TR/Vundo.Gen trojan in mljgf.dll

11.03.2007, 00:14
...new here

Posts: 5
#1 Please help, I have a hijacker on my PC..

TR/Vundo.Gen found by Avira AntiVir PersonalEdition Classic in C:\WINDOWS\system32\mljgf.dll

It opens windows to broadcaster.com and other sites.

Thanks a lot for your efforts!
I have all the logs here

Logfile of HijackThis v1.99.1
Scan saved at 23:42:52, on 10.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\CPUCooL\CooLSrv.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\CPUCooL\CPUCooL.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Desktop\comboscan.exe
C:\DOKUME~1\TAIPAN~1.SKY\Desktop\Taipan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.versatel.de/internet-cd/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.versatel.de/internet-cd/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {084AD332-470B-4687-8C59-BA7402E374B3} - C:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Startup: CPUCooL.lnk = C:\Programme\CPUCooL\CPUCooL.exe
O4 - Startup: Sygate Personal Firewall.lnk = C:\Programme\Sygate\SPF\Smc.exe
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Programme\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/
O17 - HKLM\System\CCS\Services\Tcpip\..\{E93D7D52-D783-4EAD-A500-4FB8CAFF9B99}: NameServer = 212.7.148.65,212.7.148.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Programme\CPUCooL\CooLSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe


Hello again - I think I've got it sorted! Ran ComboFix and VundoFix over it, then HijackThis/AVG Anti-Spyware.. all good - very cool forum - THANKS!
This post was edited on 11.03.2007 at 13:30 by raffy.
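As an added defender-side example (not code from this thread, from HijackThis or from virus-protect.org): a small Python parser over constructed log lines modelled on raffy's log above and on the log he posts after cleanup. It correlates the O2 BHO, O20 Winlogon Notify and O4 RunServices entries that gave the Vundo infection away and confirms they are absent afterwards; the sample lines and the heuristics are the example's own.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the first log in
# this thread (before cleanup). mljgf.dll is the file Avira reported as TR/Vundo.Gen.
INFECTED_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {084AD332-470B-4687-8C59-BA7402E374B3} - C:\WINDOWS\system32\mljgf.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
"""

# Constructed sample modelled on the post-cleanup log: the mljgf entries are gone.
CLEAN_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
"""

# One HijackThis entry per line: "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<item>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def find_vundo_indicators(text):
    """Correlate O2/O20/O4 entries and return {path_or_command_lowercased: [reasons]}.

    The persistence pattern visible in this thread: an unnamed BHO in system32 and a
    Winlogon Notify handler pointing at the very same DLL, so the file is loaded both
    into Internet Explorer and into winlogon.exe, which keeps it locked while logged on.
    """
    bhos, notify, findings = {}, {}, {}
    for sec, body in parse_hjt(text):
        if sec == "O2":
            m = BHO_RE.match(body)
            if m and m.group("path") != "(no file)":
                bhos[m.group("path").lower()] = m.group("name")
        elif sec == "O20":
            m = NOTIFY_RE.match(body)
            if m:
                notify[m.group("path").lower()] = m.group("key")
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and m.group("key").lower() == "runservices":
                # RunServices is a Windows 9x/ME-era key; XP software rarely uses it.
                findings.setdefault(m.group("cmd").lower(), []).append(
                    "autorun entry under legacy RunServices key [%s]" % m.group("item"))
    for path, name in bhos.items():
        reasons = []
        if name == "(no name)" and "\\system32\\" in path:
            reasons.append("unnamed BHO loaded from system32")
        if path in notify:
            reasons.append("same DLL registered as Winlogon Notify handler '%s'" % notify[path])
        if reasons:
            findings.setdefault(path, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for label, log in (("before cleanup", INFECTED_LOG), ("after cleanup", CLEAN_LOG)):
        hits = find_vundo_indicators(log)
        print("%s: %d suspicious item(s)" % (label, len(hits)))
        for path, reasons in sorted(hits.items()):
            print("  %s\n    - %s" % (path, "\n    - ".join(reasons)))
```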
11.03.2007, 14:39
Honorary member
Sabina

Posts: 29434
#2 raffy

««
Set up CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

««
Copy these 6 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

««
Post the two logs that ComboScan creates
http://virus-protect.org/artikel/tools/comboscan.html
__________
Regards, Sabina

all about PC security
11.03.2007, 18:39
...new here

Thread starter

Posts: 5
#3 So here are the logs.
I already tried to get rid of it myself with VundoFix. It may have worked. To be sure, here are the logs. However, Supplementary.txt was not created by ComboScan. Yesterday it still worked...


Logfile of HijackThis v1.99.1
Scan saved at 18:24:22, on 11.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\CPUCooL\CooLSrv.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\CPUCooL\CPUCooL.exe
C:\Programme\Trillian\trillian.exe
C:\Programme\mozilla.org\Mozilla\mozilla.exe
C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Desktop\Taipan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.versatel.de/internet-cd/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.versatel.de/internet-cd/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: CPUCooL.lnk = C:\Programme\CPUCooL\CPUCooL.exe
O4 - Startup: Sygate Personal Firewall.lnk = C:\Programme\Sygate\SPF\Smc.exe
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Programme\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/
O17 - HKLM\System\CCS\Services\Tcpip\..\{E93D7D52-D783-4EAD-A500-4FB8CAFF9B99}: NameServer = 212.7.148.65,212.7.148.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Programme\CPUCooL\CooLSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe



Datenträger in Laufwerk C: ist Sil RAID 0 28,3GB Partition1
Volumeseriennummer: 9052-34F5

Verzeichnis von C:\WINDOWS\system32

11.03.2007 01:02 466.096 fgjlm.ini2
11.03.2007 01:02 24.576 VundoFixSVC.exe
08.03.2007 19:48 2.206 wpa.dbl
04.03.2007 21:46 467.378 fgjlm.bak2
02.03.2007 23:16 36.864 unpdf.exe
02.03.2007 23:16 81.920 emfxp.dll
01.03.2007 11:55 550.816 fgjlm.tmp
12.02.2007 22:32 143 mcrh.tmp
03.02.2007 12:47 477.126 fgjlm.ini
05.01.2007 18:56 87 ssprs.tgz
05.01.2007 18:56 73 ssprs.dll
05.01.2007 18:56 335 lsprst7.dll
05.01.2007 18:56 349 lsprst7.tgz
02.01.2007 12:42 413.696 wrap_oal.dll
02.01.2007 12:42 86.016 OpenAL32.dll

Datenträger in Laufwerk C: ist Sil RAID 0 28,3GB Partition1
Volumeseriennummer: 9052-34F5

Verzeichnis von C:\DOKUME~1\TAIPAN~1.SKY\LOKALE~1\Temp

11.03.2007 18:24 16.384 ~DF22AF.tmp
11.03.2007 18:22 16.384 Perflib_Perfdata_e04.dat
2 Datei(en) 32.768 Bytes
0 Verzeichnis(se), 8.917.778.432 Bytes frei

Datenträger in Laufwerk C: ist Sil RAID 0 28,3GB Partition1
Volumeseriennummer: 9052-34F5

Verzeichnis von C:\WINDOWS

11.03.2007 17:55 0 0.log
11.03.2007 17:55 159 wiadebug.log
11.03.2007 17:55 50 wiaservc.log
11.03.2007 17:55 2.048 bootstat.dat
11.03.2007 13:56 1.210 SchedLgU.Txt
11.03.2007 13:56 48.033 WindowsUpdate.log
11.03.2007 13:02 274 system.ini
11.03.2007 13:02 2.013 win.ini
11.03.2007 03:52 155 winamp.ini
11.03.2007 00:54 315 setupact.log
10.03.2007 23:48 519.074 setupapi.log
10.03.2007 21:38 854.356 ntbtlog.txt
09.03.2007 19:35 69 NeroDigital.ini
26.02.2007 20:54 323.380 DirectX.log
14.02.2007 20:56 4.021 NMRPROC.INI
10.02.2007 21:45 337 wincmd.ini
10.02.2007 20:59 321 wcx_ftp.ini
07.02.2007 17:09 34 cdplayer.ini
31.01.2007 18:42 9.159 HPOins07.log
31.01.2007 18:38 20 Hposcv07.INI
31.01.2007 18:30 2.733 DevMgr.ini
13.01.2007 19:50 720.896 iun6002ev.exe
02.01.2007 12:44 98.304 system32CmdLineExt.dll

Datenträger in Laufwerk C: ist Sil RAID 0 28,3GB Partition1
Volumeseriennummer: 9052-34F5

Verzeichnis von C:\WINDOWS\Temp

Datenträger in Laufwerk C: ist Sil RAID 0 28,3GB Partition1
Volumeseriennummer: 9052-34F5

Verzeichnis von C:\WINDOWS\Downloaded Program Files

06.02.2006 22:43 2.072 vscanmsx.dat
02.02.2006 01:00 2.390 catalog.dat
02.02.2006 01:00 32 virscant.dat
02.02.2006 01:00 6.899 ecbootil.vxd
02.02.2006 01:00 3.037.912 virscan9.dat
02.02.2006 01:00 97.072 scrauth.dat
02.02.2006 01:00 14 symaveng.cat
02.02.2006 01:00 901 symaveng.inf
02.02.2006 01:00 41.752 tcdefs.dat
02.02.2006 01:00 908.114 tcscan7.dat

Datenträger in Laufwerk C: ist Sil RAID 0 28,3GB Partition1
Volumeseriennummer: 9052-34F5

Verzeichnis von C:\

11.03.2007 18:27 0 sys.txt
11.03.2007 18:27 1.867 down.txt
11.03.2007 18:26 132 tmp.txt
11.03.2007 18:26 6.255 system.txt
11.03.2007 18:26 376 systemtemp.txt
11.03.2007 18:25 120.123 system32.txt
11.03.2007 13:02 223 boot.ini


ComboScan v20070306.20 run by Taipan on 2007-03-11 at 18:29:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Taipan.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:29:22, on 11.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\CPUCooL\CooLSrv.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\CPUCooL\CPUCooL.exe
C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Desktop\Anti Spyware progs\comboscan.exe
C:\DOKUME~1\TAIPAN~1.SKY\Desktop\Taipan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.versatel.de/internet-cd/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.versatel.de/internet-cd/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: CPUCooL.lnk = C:\Programme\CPUCooL\CPUCooL.exe
O4 - Startup: Sygate Personal Firewall.lnk = C:\Programme\Sygate\SPF\Smc.exe
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Programme\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Programme\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/
O17 - HKLM\System\CCS\Services\Tcpip\..\{E93D7D52-D783-4EAD-A500-4FB8CAFF9B99}: NameServer = 212.7.148.65,212.7.148.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Programme\CPUCooL\CooLSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe


-- Files created between 2007-02-11 and 2007-03-11 -----------------------------

2007-03-11 01:07:54 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-11 01:07:52 0 d-------- C:\Programme\Grisoft
2007-03-11 01:02:46 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe<VUNDOF~1.EXE>
2007-03-10 23:25:19 126976 --a------ C:\WINDOWS\system32\zip.exe
2007-03-10 23:25:19 175616 --a------ C:\WINDOWS\system32\strings.exe
2007-03-10 23:25:19 73728 --a------ C:\WINDOWS\system32\pv.exe
2007-03-10 23:25:19 39184 --a------ C:\WINDOWS\system32\Ntrights.exe
2007-03-10 23:25:19 11254 --a------ C:\WINDOWS\system32\locate.com
2007-03-10 21:56:26 0 d-------- C:\Programme\AmoK
2007-03-02 23:19:30 0 d-------- C:\Programme\Gizmoz Talking Headz<GIZMOZ~1>
2007-03-02 23:16:42 36864 --a------ C:\WINDOWS\system32\unpdf.exe
2007-03-02 23:16:42 81920 --a------ C:\WINDOWS\system32\emfxp.dll
2007-03-02 21:37:39 0 d-------- C:\Programme\Gemeinsame Dateien\Skype
2007-03-01 14:08:05 0 d-------- C:\Programme\uTorrent
2007-03-01 11:56:33 466096 ---hs---- C:\WINDOWS\system32\fgjlm.ini2<FGJLM~1.INI>
2007-02-26 20:54:59 68888 --a------ C:\WINDOWS\system32\xinput1_3.dll<XINPUT~4.DLL>
2007-02-26 20:54:59 237848 --a------ C:\WINDOWS\system32\xactengine2_4.dll<XA3856~1.DLL>
2007-02-26 20:54:59 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll<X3DAUD~2.DLL>
2007-02-26 20:54:59 2414360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-02-25 05:02:41 0 d-------- C:\Programme\Fraps


-- Find3M Report ---------------------------------------------------------------

2007-03-11 18:29:17 0 d-------- C:\Programme\Trillian
2007-03-11 13:56:21 0 d-------- C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\uTorrent
2007-03-11 01:25:50 0 d--h----- C:\Programme\InstallShield Installation Information<INSTAL~1>
2007-03-10 21:21:36 0 d-------- C:\Programme\AntiVir PersonalEdition Classic<ANTIVI~1>
2007-03-09 20:05:25 0 d-------- C:\Programme\CPU-Z
2007-03-09 01:00:21 0 d-------- C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\Skype
2007-03-04 21:46:11 467378 ---hs---- C:\WINDOWS\system32\fgjlm.bak2<FGJLM~1.BAK>
2007-03-04 19:46:54 0 d-------- C:\Programme\emule Xtreme<EMULEX~1>
2007-03-02 23:22:15 0 d-------- C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\skySpace
2007-03-02 23:19:40 0 d-------- C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\Gizmoz
2007-03-01 20:07:36 0 d-------- C:\Programme\Ad-Aware SE Personal<AD-AWA~1>
2007-02-12 23:23:09 0 d-------- C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\Hamachi
2007-02-10 04:40:21 0 d-------- C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\Azureus
2007-02-09 19:23:17 0 d-------- C:\Programme\Azureus
2007-02-07 20:37:42 0 d-------- C:\Programme\audiograbber<AUDIOG~1>
2007-02-04 11:41:23 0 d-------- C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\dvdcss
2007-02-04 11:25:34 0 d-------- C:\Programme\Hamachi
2007-01-31 18:48:00 0 d-------- C:\Programme\Hewlett-Packard<HEWLET~1>
2007-01-13 19:50:17 720896 --a------ C:\WINDOWS\iun6002ev.exe<IUN600~1.EXE>
2007-01-05 18:56:44 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-01-05 18:56:44 335 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-01-02 12:44:43 98304 --a------ C:\WINDOWS\system32CmdLineExt.dll<SYSTEM~1.DLL>
2007-01-02 12:42:01 413696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-01-02 12:42:01 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-12-21 14:36:10 40960 --a------ C:\WINDOWS\system32\frapsvid.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"Logitech Utility"="Logi_MwX.Exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"!AVG Anti-Spyware"="\"C:\\Programme\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^Acrobat Assistant.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^Adobe Gamma Loader.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\GEMEIN~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\Adobe Reader - Schnellstart.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader - Schnellstart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader - Schnellstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^CAPIControl.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\CAPIControl.lnk"
"backup"="C:\\WINDOWS\\pss\\CAPIControl.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EUMEX5~1\\Capictrl.exe "
"item"="CAPIControl"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^HPAiODevice(hp officejet g series) - 1.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\HPAiODevice(hp officejet g series) - 1.lnk"
"backup"="C:\\WINDOWS\\pss\\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\AiO\\HPOFFI~1\\Bin\\hpoavn07.exe -DeviceID 1170265322"
"item"="HPAiODevice(hp officejet g series) - 1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^SATARaid.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\SATARaid.lnk"
"backup"="C:\\WINDOWS\\pss\\SATARaid.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SIISAT~1\\SATARaid.exe "
"item"="SATARaid"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Taipan.SKYNET-SERVER^Startmenü^Programme^Autostart^ShutDownPro.lnk]
"path"="C:\\Dokumente und Einstellungen\\Taipan.SKYNET-SERVER\\Startmenü\\Programme\\Autostart\\ShutDownPro.lnk"
"backup"="C:\\WINDOWS\\pss\\ShutDownPro.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SHUTDO~1\\SHUTDO~1.EXE "
"item"="ShutDownPro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATITool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ATITool"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ATITool\\ATITool.exe\" -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"command"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c0d4a8c3.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="c0d4a8c3"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\c0d4a8c3.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Programme\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DataLayer"
"hkey"="HKLM"
"command"="C:\\Programme\\Gemeinsame Dateien\\PCSuite\\DataLayer\\DataLayer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nccucusm"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\nccucusm.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G44H0L]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="G44H0L"
"hkey"="HKLM"
"command"="c:\\windows\\temp\\G44H0L.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Programme\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Auto Updates]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="slserves"
"hkey"="HKLM"
"command"="slserves.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~1"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVC32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVC32"
"hkey"="HKLM"
"command"="NVC32.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="outlook"
"hkey"="HKLM"
"command"="C:\\Programme\\outlook\\outlook.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LaunchApplication"
"hkey"="HKLM"
"command"="C:\\Programme\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlrH]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qyhidv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\qyhidv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\routcnf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="routcnf"
"hkey"="HKLM"
"command"="C:\\Programme\\Eumex 504PC USB\\routcnf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seeve]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="seeve"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\seeve.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Programme\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlog"
"hkey"="HKLM"
"command"="winlog.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=dword:00000002
"SharedAccess"=dword:00000002
"SandraTheSrv"=dword:00000003
"SandraDataSrv"=dword:00000003
"RadClock"=dword:00000002
"IDriverT"=dword:00000003
"FastUserSwitchingCompatibility"=dword:00000003
"iPodService"=dword:00000003
"ATI Smart"=dword:00000002
"AntiVirService"=dword:00000002
"AntiVirScheduler"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"="RadExe Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NAV Auto Updates"="slserves.exe"
"180ClientStubInstall"="\"C:\\WINDOWS\\stubinstaller4292.exe\" "

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"NAV Auto Updates"="slserves.exe"
"180ClientStubInstall"="\"C:\\WINDOWS\\stubinstaller4292.exe\" "

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"="ishost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoWinKeys"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoFind"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoSimpleStartMenu"=dword:00000000
"HideClock"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoSMHelp"=dword:00000001
"NoTrayContextMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"explorer"="C:\\WINDOWS\\system.exe"
"{905234F5-080D-1031-0619-040309050031}"="\"C:\\Programme\\Gemeinsame Dateien\\{905234F5-080D-1031-0619-040309050031}\\Update.exe\" mc-110-12-0000140"
"{905234F5-03EA-1031-0619-040309050031}"="\"C:\\Programme\\Gemeinsame Dateien\\{905234F5-03EA-1031-0619-040309050031}\\Update.exe\" mc-110-12-0000272"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N]
Shell\AutoRun\command N:\TrueCrypt\TrueCrypt.exe /e /m rm
Shell\dismount\command N:\TrueCrypt\TrueCrypt.exe /q /d
Shell\open\command N:\TrueCrypt\TrueCrypt.exe /e /m rm

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{98c5ccd1-c909-11db-9655-00012927e7d5}]
Shell\AutoRun\command I:\starter.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c6a314e0-0f68-11db-93c7-00012927e7d5}]
Shell\AutoRun\command N:\TrueCrypt\TrueCrypt.exe /e /m rm
Shell\dismount\command N:\TrueCrypt\TrueCrypt.exe /q /d
Shell\open\command N:\TrueCrypt\TrueCrypt.exe /e /m rm


-- End of ComboScan: finished at 2007-03-11 at 18:29:38 ------------------------
11.03.2007, 21:00
Honorary member
Sabina

Posts: 29434
#4 raffy

««
Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the Desktop as fixme.reg using 'Save as'. Set the file type to 'All Files'. You should now find this file on the Desktop.
Restart the computer in Safe Mode (press F8 while it starts). Double-click the file "fixme.reg" on the Desktop and merge it into the registry with "ja" or "yes"

Quote

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=-
"NoRun"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NAV Auto Updates"=-
"180ClientStubInstall"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"NAV Auto Updates"=-
"180ClientStubInstall"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{905234F5-080D-1031-0619-040309050031}"=-
"{905234F5-03EA-1031-0619-040309050031}"=-
"explorer"=-


Avenger
http://virus-protect.org/artikel/tools/avenger.html

Input script manually (check the box)
copy into: View/edit script

Quote

Registry values to delete:
HKLM\software\microsoft\windows\currentversion\policies\explorer\run|ishost.exe

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c0d4a8c3.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G44H0L
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlrH
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seeve
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog

Files to delete:
C:\WINDOWS\system.exe
C:\WINDOWS\seeve.exe
C:\WINDOWS\qyhidv.exe
C:\WINDOWS\stubinstaller4292.exe
c:\windows\temp\G44H0L.exe
C:\WINDOWS\System32\slserves.exe
C:\WINDOWS\system32\nccucusm.dll
C:\WINDOWS\system32\c0d4a8c3.exe
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\unpdf.exe
C:\WINDOWS\system32\emfxp.dll
C:\WINDOWS\system32\fgjlm.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\fgjlm.ini

Folders to delete:
C:\Programme\outlook
C:\Programme\Gemeinsame Dateien\{905234F5-080D-1031-0619-040309050031}
C:\Programme\Gemeinsame Dateien\{905234F5-03EA-1031-0619-040309050031}

Click the green traffic light
the script will now run, then the PC will restart automatically

-------------------------------------------------------------------------------------

««
run smitfraud.fix (options 1 and 2 - let it clean the registry as well)
http://virus-protect.org/artikel/tools/smitfrautfix.html

------------

««
http://virus-protect.org/artikel/tools/sdfix.html
unzip SDFix.zip

the following message appears:

"The SDFix Folder has been extracted to %systemdrive% - Please run from that location.
(%systemdrive% = drive that contains the Windows directory - typically C:\SDFix )"

you will now find the SDFix folder under C:\

boot into Safe Mode (press the F8 key while the computer restarts)

go to the folder C:\SDFix

double-click RunThis.bat

type: Y
follow all instructions while the scan runs - the computer will then restart
use the right mouse button to copy the text that appears - and paste it into your post
__________
Regards, Sabina

all about PC security
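The fix above was built by reading the startup-registry dump in the ComboScan log and picking out the entries that do not look like installed software. As an added example (not part of the thread or of any tool named in it), here is a Python script that parses that regedit-export format and applies the same kind of triage to a constructed sample of entries copied from the log: bare file names resolved via PATH, executables in a temp directory or directly in the Windows directory, DLLs loaded through rundll32, and anything under the policies\explorer\Run key. The heuristics are constructed for illustration and flag entries for review, not as a verdict.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample in the regedit-export format of the ComboScan log posted
# above; entries are copied from that log (benign and malicious mixed), with
# the "key", "hkey" and "inimapping" values omitted for brevity.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"item"="nccucusm"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\nccucusm.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G44H0L]
"item"="G44H0L"
"command"="c:\\windows\\temp\\G44H0L.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Auto Updates]
"item"="slserves"
"command"="slserves.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"item"="iTunesHelper"
"command"="\"C:\\Programme\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"explorer"="C:\\WINDOWS\\system.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"="value", where both strings may contain the regedit escapes \\ and \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)


def unescape(s: str) -> str:
    # regedit escapes backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] headers and "name"="value" lines into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][unescape(m.group(1))] = unescape(m.group(2))
    return sections


def startup_commands(sections: Dict[str, Dict[str, str]]) -> Iterator[Tuple[str, str]]:
    """Yield (section, command line) for every autostart entry in the export."""
    for section, values in sections.items():
        low = section.lower()
        if '\\msconfig\\startupreg\\' in low:
            # entries disabled via msconfig keep their original command here
            if values.get('command'):
                yield section, values['command']
        elif low.endswith('\\currentversion\\run') or low.endswith('\\policies\\explorer\\run'):
            for command in values.values():
                yield section, command


def target_path(command: str) -> Tuple[str, bool]:
    """Return (file that actually executes, whether it is loaded via rundll32)."""
    m = RUNDLL_RE.match(command)
    if m:
        return m.group(1).strip(), True
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), False
    return command.split()[0], False


def triage(section: str, command: str) -> List[str]:
    """Reasons an entry deserves a closer look (constructed heuristics, not a verdict)."""
    path, via_rundll = target_path(command)
    low = path.lower()
    reasons = []
    if section.lower().endswith('\\policies\\explorer\\run'):
        reasons.append('policy Run key: not shown by msconfig, rarely used by legitimate software')
    if '\\' not in low:
        reasons.append('bare file name: resolved through the PATH search order')
    if '\\temp\\' in low:
        reasons.append('runs from a temp directory')
    if '\\' in low and low.rsplit('\\', 1)[0].endswith(':\\windows'):
        reasons.append('executable placed directly in the Windows directory')
    if via_rundll:
        reasons.append('DLL loaded through rundll32: inspect the DLL, not rundll32')
    return reasons


def suspicious_autostarts(text: str) -> Dict[str, List[str]]:
    """Map each flagged command line to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for section, command in startup_commands(parse_reg_export(text)):
        reasons = triage(section, command)
        if reasons:
            flagged[command] = reasons
    return flagged
```

Running `suspicious_autostarts(SAMPLE_LOG)` flags the four entries that the Avenger script above deletes and leaves the iTunesHelper entry alone; on a full log the output is a review list, so compare each hit against the installed software before removing anything.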
12.03.2007, 19:49
...new here

Thread starter

Posts: 5
#5 so here you go - so far everything worked...

SDFix: Version 1.71

Run by Taipan - 12.03.2007 / 19:47:17,73

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"E:\\Spiele\\Command & Conquer Generals Zero Hour\\generals.exe"="E:\\Spiele\\Command & Conquer Generals Zero Hour\\generals.exe:*:Enabled:Command & Conquer Generäle Die Stunde Null "
"C:\\Programme\\GameSpy Arcade\\Aphex.exe"="C:\\Programme\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Programme\\Radeon Omega Drivers\\v2.6.12\\MultiRes\\multires.exe"="C:\\Programme\\Radeon Omega Drivers\\v2.6.12\\MultiRes\\multires.exe:*:Enabled:(Re) Install Multires 1.49"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"


Remaining Files:
---------------


Checking For Files with Hidden Attributes :

C:\Programme\Trillian\users\default\downloads\MSN\rafael_s_@hotmail.com\Thumbs.db
C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32.dll
C:\WINDOWS\system32\mfc42.dll
C:\WINDOWS\system32\msvcirt.dll
C:\WINDOWS\system32\msvcp60.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\olepro32.dll
C:\Dokumente und Einstellungen\All Users.WINDOWS\Desktop\W40K.exe.lnk
C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Desktop\sd4hide.exe
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\Microsoft\Word\~WRL0846.tmp
C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\Microsoft\Word\~WRL1384.tmp
C:\Dokumente und Einstellungen\Taipan.SKYNET-SERVER\Anwendungsdaten\Microsoft\Word\~WRL1871.tmp

Finished
13.03.2007, 09:13
Honorary member
Sabina

Posts: 29434
#6 raffy

««
post this log
http://virus-protect.org/artikel/tools/combofix.html

««
scan with ewido - post the report - then click "remove infections"
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
14.03.2007, 21:34
...new here

Thread starter

Posts: 5
#7 Start Time= 14.03.2007 20:46:13,39

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-12 22:32:54 ( .D... ) "C:\Programme\Gemeinsame Dateien\Skype"
2007-03-12 19:37:52 1580 ( A.... ) "C:\WINDOWS\system32\tmp.reg"
2007-03-11 01:07:54 ( .D... ) "C:\Programme\Grisoft"
2007-03-11 01:02:48 24576 ( A.... ) "C:\WINDOWS\system32\VundoFixSVC.exe"
2007-03-10 23:33:30 ( .D... ) "C:\Programme\CleanUp!"
2007-03-10 21:56:28 ( .D... ) "C:\Programme\AmoK"
2007-03-02 23:19:32 ( .D... ) "C:\Programme\Gizmoz Talking Headz"
2007-03-01 14:08:06 ( .D... ) "C:\Programme\uTorrent"
2007-02-25 05:02:42 ( .D... ) "C:\Programme\Fraps"
2007-02-09 19:23:16 ( .D... ) "C:\Programme\Azureus"
2007-01-31 18:36:38 ( .D... ) "C:\Programme\Hewlett-Packard"
2007-01-13 19:50:18 720896 ( A.... ) "C:\WINDOWS\iun6002ev.exe"
2007-01-05 18:56:46 335 ( A.... ) "C:\WINDOWS\system32\lsprst7.dll"
2007-01-05 18:56:46 73 ( A.... ) "C:\WINDOWS\system32\ssprs.dll"
2007-01-02 12:44:44 98304 ( A.... ) "C:\WINDOWS\system32CmdLineExt.dll"
2007-01-02 12:42:02 413696 ( A.... ) "C:\WINDOWS\system32\wrap_oal.dll"
2007-01-02 12:42:02 86016 ( A.... ) "C:\WINDOWS\system32\OpenAL32.dll"
2006-12-21 14:36:10 40960 ( A.... ) "C:\WINDOWS\system32\frapsvid.dll"
2003-10-25 02:00:00 2238 ( A.... ) "C:\Programme\shutdown.ico"
2003-10-25 02:00:00 2238 ( A.... ) "C:\Programme\restart.ico"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"Logitech Utility"="Logi_MwX.Exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"!AVG Anti-Spyware"="\"C:\\Programme\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{35B2861B-2B26-4691-9FF0-09083722C736}"="RadExe Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^Acrobat Assistant.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^Adobe Gamma Loader.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\GEMEIN~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\Adobe Reader - Schnellstart.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader - Schnellstart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader - Schnellstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^CAPIControl.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\CAPIControl.lnk"
"backup"="C:\\WINDOWS\\pss\\CAPIControl.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EUMEX5~1\\Capictrl.exe "
"item"="CAPIControl"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^HPAiODevice(hp officejet g series) - 1.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\HPAiODevice(hp officejet g series) - 1.lnk"
"backup"="C:\\WINDOWS\\pss\\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\AiO\\HPOFFI~1\\Bin\\hpoavn07.exe -DeviceID 1170265322"
"item"="HPAiODevice(hp officejet g series) - 1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users.WINDOWS^Startmenü^Programme^Autostart^SATARaid.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users.WINDOWS\\Startmenü\\Programme\\Autostart\\SATARaid.lnk"
"backup"="C:\\WINDOWS\\pss\\SATARaid.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SIISAT~1\\SATARaid.exe "
"item"="SATARaid"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Taipan.SKYNET-SERVER^Startmenü^Programme^Autostart^ShutDownPro.lnk]
"path"="C:\\Dokumente und Einstellungen\\Taipan.SKYNET-SERVER\\Startmenü\\Programme\\Autostart\\ShutDownPro.lnk"
"backup"="C:\\WINDOWS\\pss\\ShutDownPro.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SHUTDO~1\\SHUTDO~1.EXE "
"item"="ShutDownPro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATITool]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ATITool"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ATITool\\ATITool.exe\" -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"command"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Programme\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DataLayer"
"hkey"="HKLM"
"command"="C:\\Programme\\Gemeinsame Dateien\\PCSuite\\DataLayer\\DataLayer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Programme\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Auto Updates]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="slserves"
"hkey"="HKLM"
"command"="slserves.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVC32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVC32"
"hkey"="HKLM"
"command"="NVC32.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LaunchApplication"
"hkey"="HKLM"
"command"="C:\\Programme\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\routcnf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="routcnf"
"hkey"="HKLM"
"command"="C:\\Programme\\Eumex 504PC USB\\routcnf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Programme\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=dword:00000002
"SharedAccess"=dword:00000002
"SandraTheSrv"=dword:00000003
"SandraDataSrv"=dword:00000003
"RadClock"=dword:00000002
"IDriverT"=dword:00000003
"FastUserSwitchingCompatibility"=dword:00000003
"iPodService"=dword:00000003
"ATI Smart"=dword:00000002
"AntiVirService"=dword:00000002
"AntiVirScheduler"=dword:00000002


Contents of the 'Scheduled Tasks' folder

Completion time: 14.03.2007 20:46:56,47
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt


__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Toolbar
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Toolbar\Files
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Toolbar\Files\APP
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Toolbar\Files\COMMON
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Toolbar\Files\RADIO
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Toolbar\Files\SVC
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\Toolbar\Files\TBR
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\ef
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\q8
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\qe
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\qt
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\tg
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\tgv
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\tt1
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\ttt
Risk: Medium

Name: Adware.WebSearch
Path: HKLM\SOFTWARE\WinTools\nlibx4m\vv
Risk: Medium

Name: Adware.WebSearch
Path: HKU\.DEFAULT\Software\Toolbar
Risk: Medium

Name: Adware.WebSearch
Path: HKU\.DEFAULT\Software\Toolbar\PlugIns
Risk: Medium

Name: Adware.WebSearch
Path: HKU\.DEFAULT\Software\Toolbar\PlugIns\COMMON
Risk: Medium

Name: Adware.WebSearch
Path: HKU\.DEFAULT\Software\Toolbar\PlugIns\RADIO
Risk: Medium

Name: Adware.WebSearch
Path: HKU\.DEFAULT\Software\Toolbar\UrlSearchHooks
Risk: Medium

Name: Adware.WebSearch
Path: HKU\S-1-5-18\Software\Toolbar
Risk: Medium

Name: Adware.WebSearch
Path: HKU\S-1-5-18\Software\Toolbar\PlugIns
Risk: Medium

Name: Adware.WebSearch
Path: HKU\S-1-5-18\Software\Toolbar\PlugIns\COMMON
Risk: Medium

Name: Adware.WebSearch
Path: HKU\S-1-5-18\Software\Toolbar\PlugIns\RADIO
Risk: Medium

Name: Adware.WebSearch
Path: HKU\S-1-5-18\Software\Toolbar\UrlSearchHooks
Risk: Medium
This post was edited by raffy on 14.03.2007 at 22:19.
15.03.2007, 10:11
Honorary member
Sabina

Posts: 29434
#8 F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Click the link: "F-Secure Online Scanner Next Generation Beta".
2. You will be prompted to install an ActiveX control
3. Install this ActiveX component
4. Read the instructions and click: "Accept"
5. Click "Full System Scan"
6. click "Show report" - copy the scan report
__________
Regards, Sabina

all about PC security
15.03.2007, 23:24
...new here

Thread starter

Posts: 5
#9 Scanning Report
Thursday, March 15, 2007 19:47:31 - 23:26:58
Computer name: SKYNET-SERVER
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\


--------------------------------------------------------------------------------

Result: 4 malware found
Adware.Websearch (spyware)
System (Disinfected)
IBIS Toolbar (spyware)
System (Disinfected)
JS/IstBar.C@dl (virus)
C:\RECYCLER\S-1-5-21-1715567821-813497703-839522115-1003\DF25.IE5\OU8WAY3I\D[1].HTM (Submitted)
W32/Hupigon.RPZ (virus)
D:\DOWNLOADS\PROGRAMME,SHAREWARE\JAPSETUP.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 41726
System: 6062
Not scanned: 2
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 2
Submitted: 2
Files not scanned:
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-03-15
F-Secure AVP: 7.0.171, 2007-03-15
F-Secure Orion: 1.2.37, 2007-03-15
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2007-02-15
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
16.03.2007, 15:50
Honorary member
Sabina

Posts: 29434
#10 scan + post the report
Bitdefender/Online - works only with IE
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security