microsoft\windows\currentversion\run|atlpa32.exe
HKLM\software\microsoft\windows\currentversion\run|sysvl32.exe
HKLM\software\microsoft\windows\currentversion\run|crjm32.exe
HKLM\software\microsoft\windows\currentversion\run|msed.exe
HKLM\software\microsoft\windows\currentversion\run|ipmd32.exe
HKLM\software\microsoft\windows\currentversion\run|sysje.exe
HKLM\software\microsoft\windows\currentversion\run|msqe.exe
HKLM\software\microsoft\windows\currentversion\run|apiqo.exe
HKLM\software\microsoft\windows\currentversion\run|ierm.exe
HKLM\software\microsoft\windows\currentversion\run|atlzh32.exe
HKLM\software\microsoft\windows\currentversion\run|ietv.exe
HKLM\software\microsoft\windows\currentversion\run|addgc32.exe
HKLM\software\microsoft\windows\currentversion\run|mfcjs32.exe
HKLM\software\microsoft\windows\currentversion\run|sdkif.exe
HKLM\software\microsoft\windows\currentversion\run|wintg.exe
HKLM\software\microsoft\windows\currentversion\run|links
HKLM\software\microsoft\windows\currentversion\run|8.tmp
HKLM\software\microsoft\windows\currentversion\run|8.tmp.exe
HKLM\software\microsoft\windows\currentversion\run|D.tmp
HKLM\software\microsoft\windows\currentversion\run|D.tmp.exe
HKLM\software\microsoft\windows\currentversion\run|15.tmp
HKLM\software\microsoft\windows\currentversion\run|15.tmp.exe
HKLM\software\microsoft\windows\currentversion\run|NAVNet
HKLM\software\microsoft\windows\currentversion\run|ExchangeMaster
HKLM\software\microsoft\windows\currentversion\run|InpriseMon
HKLM\software\microsoft\windows\currentversion\run|klsmoupb

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302B6285-2B5D-4975-5B67-AE8D593CD1A9}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DCENLMFN6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DCENLMFN6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dcenlmfn6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6

Files to delete:
C:\WINDOWS\desktop.html
C:\WINDOWS\balloon.wav
C:\WINDOWS\rdt.ini
C:\WINDOWS\System32\usbtapnp.exe
C:\WINDOWS\System32\tcvk.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\Windows\xpupdate.exe
C:\Documents and Settings\Micha\Application Data\Install.dat
C:\Documents and Settings\Micha\Application Data\kc.tmp
C:\Documents and Settings\Micha\Application Data\wo.tmp

Folders to delete:
C:\Program Files\UnSpyPC
C:\spywarevanisher-free
C:\Program Files\KillAndClean
C:\WINDOWS\isrvs
Klicke auf die grüne Ampel.
Das Script wird nun ausgeführt, danach startet der PC automatisch neu.

««
SmitfraudFix abarbeiten (Option 1 und 2 - lasse auch die Registry mitreinigen)
http://virus-protect.org/artikel/tools/smitfrautfix.html

------------
««
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts', then press 'OK' and exit the program.

««
scanne und poste den Scanreport + das neue Log von HijackThis
http://virus-protect.org/artikel/tools/fixwareout.html
__________
MfG Sabina

rund um die PC-Sicherheit
12.03.2007, 13:09
...neu hier

Themenstarter

Beiträge: 9
#5 Hallo Sabina.

Hier der Report:

03/12/07 12:59:59 [Info]: BlackLight Engine 1.0.55 initialized
03/12/07 12:59:59 [Info]: OS: 5.1 build 2600 (Service Pack 1)
03/12/07 12:59:59 [Note]: 7019 4
03/12/07 12:59:59 [Note]: 7005 0
03/12/07 13:00:09 [Note]: 7006 0
03/12/07 13:00:09 [Note]: 7011 2660
03/12/07 13:00:10 [Note]: 7026 0
03/12/07 13:00:10 [Note]: 7026 0
03/12/07 13:00:22 [Note]: FSRAW library version 1.7.1021
03/12/07 13:06:45 [Note]: 2000 1012
03/12/07 13:06:45 [Note]: 2000 1012
03/12/07 13:07:02 [Note]: 7007 0

Er sagt mir:
Scan complete.
No hidden items found.

Hijack durchlaufen lassen.

Datei fixme.reg gespeichert und per Doppelklick hinzugefügt.

Avenger, wie oben beschrieben, abgearbeitet.

Smitfraud - beide Optionen abgearbeitet.

Mit dem Hoster gibt es ein Problem:
Wenn ich den Link aktiviere, erscheint eine Fehlermeldung.

Welcome to www.funkytoad.com!

Unfortunately we can't process your request because it simply doesn't exist.
---------------------------------------------------------------------------
You can head to the Home Page: www.funkytoad.com
or Go directly to the ZonedOut page: http://www.funkytoad.com/content/view/15/33/
or were you looking for Hoster the Hosts file editor? : http://www.funkytoad.com/content/view/13/31/
or perhaps Homer, the most excellent localhost webserver found here: http://www.funkytoad.com/content/view/14/32/

---------------------------------------------------------------------------

Was soll ich jetzt als nächstes machen?
Dieser Beitrag wurde am 12.03.2007 um 13:56 Uhr von Oere editiert.
12.03.2007, 13:54
Ehrenmitglied

Beiträge: 29434
#6 Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts', then press 'OK' and exit the program.

««
scanne und poste den Scanreport + das neue Log von HijackThis
http://virus-protect.org/artikel/tools/fixwareout.html
__________
MfG Sabina

rund um die PC-Sicherheit
12.03.2007, 15:01
...neu hier

Themenstarter

Beiträge: 9
#7 Hallo Sabina.

Mit dem Hoster-Link kann ich nichts anfangen. Diese Seite gibt es nicht. Und ich weiß nicht, wie ich zu dem Punkt "Restore Original Hosts" kommen kann.

Ich erhalte immer eine identische Fehlermeldung und bin von da ab hilflos.

Welcome to www.funkytoad.com!

Unfortunately we can't process your request because it simply doesn't exist.

You can head to the Home Page: www.funkytoad.com
or Go directly to the ZonedOut page: http://www.funkytoad.com/content/view/15/33/
or were you looking for Hoster the Hosts file editor? : http://www.funkytoad.com/content/view/13/31/
or perhaps Homer, the most excellent localhost webserver found here: http://www.funkytoad.com/content/view/14/32/

Scanreport von Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 14:57:53, on 12.03.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\LXBKPSWX.EXE
C:\Documents and Settings\Micha\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.de/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll (file missing)
O2 - BHO: (no name) - {3AB67B47-82F1-0D5A-3B0E-17180F06E907} - (no file)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll (file missing)
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O2 - BHO: (no name) - {49E4EAA1-6B9B-AA8F-8BA9-2A2183C0ECC0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B0822B0C-F861-4FB9-94C1-AAF05DBE3146} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PixAlertMonitor] C:\Program Files\BOS\PixAlert Monitor Home\MCtrlA5-0.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://www.beepworld.de/hp/activexeditor/editlive4.cab
O16 - DPF: {E3943A24-2F83-4505-9AE5-F705E81B50CB} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1055_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7E2738-6956-41D8-B172-08BBDDAC6208}: NameServer = 213.191.92.87 213.191.74.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A7E2738-6956-41D8-B172-08BBDDAC6208}: NameServer = 213.191.92.87 213.191.74.19
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: peahtzamdbxx (dcenlmfn6) - Unknown owner - C:\WINDOWS\System32\ruvvfijx6.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
12.03.2007, 15:06
Ehrenmitglied

Beiträge: 29434
#8 ««
HostsXpert.zip
http://www.funkytoad.com/download/HostsXpert.zip

»»
poste dieses log
http://virus-protect.org/artikel/tools/combofix.html

-------------------------------------------------------------------

««
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten.
in: "Enter search strings" (reinschreiben oder reinkopieren)

peahtzamdbxx

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

dcenlmfn6

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

UnSpyPC

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

KillAndClean

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

{302B6285-2B5D-4975-5B67-AE8D593CD1A9}

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.
__________
MfG Sabina

rund um die PC-Sicherheit
12.03.2007, 16:20
...neu hier

Themenstarter

Beiträge: 9
#9 Bei HostsXpert habe ich den Button "Restore Microsoft's Hosts File" gedrückt. Muss ich da noch einen anderen Button drücken?

ComboFix-Log:
Start Time= 12.03.2007 15:14:10,82

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-12 13:43:08 2746 ( A.... ) "C:\WINDOWS\system32\tmp.reg"
2007-03-12 13:30:28 9500 ( A.... ) "C:\Program Files\lxyeebcw.txt"
2007-03-11 08:20:38 ( .D... ) "C:\Program Files\CleanUp!"
2007-03-08 09:26:42 43520 ( A.... ) "C:\WINDOWS\system32\CmdLineExt03.dll"
2007-03-08 09:24:52 ( .D... ) "C:\Documents and Settings\Micha\Application Data\AdobeUM"
2007-03-02 15:21:32 ( .D... ) "C:\Program Files\TransportGigant"
2007-02-21 13:59:32 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2007-02-19 13:54:50 ( .D... ) "C:\Documents and Settings\Micha\Application Data\ICQ Toolbar"
2007-02-19 13:53:04 ( .D... ) "C:\Program Files\ICQToolbar"
2007-02-19 13:52:04 ( .D... ) "C:\Program Files\ICQLite"
2007-02-19 13:52:04 ( .D... ) "C:\Documents and Settings\Micha\Application Data\ICQLite"
2007-02-10 20:24:46 ( .D... ) "C:\Program Files\AntiVir PersonalEdition Classic"
2007-02-08 19:35:36 ( .D... ) "C:\Program Files\Cultures"
2007-02-08 18:53:00 ( .D... ) "C:\Program Files\CulturesSaga"
2007-02-07 12:27:32 ( .D... ) "C:\Program Files\Common Files\Alice"
2007-02-07 12:27:26 ( .D... ) "C:\Program Files\Alice"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"PixAlertMonitor"="C:\\Program Files\\BOS\\PixAlert Monitor Home\\MCtrlA5-0.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Power2GoExpress"="\"C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Power2GoExpress"="\"C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

Completion time: 12.03.2007 15:16:58,50
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

Log für die Suche nach "peahtzamdbxx":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 15:29:25 for strings:
; 'peahtzamdbxx'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DCENLMFN6\0000]
"DeviceDesc"="peahtzamdbxx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6]
"DisplayName"="peahtzamdbxx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DCENLMFN6\0000]
"DeviceDesc"="peahtzamdbxx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dcenlmfn6]
"DisplayName"="peahtzamdbxx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6\0000]
"DeviceDesc"="peahtzamdbxx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6]
"DisplayName"="peahtzamdbxx"

; End Of The Log...

Log für die Suche nach "dcenlmfn6":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 16:19:46 for strings:
; 'dcenlmfn6'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DCENLMFN6]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DCENLMFN6\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DCENLMFN6\0000]
"Service"="dcenlmfn6"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6\Enum]
"0"="Root\\LEGACY_DCENLMFN6\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DCENLMFN6]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DCENLMFN6\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DCENLMFN6\0000]
"Service"="dcenlmfn6"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dcenlmfn6]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dcenlmfn6\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6\0000]
"Service"="dcenlmfn6"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6\Enum]
"0"="Root\\LEGACY_DCENLMFN6\\0000"

; End Of The Log...

Log für die Suche nach "UnSpyPC":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 16:31:36 for strings:
; 'unspypc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\UnSpyPC]

[HKEY_CURRENT_USER\Software\UnSpyPC\FirstRun]

[HKEY_CURRENT_USER\Software\UnSpyPC\Options]

[HKEY_CURRENT_USER\Software\UnSpyPC\Registration]

; End Of The Log...

Log für die Suche nach "KillAndClean":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 16:42:40 for strings:
; 'killandclean'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Log für die Suche nach "{302B6285-2B5D-4975-5B67-AE8D593CD1A9}":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 16:53:44 for strings:
; '{302b6285-2b5d-4975-5b67-ae8d593cd1a9}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302B6285-2B5D-4975-5B67-AE8D593CD1A9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302B6285-2B5D-4975-5B67-AE8D593CD1A9}\InprocServer32]

; End Of The Log...
Dieser Beitrag wurde am 12.03.2007 um 17:04 Uhr von Oere editiert.
12.03.2007, 16:35
Ehrenmitglied

Beiträge: 29434
#10 1.
««
scanne und poste den Scanreport
http://virus-protect.org/artikel/tools/fixwareout.html

2.
scanne mit
Finditnt2000xp.zip und poste den Report
http://virus-protect.org/artikel/tools/FindItNt2kXP.html

--------
3.
in: "Enter search strings" (reinschreiben oder reinkopieren)

UnSpyPC

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

KillAndClean


in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

{302B6285-2B5D-4975-5B67-AE8D593CD1A9}

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

-------------------------------------------------------------------
ist für mich

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DCENLMFN6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DCENLMFN6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dcenlmfn6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6

C:\WINDOWS\System32\ruvvfijx6.exe
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
__________
MfG Sabina

rund um die PC-Sicherheit
12.03.2007, 17:09
...neu hier

Themenstarter

Beiträge: 9
#11 1.
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmbsy"
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmevz"
HKLM\SOFTWARE\~\Winlogon\ "System"="csnif.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\version\Run\ "dmbsy"
HKLM\SOFTWARE\~\version\Run\ "dmevz"
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "ysbmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}F1EBF1931BC7-461A-A364-61D9-C3E8380A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}7F99EB5029A4-479B-8C84-0FB5-CD17C642{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}6743B7E3EF67-0718-2AD4-95C5-99397A63{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}609BBC288697-B279-B724-E093-B347B5A0{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}96130789D578-CAF9-F544-2FF9-4CCE2AA5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}8A77845C78E7-B87B-1524-BB7E-5EF91415{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}2429CB6FE77A-332B-17B4-AF61-BBE483C2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "17" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "18" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "19" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "20" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "21" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "22" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "24" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "25" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "26" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "27" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "28" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "29" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "30" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "31" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "33" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "34" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "35" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "36" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "37" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "38" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "39" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "40" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "zvemd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/ipdnssec6.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/fixiemapi.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/dmsadmins.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/qwinnta.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/sesmgr.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/dumpsprep.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/mqspbkup.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/mptsgsvc.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "http://69.50.166.98/users/conrad/web/cithlper.gif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "swen" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eno" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "owt" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eerht" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ruof" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "evif" Deleted
HKLM\~\currentversion\run "dmbsy.exe" Deleted
HKLM\~\currentversion\run "dmevz.exe" Deleted
C:\WINDOWS\System32\dmaho.exe Deleted
C:\WINDOWS\System32\dmaqs.exe Deleted
C:\WINDOWS\System32\dmevz.exe Deleted
C:\WINDOWS\System32\dmhdk.exe Deleted
C:\WINDOWS\System32\dmkxn.exe Deleted
C:\WINDOWS\System32\dmmvf.exe Deleted
C:\WINDOWS\System32\dmnqm.exe Deleted
C:\WINDOWS\System32\dmqeh.exe Deleted
C:\WINDOWS\System32\dmrdo.exe Deleted
C:\WINDOWS\System32\dmxdp.exe Deleted
C:\WINDOWS\System32\dmyil.exe Deleted
....
»»»»» Misc files.
C:\Documents and Settings\Micha\Application Data\kc.tmp Deleted
C:\Documents and Settings\Micha\Application Data\uns.tmp Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\RDT.INI Deleted
C:\WINDOWS\System32\close.bmp Deleted
C:\WINDOWS\System32\dating.bmp Deleted
C:\WINDOWS\System32\drivers\zpmodemnt.sys Deleted
C:\WINDOWS\System32\gambling.bmp Deleted
C:\WINDOWS\System32\idesk.conf Deleted
C:\WINDOWS\System32\insurance.bmp Deleted
C:\WINDOWS\System32\pharmacy.bmp Deleted
C:\WINDOWS\System32\spyware.bmp Deleted
C:\WINDOWS\System32\xxx.bmp Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.Jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"PixAlertMonitor"="C:\\Program Files\\BOS\\PixAlert Monitor Home\\MCtrlA5-0.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

2.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Micha\My Documents\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS\System32

28.01.2005 16:32 3.567 rmblx.txt
28.01.2005 05:29 0 fslmg.dll
24.01.2005 14:09 3.567 rpvet.log
22.01.2005 22:54 0 sdwnw.txt
08.01.2005 20:12 0 iesq.exe
07.01.2005 16:03 0 netln.exe
6 File(s) 7.134 bytes
0 Dir(s) 36.556.750.848 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS\System32

13.03.2006 17:28 4.212 zllictbl.dat
28.01.2005 16:32 3.567 rmblx.txt
28.01.2005 05:29 0 fslmg.dll
24.01.2005 14:09 3.567 rpvet.log
22.01.2005 22:54 0 sdwnw.txt
08.01.2005 20:12 0 iesq.exe
07.01.2005 16:03 0 netln.exe
31.07.2004 01:57 488 WindowsLogon.manifest
31.07.2004 01:57 488 logonui.exe.manifest
31.07.2004 01:57 749 cdplayer.exe.manifest
31.07.2004 01:57 749 sapi.cpl.manifest
31.07.2004 01:57 749 wuaucpl.cpl.manifest
31.07.2004 01:57 749 ncpa.cpl.manifest
31.07.2004 01:57 749 nwc.cpl.manifest
14 File(s) 16.067 bytes
0 Dir(s) 36.556.619.776 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is Wirbelwind
Volume Serial Number is 948F-573C

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_26.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_27.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_28.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_29.dll: D3DXUVAtlasPack
C:\WINDOWS\system32\d3dx9_30.dll: D3DXUVAtlasPack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"PixAlertMonitor"="C:\\Program Files\\BOS\\PixAlert Monitor Home\\MCtrlA5-0.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"




3.
Log für die Suche nach "UnSpyPC":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 16:31:36 for strings:
; 'unspypc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\UnSpyPC]

[HKEY_CURRENT_USER\Software\UnSpyPC\FirstRun]

[HKEY_CURRENT_USER\Software\UnSpyPC\Options]

[HKEY_CURRENT_USER\Software\UnSpyPC\Registration]

; End Of The Log...

Log für die Suche nach "KillAndClean":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 16:42:40 for strings:
; 'killandclean'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Log für die Suche nach "{302B6285-2B5D-4975-5B67-AE8D593CD1A9}":
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 12.03.2007 16:53:44 for strings:
; '{302b6285-2b5d-4975-5b67-ae8d593cd1a9}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302B6285-2B5D-4975-5B67-AE8D593CD1A9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302B6285-2B5D-4975-5B67-AE8D593CD1A9}\InprocServer32]

; End Of The Log...
Dieser Beitrag wurde am 12.03.2007 um 17:19 Uhr von Oere editiert.
12.03.2007, 18:28
Ehrenmitglied

Beiträge: 29434
#12 hast du das Avenger-Script (siehe oben) angewendet?
wende es an und poste den Report nach dem Neustart
__________
MfG Sabina

rund um die PC-Sicherheit
12.03.2007, 18:49
...neu hier

Themenstarter

Beiträge: 9
#13 Da will er wohl einiges nicht deleten (laut Log meist "not found", also offenbar schon durch Fixwareout entfernt):

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kyrkbwnq

*******************

Script file located at: \??\C:\WINDOWS\waoumjqj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DCENLMFN6 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dcenlmfn6 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DCENLMFN6 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dcenlmfn6 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DCENLMFN6
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcenlmfn6
Status: 0xc0000034



File C:\WINDOWS\desktop.html not found!
Deletion of file C:\WINDOWS\desktop.html failed!

Could not process line:
C:\WINDOWS\desktop.html
Status: 0xc0000034



File C:\WINDOWS\balloon.wav not found!
Deletion of file C:\WINDOWS\balloon.wav failed!

Could not process line:
C:\WINDOWS\balloon.wav
Status: 0xc0000034



File C:\WINDOWS\rdt.ini not found!
Deletion of file C:\WINDOWS\rdt.ini failed!

Could not process line:
C:\WINDOWS\rdt.ini
Status: 0xc0000034

File C:\WINDOWS\System32\usbtapnp.exe deleted successfully.


File C:\WINDOWS\System32\tcvk.exe not found!
Deletion of file C:\WINDOWS\System32\tcvk.exe failed!

Could not process line:
C:\WINDOWS\System32\tcvk.exe
Status: 0xc0000034



File C:\WINDOWS\System32\tibs5.exe not found!
Deletion of file C:\WINDOWS\System32\tibs5.exe failed!

Could not process line:
C:\WINDOWS\System32\tibs5.exe
Status: 0xc0000034



File C:\WINDOWS\tasks\At1.job not found!
Deletion of file C:\WINDOWS\tasks\At1.job failed!

Could not process line:
C:\WINDOWS\tasks\At1.job
Status: 0xc0000034

File C:\WINDOWS\tasks\At10.job deleted successfully.


File C:\WINDOWS\tasks\At2.job not found!
Deletion of file C:\WINDOWS\tasks\At2.job failed!

Could not process line:
C:\WINDOWS\tasks\At2.job
Status: 0xc0000034

File C:\WINDOWS\tasks\At3.job deleted successfully.
File C:\WINDOWS\tasks\At8.job deleted successfully.
File C:\WINDOWS\tasks\At9.job deleted successfully.


File C:\Windows\xpupdate.exe not found!
Deletion of file C:\Windows\xpupdate.exe failed!

Could not process line:
C:\Windows\xpupdate.exe
Status: 0xc0000034



File C:\Documents and Settings\Micha\Application Data\Install.dat not found!
Deletion of file C:\Documents and Settings\Micha\Application Data\Install.dat failed!

Could not process line:
C:\Documents and Settings\Micha\Application Data\Install.dat
Status: 0xc0000034



File C:\Documents and Settings\Micha\Application Data\kc.tmp not found!
Deletion of file C:\Documents and Settings\Micha\Application Data\kc.tmp failed!

Could not process line:
C:\Documents and Settings\Micha\Application Data\kc.tmp
Status: 0xc0000034



File C:\Documents and Settings\Micha\Application Data\wo.tmp not found!
Deletion of file C:\Documents and Settings\Micha\Application Data\wo.tmp failed!

Could not process line:
C:\Documents and Settings\Micha\Application Data\wo.tmp
Status: 0xc0000034



Folder C:\Program Files\UnSpyPC not found!
Deletion of folder C:\Program Files\UnSpyPC failed!

Could not process line:
C:\Program Files\UnSpyPC
Status: 0xc0000034



Folder C:\spywarevanisher-free not found!
Deletion of folder C:\spywarevanisher-free failed!

Could not process line:
C:\spywarevanisher-free
Status: 0xc0000034



Folder C:\Program Files\KillAndClean not found!
Deletion of folder C:\Program Files\KillAndClean failed!

Could not process line:
C:\Program Files\KillAndClean
Status: 0xc0000034

Folder C:\WINDOWS\isrvs deleted successfully.


Could not delete registry value HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
Deletion of registry value HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\policies\explorer\run|wininet.dll
Deletion of registry value HKLM\software\microsoft\windows\currentversion\policies\explorer\run|wininet.dll failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|USBTA
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|USBTA failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|JVM0.12
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|JVM0.12 failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|tibs5
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|tibs5 failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|Web Service
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|Web Service failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|Desktop Search
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|Desktop Search failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|JVM0.14
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|JVM0.14 failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|iexplore.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|iexplore.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|addgq.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|addgq.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|iprc.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|iprc.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|atlfo.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|atlfo.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ipfc32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ipfc32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|appje.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|appje.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|javaqy32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|javaqy32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ipbv.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ipbv.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|atlqj32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|atlqj32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ipdx.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ipdx.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|mfckr.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|mfckr.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ntkk32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ntkk32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|atljm.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|atljm.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|mfcmz.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|mfcmz.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ieiq32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ieiq32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|winfh32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|winfh32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|javavt32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|javavt32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|d3jl.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|d3jl.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|sysia.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|sysia.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|apiqt.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|apiqt.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|mfcpw.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|mfcpw.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|javaoo.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|javaoo.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|addux32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|addux32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|iewc32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|iewc32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|winej32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|winej32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|addlw32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|addlw32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|crvc32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|crvc32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|sdktl32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|sdktl32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|atlag.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|atlag.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|sdkpk32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|sdkpk32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|atlpa32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|atlpa32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|sysvl32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|sysvl32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|crjm32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|crjm32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|msed.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|msed.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ipmd32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ipmd32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|sysje.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|sysje.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|msqe.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|msqe.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|apiqo.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|apiqo.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ierm.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ierm.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|atlzh32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|atlzh32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ietv.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ietv.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|addgc32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|addgc32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|mfcjs32.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|mfcjs32.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|sdkif.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|sdkif.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|wintg.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|wintg.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|links
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|links failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|8.tmp
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|8.tmp failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|8.tmp.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|8.tmp.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|D.tmp
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|D.tmp failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|D.tmp.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|D.tmp.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|15.tmp
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|15.tmp failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|15.tmp.exe
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|15.tmp.exe failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|NAVNet
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|NAVNet failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|ExchangeMaster
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|ExchangeMaster failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|InpriseMon
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|InpriseMon failed!
Status: 0xc0000034



Could not delete registry value HKLM\software\microsoft\windows\currentversion\run|klsmoupb
Deletion of registry value HKLM\software\microsoft\windows\currentversion\run|klsmoupb failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302B6285-2B5D-4975-5B67-AE8D593CD1A9} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
12.03.2007, 23:52
Ehrenmitglied

Beiträge: 29434
#14 1.
Öffne den Registrierungs-Editor: Start - Ausführen - regedit

Dort den Schlüssel HKEY_CURRENT_USER\Software\UnSpyPC löschen

»»
PC neustarten

2.
Scanne mit dem dort beschriebenen Tool und poste anschließend den Scanreport:
http://virus-protect.org/artikel/tools/superantispyware.html
__________
MfG Sabina

rund um die PC-Sicherheit
13.03.2007, 17:19
...neu hier

Themenstarter

Beiträge: 9
#15 1. Der Schlüssel HKEY_CURRENT_USER\Software\UnSpyPC ist in der Registry nicht zu finden.

2. Der Scanreport (Achtung, sehr lang!):

SUPERAntiSpyware Scan Log
Generated 03/13/2007 at 05:16 PM

Application Version : 3.5.1016

Core Rules Database Version : 3198
Trace Rules Database Version: 1208

Scan type : Complete Scan
Total Scan Time : 00:35:26

Memory items scanned : 329
Memory Thread detected : 0
Registry items scanned : 7848
Registry Thread detected : 90
File items scanned : 37182
File Thread detected : 197

Adware.Tracking Cookie
C:\Documents and Settings\Micha\Cookies\micha@advertising[2].txt
C:\Documents and Settings\Micha\Cookies\micha@mediaplex[1].txt
C:\Documents and Settings\Micha\Cookies\micha@doubleclick[1].txt
C:\Documents and Settings\Micha\Cookies\micha@hasenet.122.2o7[1].txt
C:\Documents and Settings\Micha\Cookies\micha@hmt.connexpromotions[2].txt
C:\Documents and Settings\Micha\Cookies\micha@overture[2].txt
C:\Documents and Settings\Micha\Cookies\micha@mediavantage[1].txt
C:\Documents and Settings\Micha\Cookies\micha@as1.falkag[1].txt
C:\Documents and Settings\Micha\Cookies\micha@indextools[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@2o7[1].txt
C:\Documents and Settings\Silvana\Cookies\silvana@adtech[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@adultfriendfinder[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@as-eu.falkag[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@atwola[1].txt
C:\Documents and Settings\Silvana\Cookies\silvana@doubleclick[1].txt
C:\Documents and Settings\Silvana\Cookies\silvana@hmt.connexpromotions[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@indextools[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@komtrack[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@mediaplex[1].txt
C:\Documents and Settings\Silvana\Cookies\silvana@overture[1].txt
C:\Documents and Settings\Silvana\Cookies\silvana@partners.webmasterplan[1].txt
C:\Documents and Settings\Silvana\Cookies\silvana@sevenoneintermedia.112.2o7[1].txt
C:\Documents and Settings\Silvana\Cookies\silvana@stat.dealtime[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@stats.drivecleaner[2].txt
C:\Documents and Settings\Silvana\Cookies\silvana@statse.webtrendslive[2].txt

Unclassified.Unknown Origin
HKCR\CLSID\{127B258A-8F8E-75B6-D538-4A7711988318}
HKCR\CLSID\{127B258A-8F8E-75B6-D538-4A7711988318}\Data
HKCR\CLSID\{40D569C1-F9AA-178A-455D-97CE4369C208}
HKCR\CLSID\{40D569C1-F9AA-178A-455D-97CE4369C208}\Data
HKCR\CLSID\{4410D8C5-0277-7086-4641-DD5178D4D6ED}
HKCR\CLSID\{4410D8C5-0277-7086-4641-DD5178D4D6ED}\Data
HKCR\CLSID\{779EFE93-0121-038F-5AA1-C43DA75BE5F3}
HKCR\CLSID\{779EFE93-0121-038F-5AA1-C43DA75BE5F3}\Data
HKCR\CLSID\{AF4B5B80-CD07-0D06-FD03-077EBB4D0093}
HKCR\CLSID\{AF4B5B80-CD07-0D06-FD03-077EBB4D0093}\Data
HKCR\CLSID\{C458CC4F-5C18-CF54-5A23-59323340458C}
HKCR\CLSID\{C458CC4F-5C18-CF54-5A23-59323340458C}\Data
HKCR\CLSID\{D01EB607-FCB6-D9F9-F253-E432410DA962}
HKCR\CLSID\{D01EB607-FCB6-D9F9-F253-E432410DA962}\Data
HKCR\CLSID\{E904118E-1B8F-F317-ED73-F02C7E6CF6EE}
HKCR\CLSID\{E904118E-1B8F-F317-ED73-F02C7E6CF6EE}\Data
HKCR\CLSID\{0E38DF3A-AB9F-0EFB-7061-A012D46F8C4F}
HKCR\CLSID\{0E38DF3A-AB9F-0EFB-7061-A012D46F8C4F}\Data
HKCR\CLSID\{7DB64B28-1BB0-D8F6-CB9A-E8FB11BD47AD}
HKCR\CLSID\{7DB64B28-1BB0-D8F6-CB9A-E8FB11BD47AD}\Data
HKCR\CLSID\{C8E09E11-D541-F895-3F54-4597E03FF821}
HKCR\CLSID\{C8E09E11-D541-F895-3F54-4597E03FF821}\Data
HKCR\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}
HKCR\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}\Data
HKCR\CLSID\{E07FEBA7-DA76-CC40-6C75-197B46A15FC9}
HKCR\CLSID\{E07FEBA7-DA76-CC40-6C75-197B46A15FC9}\Data
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data_2
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data0
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data1
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data2
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data3
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Set
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data_4
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data_5
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data_6
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data_7
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data#Data_1
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data3
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#DataA
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data0
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data1
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data2
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data4
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data5
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data6
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data7
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data9
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#DataB
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#DataC
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data10
HKCR\CLSID\{F69A992B-1259-FA8F-7BB7-3DCC5E875A96}\Data\MD#Data11
HKCR\CLSID\{FE94E0C2-14CD-147B-0E5B-B655DA646058}
HKCR\CLSID\{FE94E0C2-14CD-147B-0E5B-B655DA646058}\Data
HKCR\CLSID\{2627C43B-FB1D-F815-04DA-3D4D787AEB82}
HKCR\CLSID\{2627C43B-FB1D-F815-04DA-3D4D787AEB82}\Data
HKCR\CLSID\{59032CD0-6861-388D-3398-80FD4CCFF228}
HKCR\CLSID\{59032CD0-6861-388D-3398-80FD4CCFF228}\Data
HKCR\CLSID\{AC143F1D-AC5E-2BFB-3800-4506564697DB}
HKCR\CLSID\{AC143F1D-AC5E-2BFB-3800-4506564697DB}\Data
HKCR\CLSID\{E908A374-1683-3463-4B58-B04FA802CF30}
HKCR\CLSID\{E908A374-1683-3463-4B58-B04FA802CF30}\Data

Parasite.CoolWebSearch Variant
HKCR\CLSID\{1168F197-9125-6D52-2D9D-CBCE51B1F230}
HKCR\CLSID\{1168F197-9125-6D52-2D9D-CBCE51B1F230}\Data
HKCR\CLSID\{2791C729-2474-F3F0-7441-0CF258BD877E}
HKCR\CLSID\{2791C729-2474-F3F0-7441-0CF258BD877E}\Data
HKCR\CLSID\{3D9AD4EE-16C6-72F9-85E6-92DA8D18F8D0}
HKCR\CLSID\{3D9AD4EE-16C6-72F9-85E6-92DA8D18F8D0}\Data
HKCR\CLSID\{658EFEAF-9C53-F605-3515-7DACA09B05B6}
HKCR\CLSID\{658EFEAF-9C53-F605-3515-7DACA09B05B6}\Data
HKCR\CLSID\{A1478393-27A6-A004-43B7-4A801508772A}
HKCR\CLSID\{A1478393-27A6-A004-43B7-4A801508772A}\Data
HKCR\CLSID\{A19B27CF-5741-F8BA-D784-95739AD24FF8}
HKCR\CLSID\{A19B27CF-5741-F8BA-D784-95739AD24FF8}\Data
HKCR\CLSID\{C448539A-1A24-DCB9-3152-D2DCA94E1831}
HKCR\CLSID\{C448539A-1A24-DCB9-3152-D2DCA94E1831}\Data
HKCR\CLSID\{E5DB0597-B34F-ED80-7618-542E6788F6C7}
HKCR\CLSID\{E5DB0597-B34F-ED80-7618-542E6788F6C7}\Data
HKCR\CLSID\{E61B04D3-5684-9F05-B849-0B1AC13A3F3F}
HKCR\CLSID\{E61B04D3-5684-9F05-B849-0B1AC13A3F3F}\Data
HKCR\CLSID\{E9125959-C0B8-678A-E0B8-139867622A9B}
HKCR\CLSID\{E9125959-C0B8-678A-E0B8-139867622A9B}\Data
HKCR\CLSID\{FFCDF546-F480-31CB-7C6B-5F25BAA47B24}
HKCR\CLSID\{FFCDF546-F480-31CB-7C6B-5F25BAA47B24}\Data

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
C:\WINDOWS\system32\stera.job

Trojan.Avpe64/32
C:\WINDOWS\system32\klgcptini.dat

Adware.IST/YourSiteBar
HKCR\YSBactivex.Installer
HKCR\YSBactivex.Installer\CLSID
HKCR\YSBactivex.Installer\CurVer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ysbactivex.dll [  ]

Malware.DriveCleaner
C:\DOCUMENTS AND SETTINGS\SILVANA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\G8IAT34E\INSTALLDRIVECLEANERSTART[1].EXE

Trojan.DOmen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0435443.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0436442.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0437442.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0437448.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0438448.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0439448.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0440448.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP101\A0440474.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP102\A0440482.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP102\A0440493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP102\A0441493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP102\A0441499.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP102\A0442499.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0442651.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0443649.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0443655.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0444655.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0445655.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0445661.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0445671.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0445677.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP106\A0445684.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0445692.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0446692.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0446701.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0447701.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0448701.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0449701.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0450701.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0450707.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0451707.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0452707.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0452713.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0453713.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0453719.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0453727.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP107\A0453733.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP109\A0453915.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0453996.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0454996.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0455002.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0455008.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0456008.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0456014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457020.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457032.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457038.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457044.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457050.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP111\A0457056.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP113\A0457124.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP113\A0458124.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP113\A0458137.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP113\A0458143.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0459143.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0459151.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0460156.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0460165.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0461165.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0461172.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0461179.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0461188.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0461194.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0461202.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0462202.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0462211.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP115\A0463222.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP116\A0463224.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP116\A0463235.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP116\A0463270.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0463315.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0463329.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0464337.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0464343.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0465343.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0466343.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0466514.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0466523.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP117\A0466598.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466629.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466630.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466631.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466632.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466633.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466634.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466635.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466636.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466637.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466638.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP118\A0466639.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0389955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0390955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0391955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0392955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0393955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0394955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0395955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0396955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0397955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0398955.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0399960.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0400960.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0400973.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0400979.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0400985.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0400991.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0401991.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0401997.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0402997.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0403004.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0404004.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0404010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0405010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0406010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0407010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0408010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0409010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0410010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0411010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0412010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0413010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0414010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0414017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0415017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0416017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0417017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0418017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0419017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0420017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0421017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0422017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0423017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0424017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0425017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0425026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0426026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0427026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0427282.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0428281.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0429281.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0430281.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0432281.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0433281.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP98\A0434281.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B2118C24-6640-4C7A-BA22-6EF3AB5B3D3B}\RP99\A0435282.EXE

Trojan.IEFY32
C:\WINDOWS\IEFY32.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\ADDLQ32.EXE
C:\WINDOWS\SYSTEM32\APIKQ32.EXE
C:\WINDOWS\SYSTEM32\ATLCS32.EXE
C:\WINDOWS\SYSTEM32\D3GC.EXE
C:\WINDOWS\SYSTEM32\IELA.EXE
C:\WINDOWS\SYSTEM32\IESF.EXE
C:\WINDOWS\SYSTEM32\IPIW32.EXE
C:\WINDOWS\SYSTEM32\MFCDA32.EXE
C:\WINDOWS\SYSTEM32\MFCFI32.EXE
C:\WINDOWS\SYSTEM32\MSNK32.EXE
C:\WINDOWS\SYSTEM32\SDKPG32.EXE
C:\WINDOWS\SYSTEM32\SYSEB32.EXE
C:\WINDOWS\SYSTEM32\SYSVF.EXE
C:\WINDOWS\SYSTEM32\WINDT32.EXE

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\JAVALU32.EXE
C:\WINDOWS\SYSTEM32\WINSUB.XML

Trojan.JAVAMS32
C:\WINDOWS\SYSTEM32\JAVAMS32.EXE

Trojan.PSA3D
C:\WINDOWS\SYSTEM32\PS.A3D

Trojan.Downloader-Gen/Win
C:\WINDOWS\SYSTEM32\SVCP.CSV

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\VX.TLL

Trojan.RBot/Variant
C:\WINDOWS\SYSTEM32\WINSI32.EXE