Rogue Antispyware! - KillAndClean - SpyMarshal

Thread is closed!
13.03.2007, 11:43
Hello,
Today, after a call for help etc., I saw my nephew's PC again for the first time in 3 months (I had built it myself :/). In any case, something here is definitely rotten. The desktop wallpaper can no longer be changed. The Internet connection crawls (DSL 2k). These malware toolbars everywhere....
I'm trying to follow another thread and am posting the logs. Please help me ;) I don't feel like flattening the system...

Logfile of HijackThis v1.99.1
Scan saved at 11:42:32, on 13.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
C:\Programme\VVSN\VVSN.exe
C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\FRITZ!\IWatch.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~2\Notifier\Notifier.exe
C:\Programme\Winamp\Winamp.exe
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BROWSER\BROWSER.EXE
C:\Dokumente und Einstellungen\!\Desktop\Neuer Ordner\HijackThis.exe

R3 - URLSearchHook: (no name) - {303CF927-07FB-3442-E53E-FEAB15862EC7} - ATLIEHELPER.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [VVSN] C:\Programme\VVSN\VVSN.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Programme\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [systemdll] sound64.exe
O4 - HKLM\..\Run: [Dest068] WinInitDll.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ALDI_NORD_FotoSuite_Download] "C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun
O4 - HKCU\..\Run: [KillAndClean] "C:\Programme\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Uint32] sound64.exe
O4 - HKCU\..\Run: [abrek] TForm1.exe
O4 - HKCU\..\Run: [ATLIEHELPER] Bogobot.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F310C49-ADCC-4634-AE13-9488D6C153D2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


Fixwareout follows after the restart, brb.

After the restart, 3 trojan warnings from AntiVir... ;)
Here is the Fixwareout log:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmqai"
HKLM\SOFTWARE\~\Winlogon\ "System"="csflf.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\version\Run\ "dmqai"
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}8312A87AEEC1-3A08-9244-5783-696CA22B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}55DB21A74FC7-2989-9A84-51F3-D309F29A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}63D12B4A49EA-C16A-03C4-C4C4-AF56BDFD{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}C9BF503276A2-89F9-AF24-4030-FF614BD2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}D21635C47084-AA6B-19F4-8BB3-6F8A706F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}E9430C708EC3-5B49-81C4-A408-E328BF0F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "8" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "9" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "10" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "11" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "12" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "13" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "14" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "15" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "16" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "17" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "18" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "19" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "20" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "21" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "22" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "24" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "25" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "26" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "27" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "28" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "29" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "30" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "31" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "33" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "34" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "35" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "36" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "37" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "38" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "39" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "40" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "41" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "42" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "iaqmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "43" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "swen" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eno" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "owt" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "eerht" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ruof" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "evif" Deleted
HKLM\~\currentversion\run "dmqai.exe" Deleted
C:\WINDOWS\System32\csflf.exe Deleted
....
»»»»» Misc files.
C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat Deleted
C:\Dokumente und Einstellungen\!\Anwendungsdaten\kc.tmp Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Download Free Spyware Remover.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\NEW VIAGRA at Half Price!.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Online Chat With Nude Girls.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Order CIALIS online without leaving home..url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\PC protection in under 2 minutes!.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\SEX Dating - Real Girls For Real SEX.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Stop PopUps On Your Computer.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\View ADULT photos of REAL GIRLS!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Download Free Spyware Remover.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\NEW VIAGRA at Half Price!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Online Chat With Nude Girls.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Order CIALIS online without leaving home..url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\PC protection in under 2 minutes!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\SEX Dating - Real Girls For Real SEX.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Stop PopUps On Your Computer.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url Deleted
C:\Dokumente und Einstellungen\!\Favoriten\View ADULT photos of REAL GIRLS!.url Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\Help\SPAlert.chm Deleted
C:\WINDOWS\RDT.INI Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Sex and Dating Deleted
C:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Online Pharmacy Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Sex and Dating Deleted
C:\Dokumente und Einstellungen\!\Favoriten\Spyware Uninstall Deleted
C:\WINDOWS\system32\{2DB416FF-0304-42FA-9F98-2A672305FB9C}.exe Deleted
C:\WINDOWS\system32\{DFDB65FA-4C4C-4C30-A61C-AE94A4B21D36}.exe Deleted
C:\WINDOWS\system32\{F0FB823E-804A-4C18-94B5-3CE807C0349E}.exe Deleted
C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DVDTray"="C:\\Programme\\Ahead\\ODD Toolkit\\DVDTray.exe"
"VVSN"="C:\\Programme\\VVSN\\VVSN.exe"
"NVMixerTray"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"CTSysVol"="C:\\Programme\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Programme\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Programme\\Iomega\\DriveIcons\\ImgIcon.exe"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
@=""
"Sony Ericsson PC Suite"="\"C:\\Programme\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"systemdll"="sound64.exe"
"Dest068"="WinInitDll.exe"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"ToADiMon.exe"="C:\\Programme\\T-Online\\T-Online_Software_6\\Basis-Software\\Basis1\\ToADiMon.exe -TOnlineAutodialStart"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ALDI_NORD_FotoSuite_Download"="\"C:\\Programme\\ALDI Foto Service Nord\\ALDI_Foto_Service\\FotoSuite.exe\" /autorun"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uint32"="sound64.exe"
"abrek"="TForm1.exe"
"ATLIEHELPER"="Bogobot.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


The BlackLight log comes next
- BlackLight couldn't find anything. Here is the log anyway:

03/13/07 11:51:17 [Info]: BlackLight Engine 1.0.55 initialized
03/13/07 11:51:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/13/07 11:51:17 [Note]: 7019 4
03/13/07 11:51:17 [Note]: 7005 0
03/13/07 11:51:20 [Note]: 7006 0
03/13/07 11:51:20 [Note]: 7011 716
03/13/07 11:51:20 [Note]: 7026 0
03/13/07 11:51:20 [Note]: 7026 0
03/13/07 11:51:27 [Note]: FSRAW library version 1.7.1021
03/13/07 11:55:52 [Note]: 7007 0

CleanUp! log:

CleanUp! started on 03/13/07 11:59:42.
...
C:\DOKUME~1\!\LOKALE~1\Temp\{AC157741-3285-4D6A-B934-9174587A3493}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{AFB2CA42-E51B-49E2-B230-552908780F46}\{757AD3D4-036B-42FA-B0A4-96BD6F4605A0}\info.ini - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{AFB2CA42-E51B-49E2-B230-552908780F46}\{757AD3D4-036B-42FA-B0A4-96BD6F4605A0}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{AFB2CA42-E51B-49E2-B230-552908780F46}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{B8163ABB-B614-425E-890C-8FCD2415C340}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{BA00269C-E602-467A-BC8A-33AE2B31A056}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{BBC89AEF-1D8F-4852-9F5F-3E95F3298C5A}\{2B653229-9854-4989-B780-D978F5F13EAB}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{BBC89AEF-1D8F-4852-9F5F-3E95F3298C5A}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\{E863B0FB-A92C-11D5-9FA6-000374890932}\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\~nsu.tmp\ - deleted
C:\DOKUME~1\!\LOKALE~1\Temp\Perflib_Perfdata_de8.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\002469_.tmp - deleted
C:\WINDOWS\SET3.tmp - deleted
C:\WINDOWS\SET7.tmp - deleted
C:\WINDOWS\temp\HP000000.IDX - deleted
C:\WINDOWS\temp\HP000001.PDL - deleted
C:\WINDOWS\temp\HP000002.PDL - deleted
C:\WINDOWS\temp\HP000003.PDL - deleted
C:\WINDOWS\temp\HP001000.IDX - deleted
C:\WINDOWS\temp\HP001001.PDL - deleted
C:\WINDOWS\temp\HP001002.PDL - deleted
C:\WINDOWS\temp\HP001003.PDL - deleted
C:\WINDOWS\temp\HP001004.PDL - deleted
C:\WINDOWS\temp\HP002000.IDX - deleted
C:\WINDOWS\temp\HP003000.IDX - deleted
C:\WINDOWS\temp\HP004000.IDX - deleted
C:\WINDOWS\temp\HP004001.PDL - deleted
C:\WINDOWS\temp\hpfpdi00.log - deleted
C:\WINDOWS\temp\hpzcon00.log - deleted
C:\WINDOWS\temp\hpzghoul00.log - deleted
C:\WINDOWS\temp\hpzglue00.log - deleted
C:\WINDOWS\temp\hpzpin00.log - deleted
C:\WINDOWS\temp\Win2000PPAHotfix.exe - deleted
C:\WINDOWS\temp\Cookies\index.dat - deleted
C:\WINDOWS\temp\Cookies\ - deleted
C:\WINDOWS\temp\CTZAPXX\Drivers\ - deleted
C:\WINDOWS\temp\CTZAPXX\ - deleted
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat - deleted
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\01M3KT6N\061-2882.German[1].dist - deleted
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\CXUR0923\061-2802.German[1].dist - deleted
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\GXAR85QN\061-2832.German[1].dist - deleted
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\O9MRG9UF\AppleSoftwareUpdate[1].msi - deleted
C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\O9MRG9UF\index-windows-1[1].sucatalog - deleted
C:\WINDOWS\temp\Verlauf\History.IE5\index.dat - deleted
C:\WINDOWS\temp\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\ - deleted
C:\WINDOWS\temp\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\ - deleted
C:\WINDOWS\temp\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\ - deleted
C:\WINDOWS\temp\{7201B853-5833-11D6-A285-00A0CC51B2FE}\ - deleted
C:\WINDOWS\temp\{734BB64A-5A3D-4624-867D-6358B7068496}\ - deleted
C:\WINDOWS\temp\{A1185190-514F-11D6-A285-00A0CC51B2FE}\ - deleted
C:\WINDOWS\temp\{AC157741-3285-4D6A-B934-9174587A3493}\ - deleted
C:\WINDOWS\temp\{DABD554A-7DA6-4763-BF17-D3CAFB55E5A6}\ - deleted
C:\WINDOWS\temp\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\ - deleted
C:\WINDOWS\temp\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\ - deleted
C:\WINDOWS\temp\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\ - deleted
C:\WINDOWS\temp\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\ - deleted
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Default User\Cookies\index.dat - deleted
C:\Dokumente und Einstellungen\Administrator\Cookies\index.dat - deleted
C:\Dokumente und Einstellungen\!\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\!\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Prefetch\ACRORD32.EXE-0EC716D9.pf - deleted
C:\WINDOWS\Prefetch\ADDONINSTALL.EXE-034ECA9A.pf - deleted
C:\WINDOWS\Prefetch\ALDI_FOTOSERVICE.EXE-0B540668.pf - deleted
C:\WINDOWS\Prefetch\ALDI_FOTO_BUCH_NORD_D.EXE-0C5532BD.pf - deleted
C:\WINDOWS\Prefetch\ANTIVIR_WORKSTATION_WIN7U_DE_-07180358.pf - deleted
C:\WINDOWS\Prefetch\AUTODL%3FBUNDLEID=10878_B1978-0494013E.pf - deleted
C:\WINDOWS\Prefetch\AUTORUN.EXE-08A9DED1.pf - deleted
C:\WINDOWS\Prefetch\AUTORUN.EXE-2CA35178.pf - deleted
C:\WINDOWS\Prefetch\AUTORUN.EXE-3684E09A.pf - deleted
C:\WINDOWS\Prefetch\AU_.EXE-36C1EF4C.pf - deleted
C:\WINDOWS\Prefetch\AVCENTER.EXE-37584419.pf - deleted
C:\WINDOWS\Prefetch\AVGNT.EXE-36CA4640.pf - deleted
C:\WINDOWS\Prefetch\AVGUARD.EXE-3490B18B.pf - deleted
C:\WINDOWS\Prefetch\AVNOTIFY.EXE-22AE9451.pf - deleted
C:\WINDOWS\Prefetch\AVSCAN.EXE-05AECC0E.pf - deleted
C:\WINDOWS\Prefetch\BITCOMET.EXE-05D63A92.pf - deleted
C:\WINDOWS\Prefetch\BITCOMET_SETUP84.EXE-13C2DB7A.pf - deleted
C:\WINDOWS\Prefetch\BROWSER.EXE-177354FB.pf - deleted
C:\WINDOWS\Prefetch\BROWSER.EXE-2ED051C5.pf - deleted
C:\WINDOWS\Prefetch\CONFIG.EXE-2E5DF16F.pf - deleted
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf - deleted
C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf - deleted
C:\WINDOWS\Prefetch\DLMAN.EXE-0885EA3E.pf - deleted
C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf - deleted
C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf - deleted
C:\WINDOWS\Prefetch\DVDCHECK.EXE-20FEB218.pf - deleted
C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf - deleted
C:\WINDOWS\Prefetch\EARTH.SCR-2696F54A.pf - deleted
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX SETUP 2.0.0.2.EXE-04E522F1.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX SETUP 2.0.EXE-0D0B05D6.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX.EXE-1D57670A.pf - deleted
C:\WINDOWS\Prefetch\FOTOBUCHDS.EXE-077B5B06.pf - deleted
C:\WINDOWS\Prefetch\FOTOSUITE.EXE-2C264C32.pf - deleted
C:\WINDOWS\Prefetch\GTA_SA.EXE-02685B64.pf - deleted
C:\WINDOWS\Prefetch\GUARDGUI.EXE-1BD45C30.pf - deleted
C:\WINDOWS\Prefetch\HELPER.EXE-244ABC1F.pf - deleted
C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf - deleted
C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-159CF2B3.pf - deleted
C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-2B45A529.pf - deleted
C:\WINDOWS\Prefetch\HOTLINE_INFO.EXE-0A981445.pf - deleted
C:\WINDOWS\Prefetch\HPZENG04.EXE-129A6FF3.pf - deleted
C:\WINDOWS\Prefetch\HPZSTC04.EXE-1001DF4D.pf - deleted
C:\WINDOWS\Prefetch\IEXPLORE.EXE-2CA9778D.pf - deleted
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf - deleted
C:\WINDOWS\Prefetch\IPODSERVICE.EXE-233792DA.pf - deleted
C:\WINDOWS\Prefetch\IS-0MBKU.TMP-19549CE5.pf - deleted
C:\WINDOWS\Prefetch\ITUNES.EXE-15E88941.pf - deleted
C:\WINDOWS\Prefetch\IWATCH.EXE-1521B441.pf - deleted
C:\WINDOWS\Prefetch\JAVA.EXE-1586CEFA.pf - deleted
C:\WINDOWS\Prefetch\JAVA.EXE-1AA95189.pf - deleted
C:\WINDOWS\Prefetch\JAVAW.EXE-1DA9F6E6.pf - deleted
C:\WINDOWS\Prefetch\JAVAW.EXE-376854F9.pf - deleted
C:\WINDOWS\Prefetch\JUCHECK.EXE-03FBF417.pf - deleted
C:\WINDOWS\Prefetch\KERNEL.EXE-02A660F3.pf - deleted
C:\WINDOWS\Prefetch\LAUNCHER.EXE-20B782FF.pf - deleted
C:\WINDOWS\Prefetch\Layout.ini - deleted
C:\WINDOWS\Prefetch\LOADER.EXE-3627BA64.pf - deleted
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf - deleted
C:\WINDOWS\Prefetch\MAIL.EXE-30A22E9A.pf - deleted
C:\WINDOWS\Prefetch\MGXFONTS.EXE-2882DCE2.pf - deleted
C:\WINDOWS\Prefetch\MINFRAIS.EXE-37DF0DB7.pf - deleted
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf - deleted
C:\WINDOWS\Prefetch\MSMSGS.EXE-32066BA5.pf - deleted
C:\WINDOWS\Prefetch\N6233.EXE-05361858.pf - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf - deleted
C:\WINDOWS\Prefetch\NOTIFIER.EXE-326A898B.pf - deleted
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf - deleted
C:\WINDOWS\Prefetch\OPD_JP2.EXE-1478F9FE.pf - deleted
C:\WINDOWS\Prefetch\OSA.EXE-0082CBE3.pf - deleted
C:\WINDOWS\Prefetch\OUTLOOK.EXE-27D5965C.pf - deleted
C:\WINDOWS\Prefetch\PATCHJRE.EXE-1A531802.pf - deleted
C:\WINDOWS\Prefetch\PATHDETECT.EXE-35E81D15.pf - deleted
C:\WINDOWS\Prefetch\PDFDETECT.EXE-1AD00808.pf - deleted
C:\WINDOWS\Prefetch\PREUPD.EXE-358AA1C1.pf - deleted
C:\WINDOWS\Prefetch\PROFILEMGR.EXE-20F082B4.pf - deleted
C:\WINDOWS\Prefetch\PROFIL~1.EXE-047D5C8D.pf - deleted
C:\WINDOWS\Prefetch\READER_SL.EXE-36135169.pf - deleted
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf - deleted
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-13404D23.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2BBDCFD7.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-35C77CE3.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3BB3F2CE.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-435D7B86.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-44A0B4BC.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf - deleted
C:\WINDOWS\Prefetch\SCHED.EXE-236A886F.pf - deleted
C:\WINDOWS\Prefetch\SC_WATCH.EXE-0A4BDE44.pf - deleted
C:\WINDOWS\Prefetch\SC_WATCH.EXE-105B9A9E.pf - deleted
C:\WINDOWS\Prefetch\SET16.TMP-321C1E46.pf - deleted
C:\WINDOWS\Prefetch\SET6.TMP-0FD92486.pf - deleted
C:\WINDOWS\Prefetch\SET9.TMP-34716354.pf - deleted
C:\WINDOWS\Prefetch\SETFOLDERACCESSRIGHTS.EXE-291A8BF8.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-0F40F254.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-2A440DFE.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-39C497E7.pf - deleted
C:\WINDOWS\Prefetch\SPEED.EXE-2CFDD585.pf - deleted
C:\WINDOWS\Prefetch\SPUPDSVC.EXE-21B36524.pf - deleted
C:\WINDOWS\Prefetch\SRS.EXE-0637ACD1.pf - deleted
C:\WINDOWS\Prefetch\SSMYPICS.SCR-01C62024.pf - deleted
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\WINDOWS\Prefetch\TOADINST.EXE-340FDF93.pf - deleted
C:\WINDOWS\Prefetch\TOCONNKI.EXE-1883B2A7.pf - deleted
C:\WINDOWS\Prefetch\TONAUDI.EXE-1ED630F8.pf - deleted
C:\WINDOWS\Prefetch\UNINST.EXE-35C47683.pf - deleted
C:\WINDOWS\Prefetch\UNINSTALLER.EXE-2294980C.pf - deleted
C:\WINDOWS\Prefetch\UNPACK200.EXE-0DC8B0A3.pf - deleted
C:\WINDOWS\Prefetch\UNSECAPP.EXE-1A95A33B.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-0DA607AC.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-116E2BE8.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-13D57D76.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-19A66289.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-278456E6.pf - deleted
C:\WINDOWS\Prefetch\UPNP.EXE-016C0AB0.pf - deleted
C:\WINDOWS\Prefetch\UPSCR.SCR-04143FB3.pf - deleted
C:\WINDOWS\Prefetch\WINAMP.EXE-08C38ED9.pf - deleted
C:\WINDOWS\Prefetch\WINRAR.EXE-3588DFE8.pf - deleted
C:\WINDOWS\Prefetch\WINWORD.EXE-259486DA.pf - deleted
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-0996933A.pf - deleted
C:\WINDOWS\Prefetch\WSUSRMGR.EXE-1AD5C411.pf - deleted
C:\WINDOWS\Prefetch\WSUSRMGR.EXE-28188A17.pf - deleted
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf - deleted
C:\WINDOWS\Prefetch\WUPDMGR.EXE-2F30BEAB.pf - deleted
C:\WINDOWS\Prefetch\ZIPPER.EXE-07D7DB72.pf - deleted
C:\WINDOWS\Prefetch\~E5.0001-20D53231.pf - deleted
Emptied Recycle Bin on drive C:
'Run MRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.5.2 recovered 132.4 MB of disk space from 1421 files.
CleanUp! finished on 03/13/07 11:59:48.

datfind.bat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E

Verzeichnis von C:\WINDOWS\system32

07.12.2082 12:27 2.422 wpa.bak
13.03.2007 12:02 2.422 wpa.dbl
12.03.2007 23:56 2.560 BitCometRes.dll
12.03.2007 21:07 9.132 jupdate-1.5.0_10-b03.log
18.02.2007 17:47 169.096 FNTCACHE.DAT
01.12.2006 15:05 132.897 NULL
01.12.2006 15:05 16.832 amcompat.tlb
01.12.2006 15:05 23.392 nscompat.tlb
01.12.2006 15:03 52.764 perfc009.dat
01.12.2006 15:03 391.000 perfh007.dat
01.12.2006 15:03 63.580 perfc007.dat
01.12.2006 15:03 380.350 perfh009.dat
01.12.2006 15:03 872.024 PerfStringBackup.INI
09.11.2006 15:07 127.078 javaws.exe
09.11.2006 15:07 49.265 jpicpl32.cpl
09.11.2006 13:28 53.346 javaw.exe
09.11.2006 13:28 49.248 java.exe
10.10.2006 17:08 32.768 six.exe
24.09.2006 02:42 65.536 QuickTimeVR.qtx
24.09.2006 02:42 49.152 QuickTime.qts
13.09.2006 13:44 643.072 mgxoschk.dll

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E

Verzeichnis von C:\DOKUME~1\!\LOKALE~1\Temp

13.03.2007 12:07 171 jusched.log
1 Datei(en) 171 Bytes
0 Verzeichnis(se), 25.147.596.800 Bytes frei

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E

Verzeichnis von C:\WINDOWS

13.03.2007 11:54 182.380 setupact.log
13.03.2007 11:47 1.532.267 WindowsUpdate.log
13.03.2007 11:46 0 0.log
13.03.2007 11:46 159 wiadebug.log
13.03.2007 11:46 0 wiaservc.log
13.03.2007 11:45 2.048 bootstat.dat
13.03.2007 11:45 32.544 SchedLgU.Txt
13.03.2007 11:45 192 winamp.ini
13.03.2007 11:20 372.837 setupapi.log
12.03.2007 21:14 229.254 ntbtlog.txt
12.03.2007 20:46 8.224 WGA.log
12.03.2007 20:46 1.276 avmcoins.log
14.02.2007 18:24 6.537 mgxoschk.ini
16.12.2006 20:55 365.070 DirectX.log
14.12.2006 19:34 69 NeroDigital.ini
01.12.2006 17:30 41.524 wmsetup.log
01.12.2006 16:39 379 wmsetup10.log
01.12.2006 16:36 211 uno.ini
01.12.2006 16:36 691 win.ini
01.12.2006 15:11 1.454 COM+.log
01.12.2006 15:04 316.640 WMSysPr9.prx
22.10.2006 15:56 649 GEARInstall.log
05.07.2006 11:07 2.896 mozver.dat
02.06.2006 08:20 193 control.ini


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E

Verzeichnis von C:\WINDOWS\Temp


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E

Verzeichnis von C:\WINDOWS\Downloaded Program Files

27.08.2005 13:30 5.065 swflash.inf
02.01.2004 04:21 65 desktop.ini
2 Datei(en) 5.130 Bytes
0 Verzeichnis(se), 25.147.420.672 Bytes frei


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4015-A18E

Verzeichnis von C:\

13.03.2007 12:13 0 sys.txt
13.03.2007 12:13 345 down.txt
13.03.2007 12:13 117 tmp.txt
13.03.2007 12:12 10.322 system.txt
13.03.2007 12:12 288 systemtemp.txt
13.03.2007 12:12 105.598 system32.txt
13.03.2007 11:45 1.610.612.736 pagefile.sys
16.12.2006 18:16 2.785 LGSInst.Log
01.12.2006 15:17 156 TO_InstallLog.txt
01.12.2006 15:01 0 ToCaclLE.txt
01.12.2006 15:01 309 ToCaclLD.txt


Combofix

Start Time= 13.03.2007 12:15:38,60

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2082-12-07 12:30:44 ( .D... ) "C:\Programme\NVIDIA Corporation"
2082-12-07 12:30:44 ( .D... ) "C:\Programme\Gemeinsame Dateien\NVIDIA Shared"
2082-12-07 12:28:06 ( .D... ) "C:\Programme\VVSN"
2007-03-13 11:58:28 ( .D... ) "C:\Programme\CleanUp!"
2007-03-12 23:56:22 2560 ( A.... ) "C:\WINDOWS\system32\BitCometRes.dll"
2007-03-12 23:55:42 ( .D... ) "C:\Programme\BitComet"
2007-02-14 18:24:42 ( .D... ) "C:\Programme\ALDI Nord Foto Service"
2007-02-14 18:24:34 ( .D... ) "C:\Programme\ALDI Foto Service Nord"
2007-01-16 16:08:18 ( .D... ) "C:\Programme\AntiVir PersonalEdition Classic"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DVDTray"="C:\\Programme\\Ahead\\ODD Toolkit\\DVDTray.exe"
"VVSN"="C:\\Programme\\VVSN\\VVSN.exe"
"NVMixerTray"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"CTSysVol"="C:\\Programme\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Programme\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Programme\\Iomega\\DriveIcons\\ImgIcon.exe"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
@=""
"Sony Ericsson PC Suite"="\"C:\\Programme\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"systemdll"="sound64.exe"
"Dest068"="WinInitDll.exe"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"ToADiMon.exe"="C:\\Programme\\T-Online\\T-Online_Software_6\\Basis-Software\\Basis1\\ToADiMon.exe -TOnlineAutodialStart"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ALDI_NORD_FotoSuite_Download"="\"C:\\Programme\\ALDI Foto Service Nord\\ALDI_Foto_Service\\FotoSuite.exe\" /autorun"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Uint32"="sound64.exe"
"abrek"="TForm1.exe"
"ATLIEHELPER"="Bogobot.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"InfoCockpit"="C:\\Programme\\T-Online\\T-Online_Software_6\\Info-Cockpit\\IC_START.EXE /nosplash"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"InfoCockpit"="C:\\Programme\\T-Online\\T-Online_Software_6\\Info-Cockpit\\IC_START.EXE /nosplash"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 13.03.2007 12:16:10,56
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
This post was edited by AgathoN on 13.03.2007 at 12:16.
13.03.2007, 11:56
Honorary member
Sabina

Posts: 29434
#2 AgathoN

««
Configure CleanUp exactly as specified here:
http://virus-protect.org/cleanup.html

««
Copy these 6 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date. (Copy only the last 3 months.)
http://virus-protect.org/datfindbat.html

««
Post this log
http://virus-protect.org/artikel/tools/combofix.html
__________
Kind regards, Sabina

all about PC security
13.03.2007, 12:18
Member

Thread starter

Posts: 12
#3 Done! *rubs hands*
Really creepy, hehehe
13.03.2007, 12:25
Honorary member
Sabina

Posts: 29434
#4 ««
http://virus-protect.org/artikel/tools/regsearch.html
and double-click to start it.
in: "Enter search strings" (type or paste in)

{303CF927-07FB-3442-E53E-FEAB15862EC7}

into edit and click "Ok".
Notepad will open -- copy the text and post it.

in: "Enter search strings" (type or paste in)

{08BEC6AA-49FC-4379-3587-4B21E286C19E}


into edit and click "Ok".
Notepad will open -- copy the text and post it.

in: "Enter search strings" (type or paste in)

KillAndClean

into edit and click "Ok".
Notepad will open -- copy the text and post it.
__________
Kind regards, Sabina

all about PC security
13.03.2007, 12:47
Member

Thread starter

Posts: 12
#5 Sorry that it's taking a while, but the PC is very slow because I'm also downloading missing Windows updates on the side oO

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 13.03.2007 12:39:19 for strings:
; '{303cf927-07fb-3442-e53e-feab15862ec7}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7}\InprocServer32]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{303CF927-07FB-3442-E53E-FEAB15862EC7}"="clamav"

; End Of The Log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 13.03.2007 12:44:37 for strings:
; '{08bec6aa-49fc-4379-3587-4b21e286c19e}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E}\iexplore]

; End Of The Log...

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 13.03.2007 12:46:17 for strings:
; 'killandclean
killandclean
killandclean
killandclean
killandclean'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
13.03.2007, 13:13
Honorary member
Sabina

Posts: 29434
#6 AgathoN

Open HijackThis -- button "scan" -- tick the boxes in front of these entries -- button "Fix checked"

Quote

R3 - URLSearchHook: (no name) - {303CF927-07FB-3442-E53E-FEAB15862EC7} - ATLIEHELPER.dll (file missing)

O1 - Hosts: localhost 127.0.0.1

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.1.2.7.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll

O4 - HKLM\..\Run: [VVSN] C:\Programme\VVSN\VVSN.exe

O4 - HKLM\..\Run: [systemdll] sound64.exe

O4 - HKLM\..\Run: [Dest068] WinInitDll.exe

O4 - HKCU\..\Run: [KillAndClean] "C:\Programme\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Uint32] sound64.exe
O4 - HKCU\..\Run: [abrek] TForm1.exe
O4 - HKCU\..\Run: [ATLIEHELPER] Bogobot.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F310C49-ADCC-4634-AE13-9488D6C153D2}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
««
Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop using 'Save As'. Set the file type to 'All Files'. You should now find this file on the desktop.
Double-click the file "fixme.reg" on the desktop and merge it into the registry with "ja" or "yes"

Quote

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Uint32"=-
"abrek"=-
"ATLIEHELPER"=-
"Windows update loader"=-
"KillAndClean"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"systemdll"=-
"Dest068"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{303CF927-07FB-3442-E53E-FEAB15862EC7}"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E}]
--------------------------------

Avenger
http://virus-protect.org/artikel/tools/avenger.html
Input script manually (tick it)
copy into: View/edit script

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7}

Files to delete:
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll

Folders to delete:
C:\Programme\BitComet
C:\Programme\VVSN
C:\Programme\KillAndClean

Click the green traffic light
The script will now run, then the PC will restart automatically

---------------------

««
http://www.funkytoad.com/download/HostsXpert.zip
Press 'Restore Microsoft's Hosts File' and press 'OK'
Exit Program.

««
My Computer - Control Panel - Network
TCP/IP Properties, General tab, option: Obtain an IP address automatically + Obtain DNS server address automatically - tick

««
To open the Services console directly, enter under Start - Run: services.msc

TCP/IP NetBIOS Helper - DISABLE
Provides support for the NetBIOS over TCP/IP service

---------

Post the new HijackThis log
__________
Kind regards, Sabina

all about PC security
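The entries Sabina picks out above follow a few recurring patterns: Run values that name a bare file with no path (sound64.exe, TForm1.exe, Bogobot.exe), a BHO/toolbar DLL in system32 named after a GUID, a URLSearchHook whose file is already gone, and NameServer entries pointing outside the LAN while the router at 192.168.1.1 is the only private one. The script below, an added example and not code from this thread or from HijackThis, ComboFix, Avenger or Registry Search, turns those patterns into repeatable checks over sample lines copied from the log quoted in post #6. The rule names, the private-range test via Python's ipaddress module and the allowlist parameter for deliberately configured public resolvers are my own choices.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread; not code from HijackThis or any tool named
here. Every hit is a lead for a human to confirm, not a verdict.
"""
import ipaddress
import re

# Sample lines copied from the HijackThis excerpt quoted in post #6, plus one
# clean O2 line from the post-cleanup log so that misses are shown as well.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {303CF927-07FB-3442-E53E-FEAB15862EC7} - ATLIEHELPER.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [systemdll] sound64.exe
O4 - HKCU\..\Run: [abrek] TForm1.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.30 85.255.112.119
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F310C49-ADCC-4634-AE13-9488D6C153D2}: NameServer = 192.168.1.1
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O2 (BHO), O3 (toolbar) and R3 (URLSearchHook) share the "name - CLSID - path" shape.
BHO_RE = re.compile(r"^(?:O2 - BHO|O3 - Toolbar|R3 - URLSearchHook): (?P<name>.*?) - (?P<clsid>"
                    + GUID + r") - (?P<path>.+)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.+): NameServer = (?P<servers>.+)$")
GUID_DLL_RE = re.compile(r"\\" + GUID + r"\.dll$")


def image_of(cmd: str) -> str:
    """Return the executable image of a Run command line.

    HijackThis prints unquoted paths with embedded spaces as-is, so in the
    unquoted case we cut at the first switch (" /x" or " -x"), not at a space.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:] if end < 0 else cmd[1:end]
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def _hit(rule: str, line: str, detail: str) -> dict:
    return {"rule": rule, "line": line, "detail": detail}


def analyze(log_text: str, allowed_resolvers: frozenset = frozenset()) -> list:
    """Apply the heuristics to a log and return one dict per hit.

    allowed_resolvers: public DNS servers this site configures on purpose,
    so a hand-entered public resolver is not reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            image = image_of(m["cmd"])
            # A bare file name is located via the loader's search order at
            # logon; installers of legitimate software write absolute paths.
            if "\\" not in image and ":" not in image:
                findings.append(_hit("run-no-path", line, image))
            continue
        m = BHO_RE.match(line)
        if m:
            path = m["path"]
            if path.endswith("(file missing)"):
                # Registration survives while the DLL is gone: leftover of a
                # partial removal, worth cleaning up from the registry too.
                findings.append(_hit("dangling-clsid", line, path))
            elif GUID_DLL_RE.search(path):
                findings.append(_hit("guid-named-dll", line, path))
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m["servers"].split():
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(_hit("dns-unparseable", line, server))
                    continue
                if not addr.is_private and server not in allowed_resolvers:
                    findings.append(_hit("dns-public-resolver", line, server))
    return findings


def report(findings: list) -> str:
    """Group hits by rule, one line per hit."""
    out = []
    for rule in sorted({f["rule"] for f in findings}):
        out.append(f"[{rule}]")
        out.extend(f"  {f['detail']:<40} {f['line']}" for f in findings if f["rule"] == rule)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Note what the rules do not catch: `C:\Windows\xpupdate.exe` under a Run value called "Windows update loader" passes, because it carries a full path; knowing that Windows Update does not install itself that way is still a human judgement (or a hash lookup). The heuristics shorten the list Sabina has to read, they do not replace her reading of it.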
13.03.2007, 20:55
Member

Thread starter

Posts: 12
#7 Hello Sabina :)
Sorry for the delay, but unfortunately I had to work :/


Avenger

*******************

Beginning to process script file:



File C:\Windows\xpupdate.exe not found!
Deletion of file C:\Windows\xpupdate.exe failed!

Could not process line:
C:\Windows\xpupdate.exe
Status: 0xc0000034



File C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll not found!
Deletion of file C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll failed!

Could not process line:
C:\WINDOWS\system32\{4F516748-8DA5-4163-A422-33AA2C4C2504}.dll
Status: 0xc0000034

Folder C:\Programme\BitComet deleted successfully.
Folder C:\Programme\VVSN deleted successfully.


Folder C:\Programme\KillAndClean not found!
Deletion of folder C:\Programme\KillAndClean failed!

Could not process line:
C:\Programme\KillAndClean
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{303CF927-07FB-3442-E53E-FEAB15862EC7} failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



««
http://www.funkytoad.com/download/HostsXpert.zip
Press 'Restore Microsoft's Hosts File' and press 'OK'
Exit Program.

Done.


««
To open the Services console directly, enter under Start - Run: services.msc

TCP/IP NetBIOS Helper - DISABLE
Provides support for the NetBIOS over TCP/IP service

done.



New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:55:31, on 13.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\FRITZ!\IWatch.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\T-Online\T-ONLI~2\Notifier\Notifier.exe
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BROWSER\BROWSER.EXE
C:\Dokumente und Einstellungen\!\Desktop\Neuer Ordner\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Programme\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Programme\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ALDI_NORD_FotoSuite_Download] "C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all links using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


Can I now assume that the machine is also free of trojans? (Antivir finds nothing..... though I don't think much of that program)

Edit: It gives 4 warnings:

Beginne mit der Suche in 'C:\'
C:\pagefile.sys
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\WINDOWS\system32\drivers\sptd5549.sys
[WARNUNG] Die Datei konnte nicht geöffnet werden!

Does that mean anything to you?
This post was edited by AgathoN on 13.03.2007 at 22:36.
13.03.2007, 23:23
Honorary member
Sabina

Posts: 29434
#8 F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Click the link: "F-Secure Online Scanner Next Generation Beta".
2. You will be prompted to install an ActiveX control
3. Install this ActiveX component
4. Read the instructions and click: "Accept"
5. Click "Full System Scan"
6. Click "Show report" - copy the scan report
__________
Regards, Sabina

all about PC security
14.03.2007, 00:54
Member

Thread starter

Posts: 12
#9 I can't find the link for show report. ;)
It found 2 viruses + 8 spyware


not-virus:Hoax.Win32.Renos.ff (C:\WINDOWS\SYSTEM32\SIX.EXE)
NoneDisinfectRenameDelete
W32/Spywad.DBR (C:\PROGRAM FILES\SPYMARSHAL\UNINSTAL...)
NoneDisinfectRenameDelete
Tracking Cookie
NoneDisinfect
Tracking Cookie
NoneDisinfect
Tracking Cookie
NoneDisinfect
Tracking Cookie
NoneDisinfect
Tracking Cookie
NoneDisinfect
Tracking Cookie

and GAIN, that lousy adware component from the DivX codec


After cleaning I was able to click Show Report after all:


Scanning Report
Tuesday, March 13, 2007 23:47:34 - 00:56:19
Computer name: J616BUIIQXCOOQK
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 10 malware found
Adware.GAIN.Dashbar (spyware)
System (Disinfected)
GAIN (spyware)
System
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
W32/Spywad.DBR (virus)
C:\PROGRAM FILES\SPYMARSHAL\UNINSTALL.EXE (Submitted)
not-virus:Hoax.Win32.Renos.ff (virus)
C:\WINDOWS\SYSTEM32\SIX.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 34459
System: 4442
Not scanned: 6
Actions:
Disinfected: 2
Renamed: 0
Deleted: 0
None: 8
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{47A31A4A-534F-4600-BBAC-9B54C3159645}.BIN
C:\DOKUMENTE UND EINSTELLUNGEN\!\LOKALE EINSTELLUNGEN\TEMP\HSPERFDATA_!\1460
15.03.2007, 09:46
Honorary member
Sabina

Posts: 29434
#10 AgathoN

Info: SpyMarshal
http://virus-protect.org/artikel/spyware/spymarshal_remove.html

----------------

Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fix.reg on the desktop using 'Save as'. Under file type select 'All files'. You should now find this file on the desktop. Double-click the file "fix.reg" on the desktop and add it to the registry with "ja" or "yes".

Quote

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\SpyMarshal]

[-HKEY_CURRENT_USER\Software\Install]

[-HKEY_CURRENT_USER\Software\SpyMarshal]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyMarshal]
Avenger
http://virus-protect.org/artikel/tools/avenger.html
Input script manually (tick this)
copy into: View/edit script

Quote

Files to delete:
C:\WINDOWS\SYSTEM32\SIX.EXE
C:\Dokumente und Einstellungen\%Username%\Anwendungsdaten\Install.dat

Folders to delete:
C:\PROGRAM FILES\SPYMARSHAL
C:\Dokumente und Einstellungen\%Username%\Startmenü\Programme\SpyMarshal

»»
scan with option 1 and 2 and post both reports
http://virus-protect.org/artikel/tools/smitfrautfix.html

--------
««
My Computer --> right-click, then Properties --> System Restore tab --> tick Turn off System Restore on all drives.
(then turn it on again)

»»
once more:
fixwareout
http://virus-protect.org/artikel/tools/fixwareout.html
post the report
__________
Regards, Sabina

all about PC security
15.03.2007, 10:29
Member

Thread starter

Posts: 12
#11 Hm, could it be that the F-thing had already fixed that? At least there is no Program Files folder any more etc.
Nevertheless:


Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\SIX.EXE deleted successfully.


File C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat not found!
Deletion of file C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat failed!

Could not process line:
C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat
Status: 0xc0000034

File C:\Dokumente und Einstellungen\!\Desktop\bitcomet_setup84.exe deleted successfully.
couldn't be deleted any other way -.-

Could not open folder C:\PROGRAM FILES\SPYMARSHAL for deletion
Deletion of folder C:\PROGRAM FILES\SPYMARSHAL failed!

Could not process line:
C:\PROGRAM FILES\SPYMARSHAL
Status: 0xc000003a



Folder C:\Dokumente und Einstellungen\!\Startmenü\Programme\SpyMarshal not found!
Deletion of folder C:\Dokumente und Einstellungen\!\Startmenü\Programme\SpyMarshal failed!

Could not process line:
C:\Dokumente und Einstellungen\!\Startmenü\Programme\SpyMarshal
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.




»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\!\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


No. 2 in safe mode:

SmitFraudFix v2.148

Scan done at 10:35:31,28, 15.03.2007
Run from C:\Dokumente und Einstellungen\!\Desktop\Neuer Ordner\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


-------------------------------------------------------------------------

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DVDTray"="C:\\Programme\\Ahead\\ODD Toolkit\\DVDTray.exe"
"NVMixerTray"="\"C:\\Programme\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"CTSysVol"="C:\\Programme\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Iomega Startup Options"="C:\\Programme\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Programme\\Iomega\\DriveIcons\\ImgIcon.exe"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
@=""
"Sony Ericsson PC Suite"="\"C:\\Programme\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"ToADiMon.exe"="C:\\Programme\\T-Online\\T-Online_Software_6\\Basis-Software\\Basis1\\ToADiMon.exe -TOnlineAutodialStart"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ALDI_NORD_FotoSuite_Download"="\"C:\\Programme\\ALDI Foto Service Nord\\ALDI_Foto_Service\\FotoSuite.exe\" /autorun"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


P.S.: System Restore has been disabled ever since I first suspected that something was wrong here.
This post was edited by AgathoN on 15.03.2007 at 10:53.
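The Avenger report above prints an NTSTATUS code after every failed deletion, and those codes answer the question in this post: 0xc0000034 and 0xc000003a mean the object (or its parent folder) was already gone, not that the deletion was blocked. As an added example (not from the thread or from the Avenger tool), this Python parser reads such a report and classifies each line accordingly; the locked_example.dll entry is a constructed placeholder to show the "blocked" case.

```python
import re
from typing import Dict, List, Optional

# NTSTATUS values from the Windows SDK header ntstatus.h.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",          # still on disk, delete refused
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # file or folder already absent
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a parent directory is absent
}
ALREADY_GONE = {0xC0000034, 0xC000003A}
SUCCESS_RE = re.compile(r"^(File|Folder) (.+) deleted successfully\.$")
FAILURE_RE = re.compile(r"^Deletion of (file|folder) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: 0x([0-9a-fA-F]{8})$")


def verdict(ok: bool, status: Optional[int]) -> str:
    """deleted / already absent (no second pass needed) / blocked (still there)."""
    if ok:
        return "deleted"
    return "already absent" if status in ALREADY_GONE else "blocked"


def parse_avenger_report(text: str) -> Dict[str, dict]:
    """Map each path to kind/status/verdict; a 'Status:' line belongs to the last failure."""
    results: Dict[str, dict] = {}
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUCCESS_RE.match(line):
            results[m.group(2)] = {"kind": m.group(1).lower(), "ok": True, "status": None}
        elif m := FAILURE_RE.match(line):
            pending = m.group(2)
            results[pending] = {"kind": m.group(1), "ok": False, "status": None}
        elif (m := STATUS_RE.match(line)) and pending is not None:
            results[pending]["status"] = int(m.group(1), 16)
            pending = None
    for e in results.values():
        e["name"] = NTSTATUS.get(e["status"], "") if e["status"] is not None else ""
        e["verdict"] = verdict(e["ok"], e["status"])
    return results


def still_present(results: Dict[str, dict]) -> List[str]:
    """Paths a follow-up pass (e.g. in safe mode) would still have to deal with."""
    return [p for p, e in results.items() if e["verdict"] == "blocked"]


# Excerpt of the report quoted in the post above, plus one constructed
# access-denied entry (placeholder path) to show the 'blocked' case.
SAMPLE_REPORT = r"""
File C:\WINDOWS\SYSTEM32\SIX.EXE deleted successfully.
Deletion of file C:\Dokumente und Einstellungen\!\Anwendungsdaten\Install.dat failed!
Status: 0xc0000034
Deletion of folder C:\PROGRAM FILES\SPYMARSHAL failed!
Status: 0xc000003a
Deletion of file C:\PLACEHOLDER\locked_example.dll failed!
Status: 0xc0000022
"""
```

Running `parse_avenger_report(SAMPLE_REPORT)` marks SIX.EXE as deleted, the Install.dat and SPYMARSHAL entries as already absent, and only the placeholder as still needing attention.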
15.03.2007, 12:34
Honorary member
Sabina

Posts: 29434
#12 Everything should be OK again now

You can run Panda or Ewido over it once more
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
15.03.2007, 20:30
Member

Thread starter

Posts: 12
#13 Hmm, Ewido found something, but I think that was just the backup from Avenger.... I'll run it again in a moment ;)
15.03.2007, 21:57
Honorary member
Sabina

Posts: 29434
#14 You can delete the backup by now ;)
__________
Regards, Sabina

all about PC security
15.03.2007, 23:09
Member

Thread starter

Posts: 12
#15 Yep, only cookies are found now. Thank you very much, Sabina ;)