Rogue Antispyware! - KillAndClean - SpyMarshal (thread closed)
#1 - 13.03.2007, 11:43 - Member - Posts: 12 (opening post by AgathoN; its text follows post #15 below)
#2 - 13.03.2007, 11:56 - Honorary member - Posts: 29434

AgathoN

«« Configure CleanUp exactly as described here: http://virus-protect.org/cleanup.html

«« Copy these 6 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date. (Copy only the last 3 months.) http://virus-protect.org/datfindbat.html

«« Post this log: http://virus-protect.org/artikel/tools/combofix.html
__________
Regards, Sabina
rund um die PC-Sicherheit
#3 - 13.03.2007, 12:18 - Member (thread starter) - Posts: 12

Done! *rubs hands*
Really creepy, hehe.
#4 - 13.03.2007, 12:25 - Honorary member - Posts: 29434

«« http://virus-protect.org/artikel/tools/regsearch.html - double-click to start it.

In "Enter search strings", type or paste {303CF927-07FB-3442-E53E-FEAB15862EC7} into the edit box and click "Ok". Notepad will open; copy the text and post it.

In "Enter search strings", type or paste {08BEC6AA-49FC-4379-3587-4B21E286C19E} into the edit box and click "Ok". Notepad will open; copy the text and post it.

In "Enter search strings", type or paste KillAndClean into the edit box and click "Ok". Notepad will open; copy the text and post it.
__________
Regards, Sabina
#5 - 13.03.2007, 12:47 - Member (thread starter) - Posts: 12

Sorry that it's taking a while, but the PC is very slow because I'm also downloading missing Windows updates on the side oO

Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0
; Results at 13.03.2007 12:39:19 for strings:
; '{303cf927-07fb-3442-e53e-feab15862ec7}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7}\InprocServer32]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{303CF927-07FB-3442-E53E-FEAB15862EC7}"="clamav"

; End Of The Log...

Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0
; Results at 13.03.2007 12:44:37 for strings:
; '{08bec6aa-49fc-4379-3587-4b21e286c19e}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E}\iexplore]

; End Of The Log...

Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0
; Results at 13.03.2007 12:46:17 for strings:
; 'killandclean killandclean killandclean killandclean killandclean'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...
#6 - 13.03.2007, 13:13 - Honorary member - Posts: 29434

AgathoN

Open HijackThis -- button "Scan" -- tick the boxes in front of these entries -- button "Fix checked":

Quote:
R3 - URLSearchHook: (no name) - {303CF927-07FB-3442-E53E-FEAB15862EC7} - ATLIEHELPER.dll (file missing)

«« Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the desktop as fixme.reg via 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop. Double-click the file "fixme.reg" on the desktop and confirm with "ja" or "yes" to merge it into the registry.

Quote:
REGEDIT4

--------------------------------

Avenger
http://virus-protect.org/artikel/tools/avenger.html
Tick "Input script manually", then copy into "View/edit script":

Quote:
registry keys to delete:

Click the green traffic light; the script will now be executed, then the PC will restart automatically.
---------------------

«« http://www.funkytoad.com/download/HostsXpert.zip
Press 'Restore Microsoft's Hosts File' and press 'OK'. Exit Program.

«« My Computer - Control Panel - Network: Properties of TCP/IP, General tab, tick the options "Obtain an IP address automatically" + "Obtain DNS server address automatically".

«« To open the Services console directly, enter under Start - Run: services.msc
TCP/IP NetBIOS Helper - DISABLE ("Provides support for the NetBIOS over TCP/IP service")
---------
Post the new HijackThis log.
__________
Regards, Sabina
#7 - 13.03.2007, 20:55 - Member (thread starter) - Posts: 12

Hello Sabina :)
Sorry for the delay, but unfortunately I had to work :/

Avenger

*******************
Beginning to process script file:

File C:\Windows\xpupdate.exe not found!
Deletion of file C:\Windows\xpupdate.exe failed!
Could not process line:
C:\Windows\xpupdate.exe
Status: 0xc0000034

File C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll not found!
Deletion of file C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll failed!
Could not process line:
C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll
Status: 0xc0000034

Folder C:\Programme\BitComet deleted successfully.
Folder C:\Programme\VVSN deleted successfully.

Folder C:\Programme\KillAndClean not found!
Deletion of folder C:\Programme\KillAndClean failed!
Could not process line:
C:\Programme\KillAndClean
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7} failed!
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

«« http://www.funkytoad.com/download/HostsXpert.zip
Press 'Restore Microsoft's Hosts File' and press 'OK'. Exit Program.
Done.

«« To open the Services console directly, enter under Start - Run: services.msc
TCP/IP NetBIOS Helper - DISABLE ("Provides support for the NetBIOS over TCP/IP service")
Done.

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:55:31, on 13.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\FRITZ!\IWatch.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\T-Online\T-ONLI~2\Notifier\Notifier.exe
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BROWSER\BROWSER.EXE
C:\Dokumente und Einstellungen\!\Desktop\Neuer Ordner\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Programme\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ALDI_NORD_FotoSuite_Download] "C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

Can I now assume that the computer is also free of Trojans? (AntiVir finds nothing..... but I don't think much of that program.)

Edit: It gives 4 warnings:
Starting the search in 'C:\'
C:\pagefile.sys
  [WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\dtscsi.sys
  [WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
  [WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd5549.sys
  [WARNING] The file could not be opened!
Does that mean anything to you?

This post was edited on 13.03.2007 at 22:36 by AgathoN.
#8 - 13.03.2007, 23:23 - Honorary member - Posts: 29434

F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml
1. Click the link: "F-Secure Online Scanner Next Generation Beta".
2. You will be asked to install an ActiveX control.
3. Install this ActiveX component.
4. Read the instructions and click "Accept".
5. Click "Full System Scan".
6. Click "Show report" and copy the scan report.
__________
Regards, Sabina
#9 - 14.03.2007, 00:54 - Member (thread starter) - Posts: 12

I can't find the link for Show Report.
It has 2 viruses + 8 spyware:

not-virus:Hoax.Win32.Renos.ff (C:\WINDOWS\SYSTEM32\SIX.EXE) - None / Disinfect / Rename / Delete
W32/Spywad.DBR (C:\PROGRAM FILES\SPYMARSHAL\UNINSTAL...) - None / Disinfect / Rename / Delete
Tracking Cookie - None / Disinfect
Tracking Cookie - None / Disinfect
Tracking Cookie - None / Disinfect
Tracking Cookie - None / Disinfect
Tracking Cookie - None / Disinfect
Tracking Cookie - None / Disinfect

and GAIN, that crappy adware thing from the DivX codec.

After cleaning I was able to click Show Report after all:

Scanning Report
Tuesday, March 13, 2007 23:47:34 - 00:56:19
Computer name: J616BUIIQXCOOQK
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
--------------------------------------------------------------------------------
Result: 10 malware found
Adware.GAIN.Dashbar (spyware)
  System (Disinfected)
GAIN (spyware)
  System
Tracking Cookie (spyware)
  System (Disinfected)
  System
  System
  System
  System
  System
W32/Spywad.DBR (virus)
  C:\PROGRAM FILES\SPYMARSHAL\UNINSTALL.EXE (Submitted)
not-virus:Hoax.Win32.Renos.ff (virus)
  C:\WINDOWS\SYSTEM32\SIX.EXE (Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
  Files: 34459
  System: 4442
  Not scanned: 6
Actions:
  Disinfected: 2
  Renamed: 0
  Deleted: 0
  None: 8
  Submitted: 2
Files not scanned:
  C:\PAGEFILE.SYS
  C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
  C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
  C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{47A31A4A-534F-4600-BBAC-9B54C3159645}.BIN
  C:\DOKUMENTE UND EINSTELLUNGEN\!\LOKALE EINSTELLUNGEN\TEMP\HSPERFDATA_!\1460
#10 - 15.03.2007, 09:46 - Honorary member - Posts: 29434

AgathoN

Info: SpyMarshal
http://virus-protect.org/artikel/spyware/spymarshal_remove.html
----------------
Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the desktop as fix.reg via 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop. Double-click the file "fix.reg" on the desktop and confirm with "ja" or "yes" to merge it into the registry.

Quote:
REGEDIT4

Avenger
http://virus-protect.org/artikel/tools/avenger.html
Tick "Input script manually", then copy into "View/edit script":

Quote:
Files to delete:

»» Scan with option 1 and option 2 and post both reports:
http://virus-protect.org/artikel/tools/smitfrautfix.html
--------
«« My Computer --> right-click, then Properties --> System Restore tab --> tick "Turn off System Restore on all drives". (Then turn it on again.)

»» Once more: fixwareout
http://virus-protect.org/artikel/tools/fixwareout.html
Post the report.
__________
Regards, Sabina
#11 - 15.03.2007, 10:29 - Member (thread starter) - Posts: 12

Hm, could it be that the F-thingy had already fixed that? At least there is no Program Files folder anymore, etc.

Nevertheless:

Backups directory opened successfully at C:\Avenger

*******************
Beginning to process script file:

File C:\WINDOWS\SYSTEM32\SIX.EXE deleted successfully.

File C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat not found!
Deletion of file C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat failed!
Could not process line:
C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat
Status: 0xc0000034

File C:\Dokumente und Einstellungen\!\Desktop\bitcomet_setup84.exe deleted successfully.
(couldn't be deleted any other way -.-)

Could not open folder C:\PROGRAM FILES\SPYMARSHAL for deletion
Deletion of folder C:\PROGRAM FILES\SPYMARSHAL failed!
Could not process line:
C:\PROGRAM FILES\SPYMARSHAL
Status: 0xc000003a

Folder C:\Dokumente und Einstellungen\!\Startmenü\Programme\SpyMarshal not found!
Deletion of folder C:\Dokumente und Einstellungen\!\Startmenü\Programme\SpyMarshal failed!
Could not process line:
C:\Dokumente und Einstellungen\!\Startmenü\Programme\SpyMarshal
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\!\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

No. 2, in Safe Mode:

SmitFraudFix v2.148

Scan done at 10:35:31,28, 15.03.2007
Run from C:\Dokumente und Einstellungen\!\Desktop\Neuer Ordner\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

-------------------------------------------------------------------------

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or
http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DVDTray"="C:\\Programme\\Ahead\\ODD Toolkit\\DVDTray.exe"
"NVMixerTray"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"CTSysVol"="C:\\Programme\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Programme\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Programme\\Iomega\\DriveIcons\\ImgIcon.exe"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
@=""
"Sony Ericsson PC Suite"="\"C:\\Programme\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"ToADiMon.exe"="C:\\Programme\\T-Online\\T-Online_Software_6\\Basis-Software\\Basis1\\ToADiMon.exe -TOnlineAutodialStart"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ALDI_NORD_FotoSuite_Download"="\"C:\\Programme\\ALDI Foto Service Nord\\ALDI_Foto_Service\\FotoSuite.exe\" /autorun"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

P.S.: System Restore has been disabled since I first suspected that something was wrong here.

This post was edited on 15.03.2007 at 10:53 by AgathoN.
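The Avenger reports in posts #7 and #11 above print a "Deletion of ... failed!" line and an NTSTATUS value for every line of the script they could not carry out, and post #11 asks whether an earlier scanner had already removed the items. The two codes that appear, 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND: the file, folder or key itself does not exist) and 0xC000003A (STATUS_OBJECT_PATH_NOT_FOUND: a parent directory in the path does not exist), both mean the object was already gone when Avenger ran, which is a different outcome from a deletion that was blocked. The Python script below is an added example, not code from the thread or from the Avenger tool: it parses such a report, attaches the NTSTATUS name from ntstatus.h to each failure and sorts the attempts into deleted, already gone, and still present but not removable. The sample report is assembled from lines of the two posted reports plus one invented entry, C:\Programme\Example\locked.dll with 0xC0000022 (STATUS_ACCESS_DENIED), which is hypothetical and only there to show the third bucket.

```python
import re

# Constructed sample: lines taken from the two Avenger reports posted above (#7 and #11),
# plus one invented entry (C:\Programme\Example\locked.dll, hypothetical) that shows the
# kind of failure reported when the object is still present but cannot be removed.
SAMPLE_REPORT = r"""
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\SYSTEM32\SIX.EXE deleted successfully.
File C:\Windows\xpupdate.exe not found!
Deletion of file C:\Windows\xpupdate.exe failed!
Could not process line:
C:\Windows\xpupdate.exe
Status: 0xc0000034
Folder C:\Programme\VVSN deleted successfully.
Could not open folder C:\PROGRAM FILES\SPYMARSHAL for deletion
Deletion of folder C:\PROGRAM FILES\SPYMARSHAL failed!
Could not process line:
C:\PROGRAM FILES\SPYMARSHAL
Status: 0xc000003a
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7} failed!
Status: 0xc0000034
Deletion of file C:\Programme\Example\locked.dll failed!
Status: 0xc0000022
Completed script processing.
*******************
Finished! Terminate.
"""

# NTSTATUS values as defined in ntstatus.h; Avenger prints them as "Status: 0x........".
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
# Both "not found" codes mean the object was already absent when Avenger ran:
# 0xC0000034 = the last path component does not exist,
# 0xC000003A = a parent directory in the path does not exist.
ALREADY_GONE = {0xC0000034, 0xC000003A}

SUCCESS_RE = re.compile(r"^(File|Folder|Registry key|Registry value) (.+) deleted successfully\.$")
FAILURE_RE = re.compile(r"^Deletion of (file|folder|registry key|registry value) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: 0x([0-9a-fA-F]{8})$")


def parse_report(text):
    """One record per deletion attempt: kind, target, ok, status (int or None), meaning."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        status = STATUS_RE.match(line)
        if status and pending is not None:
            # The Status line belongs to the most recent "Deletion of ... failed!" line;
            # "Could not process line:" and the echoed target may sit in between.
            code = int(status.group(1), 16)
            pending["status"] = code
            pending["meaning"] = NTSTATUS.get(code, f"unrecognised NTSTATUS 0x{code:08X}")
            records.append(pending)
            pending = None
            continue
        success = SUCCESS_RE.match(line)
        failure = FAILURE_RE.match(line)
        if (success or failure) and pending is not None:
            records.append(pending)  # a failure whose Status line never came
            pending = None
        if success:
            records.append({"kind": success.group(1).lower(), "target": success.group(2),
                            "ok": True, "status": None, "meaning": "deleted"})
        elif failure:
            pending = {"kind": failure.group(1), "target": failure.group(2),
                       "ok": False, "status": None, "meaning": "no status reported"}
    if pending is not None:
        records.append(pending)
    return records


def summarize(records):
    """Sort attempts into deleted / already gone / still present and not removable."""
    out = {"deleted": [], "already_gone": [], "failed": []}
    for r in records:
        if r["ok"]:
            out["deleted"].append(r["target"])
        elif r["status"] in ALREADY_GONE:
            out["already_gone"].append(r["target"])
        else:
            out["failed"].append((r["target"], r["meaning"]))
    return out


if __name__ == "__main__":
    for bucket, items in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

Only the "failed" bucket needs a follow-up (a boot-time or safe-mode retry, or finding what holds the file open); entries in "already_gone" are the case post #11 asks about, where a "failed!" line does not mean the cleanup failed.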
#12 - 15.03.2007, 12:34 - Honorary member - Posts: 29434

Everything should be OK again.
You can run Panda or Ewido over it once more: http://virus-protect.org/onlinescan.html
__________
Regards, Sabina
#13 - 15.03.2007, 20:30 - Member (thread starter) - Posts: 12

Hmm, Ewido found something, but I think that was just the backup from Avenger.... I'll run it once more in a moment.
#14 - 15.03.2007, 21:57 - Honorary member - Posts: 29434
#15 - 15.03.2007, 23:09 - Member (thread starter) - Posts: 12

Yep, only cookies are found now. Thank you very much, Sabina.
#1 - 13.03.2007, 11:43 - AgathoN, Member (thread starter) - Posts: 12 (opening post)

After a call for help etc., today I saw my nephew's PC again for the first time in 3 months (I had built it myself :/). In any case, something is definitely rotten here. The desktop wallpaper can no longer be changed. The internet connection crawls (DSL 2000). These malware toolbars everywhere....
I'm trying to follow another thread and am posting the logs. Please help me, I don't feel like flattening the system...

Logfile of HijackThis v1.99.1
Scan saved at 11:42:32, on 13.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
C:\Programme\VVSN\VVSN.exe
C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\FRITZ!\IWatch.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~2\Notifier\Notifier.exe
C:\Programme\Winamp\Winamp.exe
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BROWSER\BROWSER.EXE
C:\Dokumente und Einstellungen\!\Desktop\Neuer Ordner\HijackThis.exe
R3 - URLSearchHook: (no name) - {303CF927-07FB-3442-E53E-FEAB15862EC7} - ATLIEHELPER.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [VVSN] C:\Programme\VVSN\VVSN.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Programme\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [systemdll] sound64.exe
O4 - HKLM\..\Run: [Dest068] WinInitDll.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ALDI_NORD_FotoSuite_Download] "C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun
O4 - HKCU\..\Run: [KillAndClean] "C:\Programme\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Uint32] sound64.exe
O4 - HKCU\..\Run: [abrek] TForm1.exe
O4 - HKCU\..\Run: [ATLIEHELPER] Bogobot.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F310C49-ADCC-4634-AE13-9488D6C153D2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
Fixwareout comes after the restart, brb.
After the restart, 3 Trojan warnings from AntiVir...
Here is the Fixwareout log
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmqai"
HKLM\SOFTWARE\~\Winlogon\ "System"="csflf.exe"
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\version\Run\ "dmqai"
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}8312A87AEEC1-3A08-9244-5783-696CA22B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}55DB21A74FC7-2989-9A84-51F3-D309F29A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}63D12B4A49EA-C16A-03C4-C4C4-AF56BDFD{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}C9BF503276A2-89F9-AF24-4030-FF614BD2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}D21635C47084-AA6B-19F4-8BB3-6F8A706F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}E9430C708EC3-5B49-81C4-A408-E328BF0F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "8" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "9" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "10" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "11" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "12" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "13" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "14" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "15" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "16" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "17" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "18" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "19" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "20" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "21" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "22" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "24" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "25" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "26" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "27" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "28" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "29" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "30" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "31" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "33" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "34" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "35" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "36" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "37" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "38" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "39" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "40" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "41" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "42" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "iaqmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "43" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "swen" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eno" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "owt" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eerht" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ruof" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "evif" Deleted
HKLM\~\currentversion\run "dmqai.exe" Deleted
C:\WINDOWS\System32\csflf.exe Deleted
....
»»»»» Misc files.
C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat Deleted
C:\Dokumente und Einstellungen\!\Anwendungsdaten\kc.tmp Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Download Free Spyware Remover.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\NEW VIAGRA at Half Price!.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Online Chat With Nude Girls.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Order CIALIS online without leaving home..url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\PC protection in under 2 minutes!.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\SEX Dating - Real Girls For Real SEX.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Stop PopUps On Your Computer.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\View ADULT photos of REAL GIRLS!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Download Free Spyware Remover.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\NEW VIAGRA at Half Price!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Online Chat With Nude Girls.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Order CIALIS online without leaving home..url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\PC protection in under 2 minutes!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\SEX Dating - Real Girls For Real SEX.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Stop PopUps On Your Computer.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\View ADULT photos of REAL GIRLS!.url Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\Help\SPAlert.chm Deleted
C:\WINDOWS\RDT.INI Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Sex and Dating Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Online Pharmacy Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Sex and Dating Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Spyware Uninstall Deleted
C:\WINDOWS\system32\{2DB416FF-0304-42FA-9F98-2A672305FB9C}.exe Deleted
C:\WINDOWS\system32\{DFDB65FA-4C4C-4C30-A61C-AE94A4B21D36}.exe Deleted
C:\WINDOWS\system32\{F0FB823E-804A-4C18-94B5-3CE807C0349E}.exe Deleted
C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll Deleted
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DVDTray"="C:\\Programme\\Ahead\\ODD Toolkit\\DVDTray.exe"
"VVSN"="C:\\Programme\\VVSN\\VVSN.exe"
"NVMixerTray"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"CTSysVol"="C:\\Programme\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Programme\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Programme\\Iomega\\DriveIcons\\ImgIcon.exe"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
@=""
"Sony Ericsson PC Suite"="\"C:\\Programme\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"systemdll"="sound64.exe"
"Dest068"="WinInitDll.exe"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"ToADiMon.exe"="C:\\Programme\\T-Online\\T-Online_Software_6\\Basis-Software\\Basis1\\ToADiMon.exe -TOnlineAutodialStart"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ALDI_NORD_FotoSuite_Download"="\"C:\\Programme\\ALDI Foto Service Nord\\ALDI_Foto_Service\\FotoSuite.exe\" /autorun"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uint32"="sound64.exe"
"abrek"="TForm1.exe"
"ATLIEHELPER"="Bogobot.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
The Blacklight log is next
- Blacklight could not find anything. Here is the log anyway:
03/13/07 11:51:17 [Info]: BlackLight Engine 1.0.55 initialized
03/13/07 11:51:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/13/07 11:51:17 [Note]: 7019 4
03/13/07 11:51:17 [Note]: 7005 0
03/13/07 11:51:20 [Note]: 7006 0
03/13/07 11:51:20 [Note]: 7011 716
03/13/07 11:51:20 [Note]: 7026 0
03/13/07 11:51:20 [Note]: 7026 0
03/13/07 11:51:27 [Note]: FSRAW library version 1.7.1021
03/13/07 11:55:52 [Note]: 7007 0
Cleanup! - Log:
CleanUp! started on 03/13/07 11:59:42.
...
C:\WINDOWS\Prefetch\PATCHJRE.EXE-1A531802.pf - deleted
C:\WINDOWS\Prefetch\PATHDETECT.EXE-35E81D15.pf - deleted
C:\WINDOWS\Prefetch\PDFDETECT.EXE-1AD00808.pf - deleted
C:\WINDOWS\Prefetch\PREUPD.EXE-358AA1C1.pf - deleted
C:\WINDOWS\Prefetch\PROFILEMGR.EXE-20F082B4.pf - deleted
C:\WINDOWS\Prefetch\PROFIL~1.EXE-047D5C8D.pf - deleted
C:\WINDOWS\Prefetch\READER_SL.EXE-36135169.pf - deleted
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf - deleted
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-13404D23.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2BBDCFD7.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-35C77CE3.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3BB3F2CE.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-435D7B86.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-44A0B4BC.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf - deleted
C:\WINDOWS\Prefetch\SCHED.EXE-236A886F.pf - deleted
C:\WINDOWS\Prefetch\SC_WATCH.EXE-0A4BDE44.pf - deleted
C:\WINDOWS\Prefetch\SC_WATCH.EXE-105B9A9E.pf - deleted
C:\WINDOWS\Prefetch\SET16.TMP-321C1E46.pf - deleted
C:\WINDOWS\Prefetch\SET6.TMP-0FD92486.pf - deleted
C:\WINDOWS\Prefetch\SET9.TMP-34716354.pf - deleted
C:\WINDOWS\Prefetch\SETFOLDERACCESSRIGHTS.EXE-291A8BF8.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-0F40F254.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-2A440DFE.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-39C497E7.pf - deleted
C:\WINDOWS\Prefetch\SPEED.EXE-2CFDD585.pf - deleted
C:\WINDOWS\Prefetch\SPUPDSVC.EXE-21B36524.pf - deleted
C:\WINDOWS\Prefetch\SRS.EXE-0637ACD1.pf - deleted
C:\WINDOWS\Prefetch\SSMYPICS.SCR-01C62024.pf - deleted
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\WINDOWS\Prefetch\TOADINST.EXE-340FDF93.pf - deleted
C:\WINDOWS\Prefetch\TOCONNKI.EXE-1883B2A7.pf - deleted
C:\WINDOWS\Prefetch\TONAUDI.EXE-1ED630F8.pf - deleted
C:\WINDOWS\Prefetch\UNINST.EXE-35C47683.pf - deleted
C:\WINDOWS\Prefetch\UNINSTALLER.EXE-2294980C.pf - deleted
C:\WINDOWS\Prefetch\UNPACK200.EXE-0DC8B0A3.pf - deleted
C:\WINDOWS\Prefetch\UNSECAPP.EXE-1A95A33B.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-0DA607AC.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-116E2BE8.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-13D57D76.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-19A66289.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-278456E6.pf - deleted
C:\WINDOWS\Prefetch\UPNP.EXE-016C0AB0.pf - deleted
C:\WINDOWS\Prefetch\UPSCR.SCR-04143FB3.pf - deleted
C:\WINDOWS\Prefetch\WINAMP.EXE-08C38ED9.pf - deleted
C:\WINDOWS\Prefetch\WINRAR.EXE-3588DFE8.pf - deleted
C:\WINDOWS\Prefetch\WINWORD.EXE-259486DA.pf - deleted
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-0996933A.pf - deleted
C:\WINDOWS\Prefetch\WSUSRMGR.EXE-1AD5C411.pf - deleted
C:\WINDOWS\Prefetch\WSUSRMGR.EXE-28188A17.pf - deleted
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf - deleted
C:\WINDOWS\Prefetch\WUPDMGR.EXE-2F30BEAB.pf - deleted
C:\WINDOWS\Prefetch\ZIPPER.EXE-07D7DB72.pf - deleted
C:\WINDOWS\Prefetch\~E5.0001-20D53231.pf - deleted
Emptied Recycle Bin on drive C:
'Run MRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.5.2 recovered 132.4 MB of disk space from 1421 files.
CleanUp! finished on 03/13/07 11:59:48.
datfind.bat
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E
Verzeichnis von C:\WINDOWS\system32
07.12.2082 12:27 2.422 wpa.bak
13.03.2007 12:02 2.422 wpa.dbl
12.03.2007 23:56 2.560 BitCometRes.dll
12.03.2007 21:07 9.132 jupdate-1.5.0_10-b03.log
18.02.2007 17:47 169.096 FNTCACHE.DAT
01.12.2006 15:05 132.897 NULL
01.12.2006 15:05 16.832 amcompat.tlb
01.12.2006 15:05 23.392 nscompat.tlb
01.12.2006 15:03 52.764 perfc009.dat
01.12.2006 15:03 391.000 perfh007.dat
01.12.2006 15:03 63.580 perfc007.dat
01.12.2006 15:03 380.350 perfh009.dat
01.12.2006 15:03 872.024 PerfStringBackup.INI
09.11.2006 15:07 127.078 javaws.exe
09.11.2006 15:07 49.265 jpicpl32.cpl
09.11.2006 13:28 53.346 javaw.exe
09.11.2006 13:28 49.248 java.exe
10.10.2006 17:08 32.768 six.exe
24.09.2006 02:42 65.536 QuickTimeVR.qtx
24.09.2006 02:42 49.152 QuickTime.qts
13.09.2006 13:44 643.072 mgxoschk.dll
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E
Verzeichnis von C:\DOKUME~1\!\LOKALE~1\Temp
13.03.2007 12:07 171 jusched.log
1 Datei(en) 171 Bytes
0 Verzeichnis(se), 25.147.596.800 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E
Verzeichnis von C:\WINDOWS
13.03.2007 11:54 182.380 setupact.log
13.03.2007 11:47 1.532.267 WindowsUpdate.log
13.03.2007 11:46 0 0.log
13.03.2007 11:46 159 wiadebug.log
13.03.2007 11:46 0 wiaservc.log
13.03.2007 11:45 2.048 bootstat.dat
13.03.2007 11:45 32.544 SchedLgU.Txt
13.03.2007 11:45 192 winamp.ini
13.03.2007 11:20 372.837 setupapi.log
12.03.2007 21:14 229.254 ntbtlog.txt
12.03.2007 20:46 8.224 WGA.log
12.03.2007 20:46 1.276 avmcoins.log
14.02.2007 18:24 6.537 mgxoschk.ini
16.12.2006 20:55 365.070 DirectX.log
14.12.2006 19:34 69 NeroDigital.ini
01.12.2006 17:30 41.524 wmsetup.log
01.12.2006 16:39 379 wmsetup10.log
01.12.2006 16:36 211 uno.ini
01.12.2006 16:36 691 win.ini
01.12.2006 15:11 1.454 COM+.log
01.12.2006 15:04 316.640 WMSysPr9.prx
22.10.2006 15:56 649 GEARInstall.log
05.07.2006 11:07 2.896 mozver.dat
02.06.2006 08:20 193 control.ini
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E
Verzeichnis von C:\WINDOWS\Temp
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E
Verzeichnis von C:\WINDOWS\Downloaded Program Files
27.08.2005 13:30 5.065 swflash.inf
02.01.2004 04:21 65 desktop.ini
2 Datei(en) 5.130 Bytes
0 Verzeichnis(se), 25.147.420.672 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E
Verzeichnis von C:\
13.03.2007 12:13 0 sys.txt
13.03.2007 12:13 345 down.txt
13.03.2007 12:13 117 tmp.txt
13.03.2007 12:12 10.322 system.txt
13.03.2007 12:12 288 systemtemp.txt
13.03.2007 12:12 105.598 system32.txt
13.03.2007 11:45 1.610.612.736 pagefile.sys
16.12.2006 18:16 2.785 LGSInst.Log
01.12.2006 15:17 156 TO_InstallLog.txt
01.12.2006 15:01 0 ToCaclLE.txt
01.12.2006 15:01 309 ToCaclLD.txt
Combofix
Start Time= 13.03.2007 12:15:38,60
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2082-12-07 12:30:44 ( .D... ) "C:\Programme\NVIDIA Corporation"
2082-12-07 12:30:44 ( .D... ) "C:\Programme\Gemeinsame Dateien\NVIDIA Shared"
2082-12-07 12:28:06 ( .D... ) "C:\Programme\VVSN"
2007-03-13 11:58:28 ( .D... ) "C:\Programme\CleanUp!"
2007-03-12 23:56:22 2560 ( A.... ) "C:\WINDOWS\system32\BitCometRes.dll"
2007-03-12 23:55:42 ( .D... ) "C:\Programme\BitComet"
2007-02-14 18:24:42 ( .D... ) "C:\Programme\ALDI Nord Foto Service"
2007-02-14 18:24:34 ( .D... ) "C:\Programme\ALDI Foto Service Nord"
2007-01-16 16:08:18 ( .D... ) "C:\Programme\AntiVir PersonalEdition Classic"
((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DVDTray"="C:\\Programme\\Ahead\\ODD Toolkit\\DVDTray.exe"
"VVSN"="C:\\Programme\\VVSN\\VVSN.exe"
"NVMixerTray"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"CTSysVol"="C:\\Programme\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Programme\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Programme\\Iomega\\DriveIcons\\ImgIcon.exe"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
@=""
"Sony Ericsson PC Suite"="\"C:\\Programme\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"systemdll"="sound64.exe"
"Dest068"="WinInitDll.exe"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"ToADiMon.exe"="C:\\Programme\\T-Online\\T-Online_Software_6\\Basis-Software\\Basis1\\ToADiMon.exe -TOnlineAutodialStart"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ALDI_NORD_FotoSuite_Download"="\"C:\\Programme\\ALDI Foto Service Nord\\ALDI_Foto_Service\\FotoSuite.exe\" /autorun"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Uint32"="sound64.exe"
"abrek"="TForm1.exe"
"ATLIEHELPER"="Bogobot.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"InfoCockpit"="C:\\Programme\\T-Online\\T-Online_Software_6\\Info-Cockpit\\IC_START.EXE /nosplash"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"InfoCockpit"="C:\\Programme\\T-Online\\T-Online_Software_6\\Info-Cockpit\\IC_START.EXE /nosplash"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
Completion time: 13.03.2007 12:16:10,56
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt