Malware (Privacy Protector, Spyware&Malware Protection)

#16 Soo, hab CounterSpy laufen lassen, wie soll ich das denn entfernen, hab unter CounterSpy keine Option zum Löschen gefunden. Das ist jetzt der Report nach dem Scan con CounterSpy.

Gruß Flo
-------


Scan History Details
Start Date: 31.01.2008 10:15:25
End Date: 31.01.2008 11:03:15
Total Time: 47 Min 50 Sec
Detected security risks

SearchMiracle.EliteBar Browser Plug-in more information...
Details: Adds a search hijacker toolbar to Internet Explorer called Elite Bar.
Status: Ignored

Files detected
C:\WINDOWS\etb\etb.ini
C:\WINDOWS\etb\xml\adult.tbr
C:\WINDOWS\etb\xml\default.tbr
C:\WINDOWS\etb\xml\images\50kwincash2.bmp
C:\WINDOWS\etb\xml\images\casino.bmp
C:\WINDOWS\etb\xml\images\dating.bmp
C:\WINDOWS\etb\xml\images\findemails.bmp
C:\WINDOWS\etb\xml\images\ringtones.bmp
C:\WINDOWS\etb\xml\images\searchpeople.bmp
C:\WINDOWS\etb\xml\images\virus.bmp
C:\WINDOWS\etb\xml\search.mnu
C:\WINDOWS\ETB
C:\WINDOWS\ETB\XML
C:\WINDOWS\ETB\XML\CATEGORIES
C:\WINDOWS\ETB\XML\IMAGES

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM


Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Ignored

Registry entries detected
HKEY_USERS\.DEFAULT\SOFTWARE\WGET
HKEY_USERS\S-1-5-18\SOFTWARE\WGET
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\WGET


Trojan.FakeAlert Trojan more information...
Details: Trojan.FakeAlert consists of files that cause false warnings of spyware on the computer. Usually the alerts are displayed in a balloon type pop-up from an icon in the system tray.
Status: Ignored

Registry entries detected
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore


CoolOnlineOffers.ScreenSaver Adware Bundler more information...
Details: CoolOnlineOffers.ScreenSaver is a program which delivers advertisiment on you computer depending on your surfing behaviour.
Status: Ignored

Files detected
C:\WINDOWS\MINI Verfolgung dir\expire.scf


Dialer.Creazione Porn Dialer more information...
Status: Ignored

Files detected
C:\Hijackthis\backups\backup-20080129-082143-454.inf

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\HELPDIR


Trojan-Downloader.Agent Trojan Downloader more information...
Status: Ignored

Files detected
C:\Programme\Gemeinsame Dateien\PCSecureSystem\bm.exe

#17 ««
erstelle eine neue cfscript.txt-Datei mit Combofix (Anderung der txt -Datei zulassen ! )
http://www.virus-protect.org/artikel/tools/combofix.html

reinkopieren:

Zitat

KILLALL::

Folder::
C:\Programme\Gemeinsame Dateien\PCSecureSystem
C:\WINDOWS\etb
C:\WINDOWS\MINI Verfolgung dir

Registry::
[-HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}]
[-HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}]

««

Counterspy
Wähle bei jeder einzelnen gefundenen Malware immer -> Remove.

Dann muss man noch auf den Button 'Take Action' klicken,
den du unten links im Bild siehst.
Wenn man das nicht macht, "weiss" CounterSpy nicht, dass es eine Handlung vornehmen soll.

««
dann wende smitfraudfix an - poste hier erstmal log nr.1
http://www.virus-protect.org/artikel/tools/smitfraudfix.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#18 Soo, also mit CounterSpy hab ich jetzt alle infizierten gelöscht, Bericht folgt; dann hab SmitFraudFix im normalen und auch nochmal im abgesicherten Modus abgefahren, der Bericht als zweiter Anhang.

CounterSpy Report

Scan History Details
Start Date: 31.01.2008 11:30:18
End Date: 31.01.2008 12:12:08
Total Time: 41 Min 50 Sec
Detected security risks

SearchMiracle.EliteBar Browser Plug-in more information...
Details: Adds a search hijacker toolbar to Internet Explorer called Elite Bar.
Status: Deleted

Files detected
C:\WINDOWS\etb\etb.ini
C:\WINDOWS\etb\xml\adult.tbr
C:\WINDOWS\etb\xml\default.tbr
C:\WINDOWS\etb\xml\images\50kwincash2.bmp
C:\WINDOWS\etb\xml\images\casino.bmp
C:\WINDOWS\etb\xml\images\dating.bmp
C:\WINDOWS\etb\xml\images\findemails.bmp
C:\WINDOWS\etb\xml\images\ringtones.bmp
C:\WINDOWS\etb\xml\images\searchpeople.bmp
C:\WINDOWS\etb\xml\images\virus.bmp
C:\WINDOWS\etb\xml\search.mnu
C:\WINDOWS\ETB
C:\WINDOWS\ETB\XML
C:\WINDOWS\ETB\XML\CATEGORIES
C:\WINDOWS\ETB\XML\IMAGES

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM


Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\.DEFAULT\SOFTWARE\WGET
HKEY_USERS\S-1-5-18\SOFTWARE\WGET
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\WGET


Trojan.FakeAlert Trojan more information...
Details: Trojan.FakeAlert consists of files that cause false warnings of spyware on the computer. Usually the alerts are displayed in a balloon type pop-up from an icon in the system tray.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore
HKEY_USERS\S-1-5-21-902675340-935953771-695345433-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{7A932ED2-1737-4AB8-B84D-C71779958551}\iexplore


CoolOnlineOffers.ScreenSaver Adware Bundler more information...
Details: CoolOnlineOffers.ScreenSaver is a program which delivers advertisiment on you computer depending on your surfing behaviour.
Status: Deleted

Files detected
C:\WINDOWS\MINI Verfolgung dir\expire.scf


Dialer.Creazione Porn Dialer more information...
Status: Deleted

Files detected
C:\Hijackthis\backups\backup-20080129-082143-454.inf

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{F353EFA5-FC6D-4A93-9EE6-28BD05E2282C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{FD3A5F2B-22F3-43F8-AC5F-2F89C711E4C6}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\PROGETTO1.INT_VER32\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{391F0AC2-2CFC-4D56-A0E5-C7BEB14F26E6}\1.0\HELPDIR


Trojan-Downloader.Agent Trojan Downloader more information...
Status: Deleted

Files detected
C:\Programme\Gemeinsame Dateien\PCSecureSystem\bm.exe



SmitFraudFix v2.277

Scan done at 13:05:30,31, 31.01.2008
Run from C:\Not-OP Windrich\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4ECEB6D5-AEF1-4C71-AAD8-5D6E3F9CB8F8}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CCS\Services\Tcpip\..\{512A6F66-C511-4635-BF45-7789587AA1DD}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6275E732-0D4F-4346-98B6-2AABB88F6395}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D177A712-44F8-45A7-8883-559C5FEB4EEE}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4ECEB6D5-AEF1-4C71-AAD8-5D6E3F9CB8F8}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS1\Services\Tcpip\..\{512A6F66-C511-4635-BF45-7789587AA1DD}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6275E732-0D4F-4346-98B6-2AABB88F6395}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D177A712-44F8-45A7-8883-559C5FEB4EEE}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4ECEB6D5-AEF1-4C71-AAD8-5D6E3F9CB8F8}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS2\Services\Tcpip\..\{512A6F66-C511-4635-BF45-7789587AA1DD}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6275E732-0D4F-4346-98B6-2AABB88F6395}: DhcpNameServer=85.255.114.56,85.255.112.111
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D177A712-44F8-45A7-8883-559C5FEB4EEE}: DhcpNameServer=85.255.114.56,85.255.112.111


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#19 Erstellen eines Hijackthis-Logfiles
Als erstes mach ein neuen Ordner auf C:\ z.b. C:\HijackThis,download HijackThis.exe dahin
Download: HijackThis202
Doppelklick HijackThis.exe und installiere das Tool in C:\Programme
Am Ende steht auf dein Desktop eine verknüpfung
Starte Hijack This und klicke “Do a system scan and safe a logfile”
Save log --> hijackthis.log - Save - es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"
__________
MfG Argus

#20 So, wie gewünscht hier das HiJackLog
Gruß Flo



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:17:36, on 31.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\Npm\bin\ZLH.EXE
C:\Programme\Lexmark 3100 Series\lxbrbmgr.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\AutoSizer\AutoSizer.exe
C:\Programme\NETGEAR\WG111v2\WG111v2.exe
C:\Programme\AutoSizer\AutoSizer.exe
C:\Programme\Lexmark 3100 Series\lxbrbmon.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Programme\Hijack This\hijackthis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Programme\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Programme\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\Programme\AutoSizer\AutoSizer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutoSizer.lnk = C:\Programme\AutoSizer\AutoSizer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Programme\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.oem.de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144915396429
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5283 bytes

#21 Sieht ja schon viel besser aus

RVAXO
Download: RVAXO by Smeenk,zum Desktop
Danach doppelklicken
Öffne die Datei RVAXO und doppelklick “RVAXO.cmd”
Moeglich startet der Uninstaller von ein Roquescanner schliesse es nicht ab aber lass es seine Arbeit tun
Dein Rechner wird neu gestartet,wenn nicht
Rechner neu starten und nochmals “RVAXO.cmd” doppelklicken
Poste nachher den logfile C:\ RVAXO-results.log in dein folgender Bericht
__________
MfG Argus

#22 So da ist es!

Gruß Flo


---RVAXO.exe Updated: 2008-01-31---first run---
Files found:

Uninstallers:


Folders Found:

C:\Dokumente und Einstellungen\All Users.WINDOWS\Application Data\SalesMonitor

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

C:\Dokumente und Einstellungen\All Users.WINDOWS\Application Data\SalesMonitor
--------------RVAXO.exe finished----------------

#23 es müsste wieder alles o.k. sein
kommen noch Popups ?
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#24 Hallo Pinguin, hallo Arnold,

bin jetzt zuhause und das Ding steht bei uns in der Firma.
Werde es morgen früh mal wieder testen! Aber vorhin kamen keine Pop-Ups mehr, die Hoffnung stirbt zuletzt.
Ich danke Euch beiden schon mal ganz ganz herzlich für die tolle und sehr schnelle Hilfe.
Melde mich morgen, ob es geklappt hat.

Einen schönen Abend noch

der Flo

#25 Oeffne die Datei RVAXO auf dein Desktop
Doppleklick Uninstall.cmd um alles von RVAXO zu entfernen

Wenn noch anwesend,entfernen
C:\Dokumente und Einstellungen\All Users.WINDOWS\Application Data\SalesMonitor
__________
MfG Argus

#26 Guten Morgen,
also er hat heut morgen keinerlei Zicken gemacht. SIeht verdammt gut aus!
Das einzige Problem, was es noch hat, aber wohl in ein anderes Forum gehört ist, dass es bei einem gewollten Neustart nach dem Speichern der Einstellungen mit schwarzem Bildschirm hängen bleibt. Festplatte macht dann auch nix mehr, Lüfter läuft zeitweilig an.
Nun ja, mein Kollege nimmt dad DIng heut wieder mit nach Hause und geht da wieder ans Netz. Mal schauen, ob ich ein ruhiges Wochenende habe.
Das wünsch ich Euch aber auf jeden Fall.

Liebe Grüße
der Flo

#27 «
ich sehe gerade, dass noch nicht alles i.o. ist, die Internetverbindung wird umgeleitet.. (es kann sein, dass smitfraudfix das schon zurechtgebogen hat...dennoch:
wenn du den Rechner wieder hast:

wende fixwareout an + poste den Report
http://www.virus-protect.org/artikel/tools/fixwareout.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#28 So, hier nun der Report von fixwareout!

Gruß Flo



Username "frank" - 01.02.2008 9:26:40 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4ECEB6D5-AEF1-4C71-AAD8-5D6E3F9CB8F8}
"DhcpNameServer"="85.255.114.56,85.255.112.111" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{512A6F66-C511-4635-BF45-7789587AA1DD}
"DhcpNameServer"="85.255.114.56,85.255.112.111" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6275E732-0D4F-4346-98B6-2AABB88F6395}
"DhcpNameServer"="85.255.114.56,85.255.112.111" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{D177A712-44F8-45A7-8883-559C5FEB4EEE}
"DhcpNameServer"="85.255.114.56,85.255.112.111" <Value cleared.

Der DNS-Auflösungscache wurde geleert.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Norman ZANDA"="C:\\Norman\\Npm\\bin\\ZLH.EXE /LOAD /SPLASH"
"Lexmark 3100 Series"="\"C:\\Programme\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"H/PC Connection Agent"="\"C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Programme\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"AutoSizer"="\"C:\\Programme\\AutoSizer\\AutoSizer.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#29 jetzt scanne bitte noch mal mit smitfraudfix + poste den report
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#30 Hallo liebe Leute,

ich bin es mal wieder mit dem gleichen Problem. Heute morgen kam mein Kollege an und es waren wieder alle möglichen Probleme (wie in meinem ersten Beitrag auf der ersten Seite beschrieben) da. Habe mittlerweile alles durchgeführt, was ich beim letzten Mal auch nach Euren Anweisungen gemacht habe.

Ich setze Euch mal die ganzen Logs rein, bitte schaut mal drüber, Danke im voraus!

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:30, on 12.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Programme\Lexmark 3100 Series\lxbrbmgr.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Programme\Lexmark 3100 Series\lxbrbmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\AutoSizer\AutoSizer.exe
C:\Programme\NETGEAR\WG111v2\WG111v2.exe
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programme\Hijack This\hijackthis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: RDL Rolex - {329B2CDF-667B-4919-B6DF-5D264587E927} - C:\WINDOWS\dkxrstqkml.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Programme\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Programme\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\Programme\AutoSizer\AutoSizer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutoSizer.lnk = C:\Programme\AutoSizer\AutoSizer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Programme\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.oem.de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144915396429
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5423 bytes



SmitFraudFix
SmitFraudFix v2.301

Scan done at 14:12:35,68, 12.03.2008
Run from C:\Dokumente und Einstellungen\frank\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Programme\Lexmark 3100 Series\lxbrbmgr.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Programme\Lexmark 3100 Series\lxbrbmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\AutoSizer\AutoSizer.exe
C:\Programme\NETGEAR\WG111v2\WG111v2.exe
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\frank


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\frank\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\frank\EIGENE~1\EIGENE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



ComboFix

ComboFix 08-03-10.1 - frank 2008-03-12 9:04:34.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.273 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\frank\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\frank\Desktop\cfscript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]

FILE ::
C:\Dokumente und Einstellungen\frank\Anwendungsdaten\install_en[1].exe
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\bqxomdo.dll
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\fvqkfsp.exe
.

((((((((((((((((((((((( Dateien erstellt von 2008-02-12 bis 2008-03-12 ))))))))))))))))))))))))))))))
.

2008-03-12 08:10 . 2008-03-09 01:15 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-09 19:26 . 2008-03-07 20:17 315,392 --a------ C:\WINDOWS\apdqnxp.dll
2008-03-09 19:26 . 2008-03-07 20:17 98,304 --a------ C:\WINDOWS\fqspogw.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 13:56 19,512 ----a-w C:\WINDOWS\system32\drivers\nvcw32mf.sys
2008-01-31 13:17 --------- d-----w C:\Programme\Hijack This
2008-01-31 09:14 --------- d-----w C:\Dokumente und Einstellungen\frank\Anwendungsdaten\Sunbelt Software
2008-01-30 09:14 --------- d-----w C:\Programme\ewido anti-malware
2008-01-30 07:32 --------- d-----w C:\Programme\AutoSizer
2008-01-29 08:40 --------- d-----w C:\Programme\ClearProg
2008-01-29 07:56 --------- d-----w C:\Programme\CCleaner
.

------- Sigcheck -------

2002-08-29 13:00 12800 adbb33d5893bcf08e75ea54bb5669205 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 08:58 14336 65a819b121eb6fdab4400ea42bdffe64 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 08:58 14336 65a819b121eb6fdab4400ea42bdffe64 C:\WINDOWS\system32\svchost.exe

2005-03-02 19:09 578560 3751d7cf0e0a113d84414992146bce6a C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 19:19 578560 4c90159a69a5fd3eb39c71411f28fcff C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 16:48 579584 78785eff8cb90cec1862a4ccfd9a3c3a C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2005-03-02 19:21 562688 def116925e1ea04691ec6362f197451e C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 08:57 578560 56785fd5236d7b22cf471a6da9db46d8 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2002-11-22 12:28 530432 db15b2fe24ecce331ea3a954f6f90448 C:\WINDOWS\$NtUninstallKB890859_0$\user32.dll
2005-03-02 19:09 578560 3751d7cf0e0a113d84414992146bce6a C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2002-08-29 13:00 561664 e3daffdb1c86c1aeac1b205f6cf67009 C:\WINDOWS\$NtUninstallQ328310$\user32.dll
2004-08-04 08:57 578560 56785fd5236d7b22cf471a6da9db46d8 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2007-03-08 16:36 579072 492e166cfd26a50fb9160db536ff7d2b C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 579072 492e166cfd26a50fb9160db536ff7d2b C:\WINDOWS\system32\dllcache\user32.dll

2006-05-19 13:13 70656 970bff731d667d72fe118514063ff7ae C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2002-08-29 13:00 75264 ae894c124feb008ad1876ef655967685 C:\WINDOWS\$NtUninstallKB914388_0$\ws2_32.dll
2004-08-04 08:57 82944 d569240a22421d5f670bb6fb6dd522b5 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 08:57 82944 d569240a22421d5f670bb6fb6dd522b5 C:\WINDOWS\system32\ws2_32.dll

2002-08-29 13:00 521728 616896b708286da98d6a099293f181d7 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 08:58 507392 2b6a0baf33a9918f09442d873848ff72 C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 08:58 507392 2b6a0baf33a9918f09442d873848ff72 C:\WINDOWS\system32\winlogon.exe

2002-08-29 13:00 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-04 07:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-04 07:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-02 19:06 2059136 bdff8ffa77ee7df9758ef8c1e0da8eff C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-02 19:11 2059264 ae8364004bbfd70461d2ef34888d3360 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 19:43 2061696 d3767e1a7e6674ce671a8a8254945c29 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 17:06 2061696 9b9ca27ad315c02b71510238574894b2 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2005-03-02 19:16 1958016 711cc10cc618dd6265379eeb037fe333 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2002-11-05 12:31 1950592 e88687ffb7d6eda437a1b48d4589e9d5 C:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-04 08:50 2059136 ce41fc4c06499a389d39b301879535fb C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2004-10-28 02:25 1958016 7f92cc955016dd28198ff7e5ffd614e2 C:\WINDOWS\$NtUninstallKB890859_0$\ntkrnlpa.exe
2005-03-02 19:06 2059136 bdff8ffa77ee7df9758ef8c1e0da8eff C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 19:21 2059904 949708e7258538bcee597aad521fe4f9 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2002-08-29 13:00 1950080 ad669b66162c858a22a2454a138ecb88 C:\WINDOWS\$NtUninstallQ330089$\ntkrnlpa.exe
2007-02-28 17:02 2059904 06effe1520c59641fcdb8baa94a8539f C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 08:50 2059136 ce41fc4c06499a389d39b301879535fb C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2007-02-28 17:02 2059904 06effe1520c59641fcdb8baa94a8539f C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 17:02 2059904 06effe1520c59641fcdb8baa94a8539f C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-02 19:06 2181632 7189a2391adc1f65c9ae87b0abe0f945 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-02 19:11 2181888 eb5538a452e0e99169e2b6cdb62ff9d2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 19:43 2184320 00c476049fecf1d3a05c783015b9b518 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 17:06 2184448 e1de7a10d46959560c3b617227d95c19 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2005-03-02 19:16 2043008 a64548e903c68eedf5e2eee60cc7d36c C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2002-11-05 12:31 1926912 4ecaa167ee4f0fd41347f1f18ae1179a C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-04 08:50 2183296 dc888c9c4ca0eea7a3cb7e6b610f75c7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2004-10-28 02:25 2090624 786d67ef40228d34344d86e2b5474a5d C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe
2005-03-02 19:06 2181632 7189a2391adc1f65c9ae87b0abe0f945 C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 19:21 2182656 f11b21daff0af34c56b18500c47717d5 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2002-08-29 13:00 2044416 d27f8835923cf08c9cc2e277313c44e0 C:\WINDOWS\$NtUninstallQ330089$\ntoskrnl.exe
2007-02-28 17:02 2182656 2804b72eb675cd43df7994ae4685b894 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 08:50 2183296 dc888c9c4ca0eea7a3cb7e6b610f75c7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2007-02-28 17:02 2182656 2804b72eb675cd43df7994ae4685b894 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 17:02 2182656 2804b72eb675cd43df7994ae4685b894 C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 14:21 1036288 64d320c0e301eedc5a4adbbdc5024f7f C:\WINDOWS\explorer.exe
2007-06-13 14:10 1036288 331ed93570baf3cfe30340298762cd56 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-08-29 13:00 1007104 22b0a56e6c5847292437078b484ec61b C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 08:57 1035264 22fe1be02eadde1632e478e4125639e0 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 08:57 1035264 22fe1be02eadde1632e478e4125639e0 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 14:21 1036288 64d320c0e301eedc5a4adbbdc5024f7f C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{329B2CDF-667B-4919-B6DF-5D264587E927}]
C:\WINDOWS\dkxrstqkml.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE" [2002-01-12 04:43 401496]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"swg"="C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 08:13 68856]
"AutoSizer"="C:\Programme\AutoSizer\AutoSizer.exe" [2008-01-29 13:58 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:39 183352]
"Lexmark 3100 Series"="C:\Programme\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 03:43 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 15:57 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe"=

R1 ewido security suite driver;ewido security suite driver;C:\Programme\ewido anti-malware\guard.sys [2005-12-30 12:12]
R2 Ndiskio;Ndiskio;c:\norman\nse\bin\ndiskio.sys [2007-01-02 09:55]
R3 AVMBTSERIAL;AVM Bluetooth Serial Port;C:\WINDOWS\system32\DRIVERS\avmbtser.sys [2003-01-16 01:00]
R3 AVMWAN;NDIS WAN CAPI Treiber;C:\WINDOWS\system32\DRIVERS\avmwan.sys [2001-11-08 01:00]
R3 NETBFPAN;AVM Bluetooth PAN Adapter;C:\WINDOWS\system32\DRIVERS\netbfpan.sys [2003-01-16 01:00]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 14:56]
R3 nvcoas;Norman Virus Control on-access component;C:\NORMAN\Nvc\BIN\nvcoas.exe [2007-12-12 11:45]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\NORMAN\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]
S2 Ca536av;DV 4100M(Video);C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 12:47]
S3 BFUBASE;BlueFRITZ! USB (WinXP/2000);C:\WINDOWS\system32\DRIVERS\bfubase.sys [2003-01-16 01:00]
S3 fxusbase;Teledat X120 (WinXP/2000);C:\WINDOWS\system32\DRIVERS\fxusbase.sys [2001-11-08 01:00]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2004-08-12 08:30]
S3 NETFRITZ;AVM FRITZ!web PPP over ISDN;C:\WINDOWS\system32\DRIVERS\NETFRITZ.SYS []
S3 nvcfsr;nvcfsr;C:\NORMAN\Nvc\BIN\nvcfsr.sys [2007-01-09 14:25]
S3 nvcoafl51;nvcoafl51;C:\NORMAN\Nvc\BIN\nvcoafl51.sys [2007-01-09 14:25]
S3 nvcoaft51;nvcoaft51;C:\NORMAN\Nvc\BIN\nvcoaft51.sys [2007-01-09 14:25]
S3 nvcoarc51;nvcoarc51;C:\NORMAN\Nvc\BIN\nvcoarc51.sys [2007-01-09 14:25]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-27 17:53]
S3 USBCamera;DV 4100M(Still);C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
S3 WLAN11;IEEE 802.11 Wireless LAN PC Card Win2K Driver;C:\WINDOWS\system32\DRIVERS\WLAN11k.sys [2001-05-16 14:43]

.
Inhalt des "geplante Tasks" Ordners
"2008-02-01 15:00:01 C:\WINDOWS\Tasks\{4A9DE7D2-9426-462C-9CFE-2BC6B5486AA9}_FRANK_frank.job"
- C:\WINDOWS\system32\mobsync.exe
"2008-02-01 15:00:01 C:\WINDOWS\Tasks\{4BCFE478-FA83-4D1A-9C31-AC84166C30EC}_FRANK_frank.job"
- C:\WINDOWS\system32\mobsync.exe
"2008-03-12 08:00:00 C:\WINDOWS\Tasks\{B1650126-AE6F-453E-9D20-CE1DCD22CB37}_FRANK_frank.job"
- C:\WINDOWS\system32\mobsync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 09:13:41
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Programme\AutoSizer\AutoSizer.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Norman\Nvc\BIN\NIP.EXE
C:\Programme\Lexmark 3100 Series\lxbrbmon.exe
C:\Programme\NETGEAR\WG111v2\WG111v2.exe
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Norman\Npm\bin\NJEEVES.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-03-12 9:19:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 08:19:13
ComboFix2.txt 2008-03-12 07:51:33
ComboFix3.txt 2008-01-31 11:45:14
.
2008-02-15 18:06:27 --- E O F ---



FIxWareOut

Username "frank" - 12.03.2008 13:58:07 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Der DNS-Auflösungscache wurde geleert.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Norman ZANDA"="C:\\Norman\\Npm\\bin\\ZLH.EXE /LOAD /SPLASH"
"Lexmark 3100 Series"="\"C:\\Programme\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"LXBRKsk"="C:\\PROGRA~1\\LEXMAR~1\\LXBRKsk.exe"
"SBCSTray"="C:\\Programme\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"H/PC Connection Agent"="\"C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Programme\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"AutoSizer"="\"C:\\Programme\\AutoSizer\\AutoSizer.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


RVAXO

---RVAXO.exe Updated: 2008-03-11---first run---
Uninstallers:

Files found:
C:\WINDOWS\fqspogw.exe
C:\WINDOWS\apdqnxp.dll

Folders Found:

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------
Not deleted items:

--------------RVAXO.exe finished----------------