"Search for..." start page keeps coming back!

Topic is closed!

05.05.2005, 15:52
Honorary member
Avatar Sabina

Posts: 29434
#421 Hello @kneidi

I don't understand what you mean...... please carry out what I wrote..... and do it correctly, and then post the new HijackThis log
__________
Kind regards, Sabina

all about PC security
05.05.2005, 17:16
...new here

Posts: 10
#422 Hi Sabina,
I did it exactly as you wrote. Unfortunately I just couldn't delete the bootcom key, and with rkfiles.bat it took forever until it was finished. Unfortunately it also didn't find some things...

Here is the current HijackThis log:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 17:12:53, on 05.05.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wwSecure.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Webroot\Washer\wwDisp.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\System32\LVComS.exe
C:\Programme\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.at/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = myproxy.netpark.at:8080
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Programme\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: Download with Go!Zilla - file://F:\Programme\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E23DEDBC-B8FE-47BE-9881-0692758326B2} - (no file) (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe-->Scanned file: rpcss_pl.exe rpcss_pl.exe - infected by Trojan-Downloader.Win32.Zlob.f
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\GEMEIN~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

And here is the log.txt:

Quote

C:\Programme\Rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ClrSchP012.dll: UPX!
C:\WINDOWS\system32\ClrSchP0121.dll: UPX!
C:\WINDOWS\system32\cm1.dll: UPX!
C:\WINDOWS\system32\ctbv2.dll: UPX!
C:\WINDOWS\system32\exactsetup.dll: UPX!
C:\WINDOWS\system32\ezStubi.dll: UPX!
C:\WINDOWS\system32\fly.dll: UPX!
C:\WINDOWS\system32\idr_17b.exe: UPX!
C:\WINDOWS\system32\ignet.dll: UPX!
C:\WINDOWS\system32\ignet2.dll: UPX!
C:\WINDOWS\system32\in10b6.dll: UPX!
C:\WINDOWS\system32\installer_im.dll: UPX!
C:\WINDOWS\system32\lame_enc.dll: UPX!
C:\WINDOWS\system32\msasmsn7.dll: UPX!
C:\WINDOWS\system32\ncase.dll: UPX!
C:\WINDOWS\system32\ncase2.dll: UPX!
C:\WINDOWS\system32\NLNP13.dll: UPX!
C:\WINDOWS\system32\nostalgia.dll: UPX!
C:\WINDOWS\system32\perfcl.exe: UPX!
C:\WINDOWS\system32\pr1ze5.dll: UPX!
C:\WINDOWS\system32\SHAgent.dll: UPX!
C:\WINDOWS\system32\SHAgent1007.dll: UPX!
C:\WINDOWS\system32\sstep026.dll: UPX!
C:\WINDOWS\system32\taskschd.exe: UPX!
C:\WINDOWS\system32\UninstXviDDec.exe: UPX!
C:\WINDOWS\system32\wauctl9x.exe: UPX!
C:\WINDOWS\system32\wds19us.exe: UPX!
C:\WINDOWS\system32\wuactl2.exe: UPX!
C:\WINDOWS\system32\Xcite.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
C:\WINDOWS\system32\ClrSchP012.dll: UPX!
C:\WINDOWS\system32\ClrSchP0121.dll: UPX!
C:\WINDOWS\system32\cm1.dll: UPX!
C:\WINDOWS\system32\ctbv2.dll: UPX!
C:\WINDOWS\system32\exactsetup.dll: UPX!
C:\WINDOWS\system32\ezStubi.dll: UPX!
C:\WINDOWS\system32\fly.dll: UPX!
C:\WINDOWS\system32\idr_17b.exe: UPX!
C:\WINDOWS\system32\ignet.dll: UPX!
C:\WINDOWS\system32\ignet2.dll: UPX!
C:\WINDOWS\system32\in10b6.dll: UPX!
C:\WINDOWS\system32\installer_im.dll: UPX!
C:\WINDOWS\system32\lame_enc.dll: UPX!
C:\WINDOWS\system32\msasmsn7.dll: UPX!
C:\WINDOWS\system32\ncase.dll: UPX!
C:\WINDOWS\system32\ncase2.dll: UPX!
C:\WINDOWS\system32\NLNP13.dll: UPX!
C:\WINDOWS\system32\nostalgia.dll: UPX!
C:\WINDOWS\system32\perfcl.exe: UPX!
C:\WINDOWS\system32\pr1ze5.dll: UPX!
C:\WINDOWS\system32\SHAgent.dll: UPX!
C:\WINDOWS\system32\SHAgent1007.dll: UPX!
C:\WINDOWS\system32\sstep026.dll: UPX!
C:\WINDOWS\system32\taskschd.exe: UPX!
C:\WINDOWS\system32\UninstXviDDec.exe: UPX!
C:\WINDOWS\system32\wauctl9x.exe: UPX!
C:\WINDOWS\system32\wds19us.exe: UPX!
C:\WINDOWS\system32\wuactl2.exe: UPX!
C:\WINDOWS\system32\Xcite.dll: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\Unwash6.exe: UPX!
Finished
bye
what comes next?
thx in advance! kneidi
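The two logs above can be screened mechanically for the patterns this thread turns on. The following is an added example, not code from the post or from HijackThis; the allowlists CORE_SERVICES and SYSTEM32_AUTOSTART_OK are assumptions an analyst would maintain, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example for this thread; it is not code from the forum post or
from HijackThis. It parses the R1/O2/O4/O23 line formats shown in the
logs above and flags: a service with no vendor, a service name that
imitates a core Windows service (RPCSS+ next to rpcss), an autostart
living directly in System32 under an unfamiliar name, an unnamed BHO,
and IE search settings pointing into a Temp folder.
"""
import re

# Assumptions: small analyst-maintained lists, not part of HijackThis.
CORE_SERVICES = {"rpcss", "dcomlaunch", "lanmanserver", "eventlog"}
SYSTEM32_AUTOSTART_OK = {"ctfmon.exe", "rundll32.exe", "dumprep"}

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
                    r"(?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[^}]+\} - (?P<path>.+)$")


def _first_token(cmd):
    """Return the executable part of an O4 command line (quotes respected)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _check_service(m):
    reasons = []
    if m["owner"].lower() == "unknown owner":
        reasons.append("service has no vendor string")
    name = m["name"].lower()
    stripped = re.sub(r"[^a-z0-9]", "", name)      # "rpcss+" -> "rpcss"
    if stripped != name and stripped in CORE_SERVICES:
        reasons.append("service name imitates core service '%s'" % stripped)
    return reasons


def _check_autostart(m):
    exe = _first_token(m["cmd"]).lower()
    base = exe.rsplit("\\", 1)[-1]
    if "\\system32\\" in exe and base not in SYSTEM32_AUTOSTART_OK:
        return ["autostart runs unfamiliar binary from System32: " + base]
    return []


def _check_ie_setting(m):
    key, value = m["key"], m["value"]
    if "\\temp\\" in value.lower():
        return ["IE search setting loads content from a Temp folder"]
    if key.endswith("SearchAssistant") and value == "about:blank":
        return ["SearchAssistant forced to about:blank (typical of CWS-style hijacks)"]
    return []


def triage(lines):
    """Return [(line, reason), ...] for every suspicious log line."""
    findings = []
    for line in lines:
        line = line.strip()
        reasons = []
        if (m := O23_RE.match(line)):
            reasons = _check_service(m)
        elif (m := O4_RE.match(line)):
            reasons = _check_autostart(m)
        elif (m := R_RE.match(line)):
            reasons = _check_ie_setting(m)
        elif (m := O2_RE.match(line)) and m["name"] == "(no name)":
            reasons = ["BHO without a name"]
        findings.extend((line, r) for r in reasons)
    return findings


# Sample lines copied from the logs posted in this thread.
SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = myproxy.netpark.at:8080",
    r"O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
    r"O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Thomas\LOKALE~1\Temp\se.dll/sp.html",
]
```

Running `triage(SAMPLE)` flags the SearchAssistant reset, the unnamed BHO, wauctlxp4.exe, RPCSS+ (twice) and the Temp-folder search bar, and leaves the NVIDIA, ctfmon, dumprep, RUNDLL32 and proxy lines alone.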
05.05.2005, 17:43
Honorary member
Avatar Sabina

Posts: 29434
#423 Hello @kneidi

KILLBOX:
http://www.bleepingcomputer.com/files/killbox.php
1. Disconnect from the internet and close all running programs
2. Double-click Killbox.exe and leave it open
3. In Killbox click on Delete on Reboot (red box)

Enter this file at the top in the Full Path of File to Delete box, either (1) by typing the path listed below there or (2) by searching for the file on the computer

C:\WINDOWS\Unwash6.exe
C:\WINDOWS\system32\ClrSchP012.dll
C:\WINDOWS\system32\ClrSchP0121.dll
C:\WINDOWS\system32\cm1.dll
C:\WINDOWS\system32\ctbv2.dll
C:\WINDOWS\system32\exactsetup.dll
C:\WINDOWS\system32\ezStubi.dll
C:\WINDOWS\system32\fly.dll
C:\WINDOWS\system32\idr_17b.exe
C:\WINDOWS\system32\ignet.dll
C:\WINDOWS\system32\ignet2.dll
C:\WINDOWS\system32\in10b6.dll
C:\WINDOWS\system32\installer_im.dll
C:\WINDOWS\system32\lame_enc.dll
C:\WINDOWS\system32\msasmsn7.dll
C:\WINDOWS\system32\ncase.dll
C:\WINDOWS\system32\ncase2.dll
C:\WINDOWS\system32\NLNP13.dll
C:\WINDOWS\system32\nostalgia.dll
C:\WINDOWS\system32\perfcl.exe
C:\WINDOWS\system32\pr1ze5.dll
C:\WINDOWS\system32\SHAgent.dll
C:\WINDOWS\system32\SHAgent1007.dll
C:\WINDOWS\system32\sstep026.dll
C:\WINDOWS\system32\taskschd.exe
C:\WINDOWS\system32\UninstXviDDec.exe
C:\WINDOWS\system32\wauctl9x.exe
C:\WINDOWS\system32\wds19us.exe
C:\WINDOWS\system32\wuactl2.exe
C:\WINDOWS\system32\Xcite.dll
c:\windows\System32\drivers\bootcom.sys

5. Click Yes at the Delete on Reboot prompt.
6. Click No at the running processes prompt
7. Click the Delete File button (looks like a stop sign) (3).
8. Click Yes at the Delete on Reboot prompt.
9. Click Yes at the running processes prompt to restart the computer. Let the computer restart.
10. If the following message appears, perform a manual restart: "PendingFileRenameOperations Registry Data has been Removed by External Process!"

Restart the PC


fix with HijackThis:


O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe

restart and post the new HijackThis log

+

http://bilder.informationsarchiv.net/Nikitas_Tools/FindIt.zip
please post the text file

-----------------
INFO.

"Trojan-Clicker.Win32.Agent.cg"

C:\WINDOWS\system32\wuactl2.exe
__________
Kind regards, Sabina

all about PC security
05.05.2005, 21:01
...new here

Posts: 10
#424 Hello Sabina!
Many thanks again for your help! I think things are progressing now.

Here is the log.txt:

Quote

C:\Programme\Rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
... and here is the HijackThis log:
by the way, the proxy server is fine, I set that myself (my provider is called netpark)

Quote

Logfile of HijackThis v1.99.1
Scan saved at 20:17:28, on 05.05.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\System32\LVComS.exe
C:\Programme\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.at/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = myproxy.netpark.at:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Programme\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: Download with Go!Zilla - file://F:\Programme\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E23DEDBC-B8FE-47BE-9881-0692758326B2} - (no file) (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\GEMEIN~1\SONYSH~1\AVLib\Sptisrv.exe
best regards
kneidi
06.05.2005, 00:28
Honorary member
Avatar Sabina

Posts: 29434
#425 Hello @kneidi

To open the service management console explicitly, enter the command services.msc under Start > Run.

then select the Services entry. All running services are now displayed. Find the item "RPC+ Service Provider (RPCSS+)" here. If "started" is shown under Status, right-click it and choose the "Properties" option. Do not choose "Stop the service", because then the "RPC+ Service Provider (RPCSS+)" will be run again at the next system start.

Select "disabled" as the startup type and close the service status with "Stop". Now click "Apply". The " " no longer runs in the background and is no longer run on a restart.

Fix with HijackThis:


O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E23DEDBC-B8FE-47BE-9881-0692758326B2} - (no file) (HKCU)
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe

Restart the PC

--------------------------------------------------------------------------

Start --> Run --> paste in:

sc delete rpcss+

press enter

--------------------------------------------------------------------------
Go into the registry

do you find this?????
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys

•Download Registry Search Tool:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Double-click: regsrch.vbs

paste in:


RPC+ Service Provider

Press 'OK'
wait until the search is finished. (please post the result)

RPCSS+

Press 'OK'
wait until the search is finished. (please post the result)

BOOTCOM

Press 'OK'
wait until the search is finished. (please post the result)


Delete with Killbox: --> Full path of file to delete / Select the Delete on reboot option.

C:\WINDOWS\System32\rpcss_pl.exe

Restart the PC

------------------------------------------------------------------------

INFO:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss
Description REG_SZ Provides the endpoint mapper and other miscellaneous RPC services.
DisplayName REG_SZ Remote Procedure Call (RPC)
ErrorControl REG_DWORD 0x1
Group REG_SZ COM Infrastructure
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost -k rpcss
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x20
FailureActions REG_BINARY 00000000000000000000000001000000000000000200000060EA0000

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Parameters

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Security

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Enum

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+
DrvMode REG_DWORD 0x225
Type REG_DWORD 0x10
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ C:\WINDOWS\System32\rpcss_pl.exe
DisplayName REG_SZ RPC+ Service Provider
Group REG_SZ COM Infrastructure
ObjectName REG_SZ LocalSystem
Description REG_SZ RPC+ Service Provider

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+\Security

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+\Enum

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM
Type REG_DWORD 0x1
Start REG_DWORD 0x0
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ System32\drivers\bootcom.sys
DisplayName REG_SZ BOOTCOM
Group REG_SZ System Reserved

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM\Security

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM\Enum

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys
__________
Kind regards, Sabina

all about PC security
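The INFO block above sets the genuine rpcss service next to the RPCSS+ and BOOTCOM keys. The following is an added example, not code from the post or from reg.exe: it parses that "! REG.EXE VERSION 3.0" output format, decodes the Type and Start DWORDs, and reports what makes the two extra keys stand out. KNOWN_VALUES is an assumed analyst allowlist, and the sample input is the dump quoted above, trimmed.

```python
"""Decode a `reg query`-style dump of service keys.

Added example for this thread, not code from the forum post or from
reg.exe. It reads the "! REG.EXE VERSION 3.0" output shown in the INFO
block above, decodes each HKLM\...\Services\<name> key, and reports
what makes RPCSS+ and BOOTCOM stand out next to the genuine rpcss.
"""
import re

SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
VALUE_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")

TYPE_NAMES = {0x1: "kernel driver", 0x2: "file system driver",
              0x10: "own process", 0x20: "shared process"}
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
# Value names normally found under a service key (assumption: analyst
# allowlist); anything else deserves a look.
KNOWN_VALUES = {"Type", "Start", "ErrorControl", "ImagePath", "DisplayName",
                "Group", "ObjectName", "Description", "FailureActions",
                "DependOnService", "DependOnGroup", "Tag"}


def parse_reg_query(text):
    """Return {service: {value_name: value}} for each Services\\<name> key."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.upper().startswith("HKEY_"):
            m = SERVICE_KEY_RE.match(line)      # sub-keys (Security, Enum) are skipped
            current = services.setdefault(m.group(1), {}) if m else None
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            name, kind, value = m.groups()
            current[name] = int(value, 16) if kind == "REG_DWORD" else value
    return services


def describe(services):
    """Return {service: [observations]}; anomalies are phrased as findings."""
    report = {}
    for name, vals in services.items():
        notes = []
        stype, start = vals.get("Type"), vals.get("Start")
        image = str(vals.get("ImagePath", ""))
        if stype is not None:
            notes.append("type: " + TYPE_NAMES.get(stype, hex(stype)))
        if start is not None:
            notes.append("start: " + START_NAMES.get(start, hex(start)))
        if vals.get("Group") == "COM Infrastructure" and "svchost" not in image.lower():
            notes.append("claims the COM Infrastructure group but does not run "
                         "inside svchost: " + image)
        if stype == 0x1 and start == 0 and vals.get("Group") == "System Reserved":
            notes.append("boot-start kernel driver in the earliest load group: " + image)
        extra = sorted(set(vals) - KNOWN_VALUES)
        if extra:
            notes.append("non-standard value names: " + ", ".join(extra))
        if not vals:
            notes.append("key listed without any values")
        report[name] = notes
    return report


# Sample input: the reg.exe output quoted in this thread, trimmed.
SAMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss
    DisplayName REG_SZ Remote Procedure Call (RPC)
    Group REG_SZ COM Infrastructure
    ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost -k rpcss
    Start REG_DWORD 0x2
    Type REG_DWORD 0x20

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Parameters

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+
    DrvMode REG_DWORD 0x225
    Type REG_DWORD 0x10
    Start REG_DWORD 0x2
    ImagePath REG_EXPAND_SZ C:\WINDOWS\System32\rpcss_pl.exe
    DisplayName REG_SZ RPC+ Service Provider
    Group REG_SZ COM Infrastructure

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM
    Type REG_DWORD 0x1
    Start REG_DWORD 0x0
    ErrorControl REG_DWORD 0x1
    ImagePath REG_EXPAND_SZ System32\drivers\bootcom.sys
    DisplayName REG_SZ BOOTCOM
    Group REG_SZ System Reserved

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys
"""
```

`describe(parse_reg_query(SAMPLE))` reports rpcss as a plain shared-process svchost service, RPCSS+ as an own-process binary claiming the COM Infrastructure group with a non-standard DrvMode value, and BOOTCOM as a boot-start kernel driver in the earliest load group.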
07.05.2005, 19:23
...new here

Posts: 10
#426 @ Sabina:
Unfortunately I can't stop the service! Not even in safe mode...

So I entered "services.msc" under Run, then went to "RPC+ Service Provider" and clicked Properties, then straight away "Startup type: Disabled" (under the "General" section) and wanted to apply it, and then it shows me "Access denied"!

Under service status it says "Started", and below that I can't click anything, since the 4 buttons are greyed out (i.e. disabled).

Do you have a solution for how I could end the process?
I know, I'm really no expert - sorry! ;-)
07.05.2005, 19:50
Honorary member
Avatar Sabina

Posts: 29434
#427 kneidi

we had already agreed that you only carry out what I ask you to; then I'll find a way to solve the problem ;)

So please work through exactly what I wrote (exactly so...)

Quote

Fix with HijackThis:

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E23DEDBC-B8FE-47BE-9881-0692758326B2} - (no file) (HKCU)
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe

Restart the PC

--------------------------------------------------------------------------

Start --> Run --> paste in:

sc delete rpcss+

press enter

--------------------------------------------------------------------------
Go into the registry

do you find this?????
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys

•Download Registry Search Tool:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Double-click: regsrch.vbs

paste in:

RPC+ Service Provider

Press 'OK'
wait until the search is finished. (please post the result)

RPCSS+

Press 'OK'
wait until the search is finished. (please post the result)

BOOTCOM

Press 'OK'
wait until the search is finished. (please post the result)


Delete with Killbox: --> Full path of file to delete / Select the Delete on reboot option.

C:\WINDOWS\System32\rpcss_pl.exe

Restart the PC

------------------------------------------------------------------------

__________
Kind regards, Sabina

all about PC security
07.05.2005, 20:36
...new here

Posts: 10
#428 Hello Sabina,
so I've now done it the way you wrote.
However, I think something is now wrong with the PC. The RPC module is probably missing (I had that problem once before).
It didn't show me that it's missing, but in the taskbar (i.e. the blue strip at the very bottom of the screen) the programs are no longer shown as being open.

Hope I did the right thing.
Here are the log files:

RPC+ Service Provider

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "RPC+ Service Provider" 07.05.2005 20:18:02

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCSS+\0000]
"DeviceDesc"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RPCSS+]
"DisplayName"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RPCSS+]
"Description"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCSS+\0000]
"DeviceDesc"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RPCSS+]
"DisplayName"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RPCSS+]
"Description"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_RPCSS+\0000]
"DeviceDesc"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RPCSS+]
"DisplayName"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RPCSS+]
"Description"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS+\0000]
"DeviceDesc"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS+]
"DisplayName"="RPC+ Service Provider"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS+]
"Description"="RPC+ Service Provider"
RPCSS+

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "RPCSS+" 07.05.2005 20:21:13

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCSS+\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCSS+\0000]
"Service"="RPCSS+"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RPCSS+\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCSS+\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCSS+\0000]
"Service"="RPCSS+"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCSS+\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCSS+\0000\Control]
"ActiveService"="RPCSS+"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RPCSS+\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RPCSS+\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RPCSS+\Enum]
"0"="Root\\LEGACY_RPCSS+\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\SafeBoot\Minimal\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\SafeBoot\Network\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_RPCSS+\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_RPCSS+\0000]
"Service"="RPCSS+"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Eventlog\Application\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RPCSS+\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS+\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS+\0000]
"Service"="RPCSS+"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS+\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS+\0000\Control]
"ActiveService"="RPCSS+"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS+]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS+\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS+\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS+\Enum]
"0"="Root\\LEGACY_RPCSS+\\0000"

[HKEY_USERS\S-1-5-21-1454471165-1935655697-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"d"="sc delete rpcss+\\1"
BOOTCOM

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "BOOTCOM" 07.05.2005 20:24:11

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BOOTCOM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BOOTCOM\0000]
"Service"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BOOTCOM\0000]
"DeviceDesc"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BOOTCOM\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BOOTCOM]
"DisplayName"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BOOTCOM\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BOOTCOM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BOOTCOM\0000]
"Service"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BOOTCOM\0000]
"DeviceDesc"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BOOTCOM\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BOOTCOM\0000\Control]
"ActiveService"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BOOTCOM]
"DisplayName"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BOOTCOM\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BOOTCOM\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BOOTCOM\Enum]
"0"="Root\\LEGACY_BOOTCOM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BOOTCOM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BOOTCOM\0000]
"Service"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BOOTCOM\0000]
"DeviceDesc"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BOOTCOM]
"DisplayName"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BOOTCOM\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOTCOM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOTCOM\0000]
"Service"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOTCOM\0000]
"DeviceDesc"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOTCOM\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOTCOM\0000\Control]
"ActiveService"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOOTCOM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOOTCOM]
"DisplayName"="BOOTCOM"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOOTCOM\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOOTCOM\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOOTCOM\Enum]
"0"="Root\\LEGACY_BOOTCOM\\0000"
and you may also need the HijackThis log:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 20:37:08, on 07.05.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Programme\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Thomas\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Thomas\LOKALE~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hanssoellner.at/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = myproxy.netpark.at:8080
O2 - BHO: (no name) - {55C299C2-FFFF-43E8-9050-D2D0F4D25EF9} - C:\WINDOWS\System32\kgf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Thomas\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E23DEDBC-B8FE-47BE-9881-0692758326B2} - (no file) (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Filter: text/html - {A4DF964E-B5F7-43A0-B5BA-3E3AADDDAE0D} - C:\WINDOWS\System32\kgf.dll
O18 - Filter: text/plain - {A4DF964E-B5F7-43A0-B5BA-3E3AADDDAE0D} - C:\WINDOWS\System32\kgf.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\GEMEIN~1\SONYSH~1\AVLib\Sptisrv.exe
well then, thanks for your reply ;-)
kneidi
08.05.2005, 14:43
...new here

Posts: 4
#429 Hi Sabina, sorry that I'm replying to post #410 so late!
I deleted all the files you told me to.
Here are the logs I was supposed to make:

-------------------------------------------------------------------------

1)

(8.5.05 14:16:42) SPSeHjFix started v1.1.1
(8.5.05 14:16:42) OS: WinXP Service Pack 1 (5.1.2600)
(8.5.05 14:16:42) Language: deutsch
(8.5.05 14:16:43) Disinfection started
(8.5.05 14:16:43) Bad-Dll(IEP): c:\dokume~1\rakzero\lokale~1\temp\se.dll
(8.5.05 14:16:43) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\ghfd.dll
(8.5.05 14:16:43) Searchassistant Uninstaller - Keys Deleted
(8.5.05 14:16:43) FilterKey: HKCR\text/html (deleted)
(8.5.05 14:16:43) FilterKey: HKCR\CLSID\{AEFB402A-EAE3-4F5E-9766-257F9567A4F4} (deleted)
(8.5.05 14:16:43) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(8.5.05 14:16:43) FilterKey: HKCR\text/plain (deleted)
(8.5.05 14:16:43) FilterKey: HKCR\CLSID\{AEFB402A-EAE3-4F5E-9766-257F9567A4F4} (error while deleting)
(8.5.05 14:16:43) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(8.5.05 14:16:43) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AD234D0-11DC-4462-8F6E-55B030A88333} (deleted)
(8.5.05 14:16:43) BHO-Key: HKCR\CLSID\{1AD234D0-11DC-4462-8F6E-55B030A88333} (deleted)
(8.5.05 14:16:43) UBF: 6
(8.5.05 14:16:43) UBB: 3
(8.5.05 14:16:43) UBR: 14
(8.5.05 14:16:43) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll,DllInstall (deleted)
(8.5.05 14:16:43) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\dokume~1\rakzero\lokale~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\dokume~1\rakzero\lokale~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(8.5.05 14:16:43) Stealth-String not found
(8.5.05 14:16:43) Temp-Files delete on Reboot
(8.5.05 14:16:43) File added to delete: c:\windows\system32\ghfd.dll
(8.5.05 14:16:43) File added to delete: c:\dokume~1\rakzero\lokale~1\temp\se.dll
(8.5.05 14:16:43) File added to delete: c:\dokume~1\rakzero\lokale~1\temp\~df2f50.tmp
(8.5.05 14:16:43) File added to delete: c:\dokume~1\rakzero\lokale~1\temp\~df9985.tmp
(8.5.05 14:16:43) Reboot

------------------------------------------------------------------------

2)
Ad-Aware SE Build 1.05
Logfile Created on:Sonntag, 08. Mai 2005 14:00:21
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):11 total references
AltnetBDE(TAC index:4):25 total references
Claria(TAC index:7):20 total references
CoolWebSearch(TAC index:10):20 total references
Cydoor(TAC index:7):63 total references
MRU List(TAC index:0):9 total references
Possible Browser Hijack attempt(TAC index:3):1 total references
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


08.05.2005 14:00:21 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Rakzero\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 468
ThreadCreationTime : 08.05.2005 12:59:32
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 708
ThreadCreationTime : 08.05.2005 12:59:37
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 732
ThreadCreationTime : 08.05.2005 12:59:38
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 776
ThreadCreationTime : 08.05.2005 12:59:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 788
ThreadCreationTime : 08.05.2005 12:59:39
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 976
ThreadCreationTime : 08.05.2005 12:59:39
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1020
ThreadCreationTime : 08.05.2005 12:59:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1096
ThreadCreationTime : 08.05.2005 12:59:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1276
ThreadCreationTime : 08.05.2005 12:59:40
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1304
ThreadCreationTime : 08.05.2005 12:59:40
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1640
ThreadCreationTime : 08.05.2005 12:59:40
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [atkkbservice.exe]
FilePath : C:\WINDOWS\
ProcessID : 1824
ThreadCreationTime : 08.05.2005 12:59:41
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : ASUS Keyboard Service
CompanyName : ASUSTeK COMPUTER INC.
FileDescription : ASUS Keyboard Service
InternalName : ATKKBService
LegalCopyright : Copyright (C) 2004 @ASUSTeK COMPUTER INC.
OriginalFilename : ATKKBService.exe

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1940
ThreadCreationTime : 08.05.2005 12:59:41
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [tmntsrv.exe]
FilePath : C:\Programme\Trend Micro\Internet Security\
ProcessID : 1956
ThreadCreationTime : 08.05.2005 12:59:41
BasePriority : Normal
FileVersion : 11.41.0.5021
ProductVersion : 11.41.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : Tmntsrv
InternalName : Tmntsrv
LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : Tmntsrv.exe

#:15 [tmproxy.exe]
FilePath : C:\Programme\Trend Micro\Internet Security\
ProcessID : 1968
ThreadCreationTime : 08.05.2005 12:59:41
BasePriority : Normal
FileVersion : 11.40.0.5015
ProductVersion : 11.40.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : TmProxy.exe
InternalName : TmProxy.exe
LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : TmProxy.exe

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 376
ThreadCreationTime : 08.05.2005 12:59:42
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:17 [pccpfw.exe]
FilePath : C:\Programme\Trend Micro\Internet Security\
ProcessID : 700
ThreadCreationTime : 08.05.2005 12:59:43
BasePriority : Normal
FileVersion : 11.40.0.5015
ProductVersion : 11.40.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : PCCPFW
InternalName : PCCPFW
LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PCCPFW.exe

#:18 [hcontrol.exe]
FilePath : C:\WINDOWS\ATK0100\
ProcessID : 1448
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 1043, 2, 15, 36
ProductVersion : 1043, 3, 2, 1
ProductName : ATK0100
FileDescription : HControl
InternalName : HControl
LegalCopyright : Copyright (c) 2003
OriginalFilename : HControl.exe

#:19 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 1464
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 5.1.0.29
ProductVersion : 5.1.0.29
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2004 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:20 [alu.exe]
FilePath : C:\Programme\ASUS\ASUS Live Update\
ProcessID : 1484
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : ALU Application
FileDescription : ALU MFC Application
InternalName : ALU
LegalCopyright : Copyright (C) 2002 ASUSTek. Corporation
OriginalFilename : ALU.EXE

#:21 [batterylife.exe]
FilePath : C:\Programme\ASUS\Power4 Gear\
ProcessID : 1500
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 1043, 6, 15, 110
ProductVersion : 1043, 3, 6, 15
ProductName : BatteryLife
CompanyName : ASUSTeK Computer Inc.
FileDescription : BatteryLife
InternalName : BatteryLife
LegalCopyright : Copyright © 2002 ASUSTeK Computer Inc.
LegalTrademarks : ASUSTeK Computer Inc.
OriginalFilename : BatteryLife.exe
Comments : Power4 Gear Utility

#:22 [syntplpr.exe]
FilePath : C:\Programme\Synaptics\SynTP\
ProcessID : 1512
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 7.11.6 23Jul04
ProductVersion : 7.11.6 23Jul04
ProductName : Synaptics Pointing Device Driver
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2004
OriginalFilename : SynTPLpr.exe

#:23 [syntpenh.exe]
FilePath : C:\Programme\Synaptics\SynTP\
ProcessID : 1536
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 7.11.6 23Jul04
ProductVersion : 7.11.6 23Jul04
ProductName : Synaptics Pointing Device Driver
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Synaptics Enhancements Application
LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2004
OriginalFilename : SynTPEnh.exe

#:24 [pccguide.exe]
FilePath : C:\Programme\Trend Micro\Internet Security\
ProcessID : 1564
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 11.40.0.5015
ProductVersion : 11.40.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : PCCGuide
InternalName : PCCGuide
LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PCCGuide

#:25 [pcclient.exe]
FilePath : C:\Programme\Trend Micro\Internet Security\
ProcessID : 1620
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 11.40.0.5015
ProductVersion : 11.40.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : PCClient
InternalName : PCClient
LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PCClient

#:26 [tmoagent.exe]
FilePath : C:\Programme\Trend Micro\Internet Security\
ProcessID : 1596
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 11.40.0.5015
ProductVersion : 11.40.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : TrendMicro Outbreak agent
InternalName : TMOAgent
LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : TMOAgent.EXE

#:27 [atiptaxx.exe]
FilePath : C:\Programme\ATI Technologies\ATI Control Panel\
ProcessID : 1704
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 6.14.10.5115
ProductVersion : 6.14.10.5115
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2004 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:28 [pdvdserv.exe]
FilePath : C:\Programme\ASUSTek\ASUSDVD\
ProcessID : 1756
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 5.00.0000
ProductVersion : 5.00.0000
ProductName : PowerDVD
CompanyName : Cyberlink Corp.
FileDescription : PowerDVD RC Service
InternalName : PowerDVD RC Service
LegalCopyright : Copyright (c) CyberLink Corp. 1997-2002
OriginalFilename : PDVDSERV.EXE

#:29 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1844
ThreadCreationTime : 08.05.2005 12:59:46
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : RUNDLL.EXE

CoolWebSearch Object Recognized!
Type : Process
Data : se.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\DOKUME~1\Rakzero\LOKALE~1\Temp\


Warning! CoolWebSearch Object found in memory(C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll)

"C:\WINDOWS\System32\rundll32.exe"Process terminated successfully

#:30 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1856
ThreadCreationTime : 08.05.2005 12:59:47
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:31 [msmsgs.exe]
FilePath : C:\Programme\Messenger\
ProcessID : 2052
ThreadCreationTime : 08.05.2005 12:59:47
BasePriority : Normal
FileVersion : 4.7.0041
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 1997-2001
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:32 [chkmail.exe]
FilePath : C:\Programme\Asus\Asus ChkMail\
ProcessID : 2136
ThreadCreationTime : 08.05.2005 12:59:47
BasePriority : Normal
FileVersion : 1043, 1, 15, 5
ProductVersion : 1043, 3, 1, 15
ProductName : asus ChkMail
CompanyName : asus
FileDescription : ChkMail
InternalName : ChkMail
LegalCopyright : Copyright c 2000
LegalTrademarks : ASUS
OriginalFilename : ChkMail.exe
Comments : ASUSTeK

#:33 [siwake.exe]
FilePath : C:\Programme\Wireless LAN Utility\
ProcessID : 2184
ThreadCreationTime : 08.05.2005 12:59:47
BasePriority : Normal
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
ProductName : SiWake Application
FileDescription : SiWake MFC Application
InternalName : SiWake
LegalCopyright : Copyright (C) 2003
OriginalFilename : SiWake.EXE

#:34 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 2404
ThreadCreationTime : 08.05.2005 12:59:49
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:35 [atkosd.exe]
FilePath : C:\WINDOWS\ATK0100\
ProcessID : 2836
ThreadCreationTime : 08.05.2005 12:59:51
BasePriority : Normal
FileVersion : 1043, 2, 15, 36
ProductVersion : 1043, 3, 2, 1
ProductName : ATK0100
FileDescription : ATKOSD
InternalName : ATKOSD
LegalCopyright : Copyright (c) 2003
OriginalFilename : ATKOSD.exe

#:36 [iexplore.exe]
FilePath : C:\Programme\Internet Explorer\
ProcessID : 2900
ThreadCreationTime : 08.05.2005 12:59:51
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : IEXPLORE.EXE

#:37 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3876
ThreadCreationTime : 08.05.2005 13:00:10
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Cydoor Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\cydoor

Cydoor Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\cydoor
Value : Desc2

Cydoor Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\cydoor
Value : ConnType

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25.1

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25.1
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4.1

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4.1
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\adm.exe

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\adm.exe
Value : AppID

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\altnet signing module.exe

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\altnet signing module.exe
Value : AppID

Cydoor Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\cydoor

Cydoor Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\cydoor
Value : AdwrCnt

Cydoor Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\\software\cydoor

Cydoor Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\\software\cydoor
Value : Desc2

Cydoor Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\\software\cydoor
Value : ConnType

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_USERS
Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\internet explorer\main
Value : HOMEOldSP

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : HOMEOldSP

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "sp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : sp

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 34
Objects found so far: 44


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 44


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : rakzero@servedby.netshelter[2].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:rakzero@servedby.netshelter.net/
Expires : 15.05.2005 12:23:42
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : rakzero@versiontracker[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:rakzero@versiontracker.com/
Expires : 09.05.2005 12:50:06
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : rakzero@atdmt[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:rakzero@atdmt.com/
Expires : 07.05.2010 01:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : rakzero@adtech[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:rakzero@adtech.de/
Expires : 06.05.2015 12:49:34
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 48



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AltnetBDE Object Recognized!
Type : File
Data : A0002877.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 0, 114
ProductVersion : 1, 0, 0, 0
ProductName : Peer Points Manager
FileDescription : Peer Points Manager
InternalName : Peer Points Manager
LegalCopyright : Copyright Altnet Inc. (C) 2002,2003


AltnetBDE Object Recognized!
Type : File
Data : A0002880.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 0, 7
ProductVersion : 1, 0, 0, 7
ProductName : Brilliant bdedetect
CompanyName : Brilliant
FileDescription : bdedetect
InternalName : bdedetect
LegalCopyright : Copyright © 2000
OriginalFilename : bdedetect.dll


AltnetBDE Object Recognized!
Type : File
Data : A0002884.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 0, 55
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Sharing Manager
FileDescription : Altnet Sharing Manager
InternalName : ASM
LegalCopyright : Copyright 2003
OriginalFilename : ASM.EXE


AltnetBDE Object Recognized!
Type : File
Data : A0002888.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
InternalName : ASMPS
LegalCopyright : Copyright 2003
OriginalFilename : ASMPS.DLL


AltnetBDE Object Recognized!
Type : File
Data : A0002889.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 3, 0, 39, 2
ProductVersion : 3, 0, 0, 0
ProductName : ADMDloader
CompanyName : Altnet
FileDescription : BDEDownloader
InternalName : ADMDloader
LegalCopyright : Copyright © 2001 Altnet
OriginalFilename : ADMDloader.dll


AltnetBDE Object Recognized!
Type : File
Data : A0002890.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 1, 10
ProductVersion : 1, 0, 0, 0
ProductName : ADMData
CompanyName : Altnet
FileDescription : ADMData
InternalName : ADMData
LegalCopyright : Copyright 1999
OriginalFilename : ADMData.dll


AltnetBDE Object Recognized!
Type : File
Data : A0002891.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 0
ProductName : ADMFdi
CompanyName : Altnet
FileDescription : ADMFdi
InternalName : ADMFdi
LegalCopyright : Copyright © 2000
OriginalFilename : ADMFdi


AltnetBDE Object Recognized!
Type : File
Data : A0002892.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 2, 4, 3
ProductVersion : 1, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright 2002
OriginalFilename : ADM25.dll


Cydoor Object Recognized!
Type : File
Data : A0002893.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 3, 2, 1, 6
ProductVersion : 3, 2, 1, 6
ProductName : cd_clint
FileDescription : cd_clint
InternalName : cd_clint
LegalCopyright : Copyright © 2003
OriginalFilename : cd_clint.dll


AltnetBDE Object Recognized!
Type : File
Data : A0002894.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 4, 0, 0, 5
ProductVersion : 4, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright © 2003, 2004 Altnet
OriginalFilename : ADM.exe


AltnetBDE Object Recognized!
Type : File
Data : A0002896.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 4, 0, 0, 6
ProductVersion : 4, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright © 2003 Altnet
OriginalFilename : ADM4.dll


AltnetBDE Object Recognized!
Type : File
Data : A0002898.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 4, 0, 0, 4
ProductVersion : 4, 0, 0, 0
ProductName : ADMProg
CompanyName : Altnet
InternalName : ADMProg
LegalCopyright : Copyright © 2003 Altnet
OriginalFilename : ADMProg.dll


AltnetBDE Object Recognized!
Type : File
Data : A0002901.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 0
ProductName : BDE asmend
CompanyName : BDE
FileDescription : asmend
InternalName : KillASM
LegalCopyright : Copyright © 2003
OriginalFilename : asmend


AltnetBDE Object Recognized!
Type : File
Data : A0002903.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Uninstaller
CompanyName : Altnet, Inc.
FileDescription : Uninstaller
InternalName : AltnetUninstall.exe
LegalCopyright : Copyright © 2003,2004
OriginalFilename : AltnetUninstall.exe


Claria Object Recognized!
Type : File
Data : A0002955.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : CMESys.exe
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : CMESys.exe


Claria Object Recognized!
Type : File
Data : A0002956.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : CMEIIAPI.DLL
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : CMEIIAPI.DLL


Claria Object Recognized!
Type : File
Data : A0002957.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GAppMgr.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GAppMgr.dll


Claria Object Recognized!
Type : File
Data : A0002958.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GController.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GController.dll


Claria Object Recognized!
Type : File
Data : A0002959.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GDlwdEng.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GDlwdEng.dll


Claria Object Recognized!
Type : File
Data : A0002960.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GIocl.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GIocl.dll


Claria Object Recognized!
Type : File
Data : A0002961.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GIoclClient.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GIoclClient.dll


Claria Object Recognized!
Type : File
Data : A0002962.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GMTProxy.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GMTProxy.dll


Claria Object Recognized!
Type : File
Data : A0002963.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GObjs.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GObjs.dll


Claria Object Recognized!
Type : File
Data : A0002964.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GStore.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GStore.dll


Claria Object Recognized!
Type : File
Data : A0002965.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GStoreServer.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GStoreServer.dll


Claria Object Recognized!
Type : File
Data : A0002966.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GTools.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GTools.dll


Claria Object Recognized!
Type : File
Data : A0002970.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : Gator Client Application
InternalName : Gator.exe
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : Gator.exe


Claria Object Recognized!
Type : File
Data : A0002971.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : GAIN Uninstaller applet
InternalName : GUninstaller.exe
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GUninstaller.exe


Claria Object Recognized!
Type : File
Data : A0002972.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : egIEClient Dynamic Link Library
InternalName : egIEClient.dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : egIEClient.dll


Claria Object Recognized!
Type : File
Data : A0002973.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : EGIEProcess Dynamic Link Library
InternalName : EGIEProcess dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : EGIEProcess dll


Claria Object Recognized!
Type : File
Data : A0002974.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : EGNSEngine Dynamic Link Library
InternalName : EGNSEngine dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : EGNSEngine dll


Claria Object Recognized!
Type : File
Data : A0002975.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : EGGCEngine Dynamic Link Library
InternalName : EGGCEngine dll
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : EGGCEngine dll


Claria Object Recognized!
Type : File
Data : A0002976.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
FileVersion : 6.0.5.3
ProductVersion : 6.0.5.3
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : GatorRes Dynamic Link Library
InternalName : GatorRes DLL
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GatorRes DLL


Claria Object Recognized!
Type : File
Data : A0002978.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 82




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html
Value : CLSID

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain
Value : CLSID

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment : CWS.About:Blank
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : CWS.About:Blank
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : CWS.About:Blank
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
Value : UninstallString

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\protocols\filter\text/html
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant
Data : about:blank

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

CoolWebSearch Object Recognized!
Type : File
Data : se.dll
Category : Malware
Comment :
Object : C:\DOKUME~1\Rakzero\LOKALE~1\Temp\



Cydoor Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\AdCache

Cydoor Object Recognized!
Type : File
Data : B_434_0_1_328800.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_1_377500.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_1_377800.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_140300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_140400.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_140500.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Ob
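Added example, not from the poster or from Ad-Aware: the log above is long and repetitive, and what a helper actually needs from it is a compact list of the registry locations and files per detected family so the cleanup steps can be matched against it. The script below parses Ad-Aware SE "Object Recognized!" records into dictionaries, counts them per family and extracts the full location of every object in the "Malware" category. The sample log embedded in the script is constructed from a few records visible in the post (the field layout Type / Data / Category / Comment / Rootkey / Object / Value is Ad-Aware's own); the function names are mine.

```python
"""Parse Ad-Aware SE 'Object Recognized!' log records into structured entries.

Added example (not part of the forum post). The sample text below is
constructed from records that appear in the posted log; parse_adaware()
works the same way on a complete saved Ad-Aware log file.
"""
import re
from collections import Counter

# Constructed sample in the same layout as the posted log.
SAMPLE_LOG = """\
CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\\microsoft\\internet explorer\\main
Value : HOMEOldSP

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "sp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\\microsoft\\windows\\currentversion\\run
Value : sp

Cydoor Object Recognized!
Type : File
Data : B_434_0_1_328800.gif
Category : Data Miner
Comment :
Object : C:\\WINDOWS\\System32\\adcache\\

CoolWebSearch Object Recognized!
Type : File
Data : se.dll
Category : Malware
Comment :
Object : C:\\DOKUME~1\\Rakzero\\LOKALE~1\\Temp\\

Registry Scan result:
New critical objects: 34
"""

# A record starts with "<family> Object Recognized!" and ends at a blank line.
HEADER = re.compile(r"^(?P<family>.+?) Object Recognized!$")
# Field lines are "Key : value"; the key is a single word, the value may be empty
# or contain further colons (e.g. a drive letter in a path).
FIELD = re.compile(r"^(?P<key>[A-Za-z]+)\s*:\s?(?P<val>.*)$")


def parse_adaware(text):
    """Return a list of dicts, one per recognized object, keys lower-cased."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes the record
            if current is not None:
                records.append(current)
                current = None
            continue
        m = HEADER.match(line)
        if m:
            if current is not None:       # tolerate missing blank separators
                records.append(current)
            current = {"family": m.group("family")}
            continue
        m = FIELD.match(line)
        if m and current is not None:     # summary lines outside records are skipped
            current[m.group("key").lower()] = m.group("val").strip()
    if current is not None:
        records.append(current)
    return records


def location(rec):
    """Full registry path (rootkey\\object -> value) or file path of one record."""
    if rec.get("type") in ("Regkey", "RegValue", "RegData"):
        loc = rec.get("rootkey", "") + "\\" + rec.get("object", "")
        if rec.get("value"):
            loc += " -> " + rec["value"]
        return loc
    return rec.get("object", "") + rec.get("data", "")


def summarize(records):
    """Count objects per family and list the locations flagged as Malware."""
    by_family = Counter(r["family"] for r in records)
    malware = [location(r) for r in records if r.get("category") == "Malware"]
    return by_family, malware


if __name__ == "__main__":
    fam, mal = summarize(parse_adaware(SAMPLE_LOG))
    for name, n in fam.most_common():
        print(f"{n:4d}  {name}")
    print("\nMalware objects to remove:")
    for loc in mal:
        print("  " + loc)
```

On a full log, the "Data Miner" entries (Altnet, Cydoor ad cache, cookies, the restore-point copies under System Volume Information) dominate the count, while the handful of "Malware" entries are the ones that matter for the hijack: the MIME filter keys under protocols\filter, the HOMEOldSP and Search Assistant values, the Run\sp entry and se.dll in the user's Temp directory.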
08.05.2005, 14:56
...new here

Posts: 1
#430 -->> CONTINUATION of #429


Cydoor Object Recognized!
Type : File
Data : B_434_0_4_220500.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_4_221000.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_4_221200.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_4_320900.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_272300.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_0_148700.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_0_148800.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_118300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_129000.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_221300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_0_148700.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_0_148800.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_118300.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_129000.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_221300.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_222300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_255000.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_281000.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_351500.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_222300.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_281000.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_1_380300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_112000.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_4_203200.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_328800.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_377500.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_377800.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_380300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_106400.swf
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_256200.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_350700.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_350800.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_351000.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_106400.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_256200.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_350700.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_350800.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_4_351000.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_4_349300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_2_351500.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_3_351100.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_3_351100.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_0_349300.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_272500.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_2_3_204500.htm
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_0_104500.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Cydoor Object Recognized!
Type : File
Data : B_434_0_3_347100.gif
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\adcache\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 71
Objects found so far: 153

14:04:13 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:03:52.203
Objects scanned:110535
Objects identified:143
Objects ignored:0
New critical objects:143


3) S&D

Avenue A, Inc.: Tracking cookie (Internet Explorer: Rakzero) (Cookie, nothing done)


Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm

AllCyberSearch: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sp

Cydoor: Settings for current user (Registry key, nothing done)
HKEY_USERS\S-1-5-21-642259453-3228153630-4039653244-1005\Software\Cydoor

Cydoor: Cache for ads (Directory, nothing done)
C:\WINDOWS\System32\AdCache\

Cydoor: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Cydoor

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

WebDialer: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-642259453-3228153630-4039653244-1005\Software\Microsoft\Internet Explorer\Main\HOMEOldSP


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

------------------------------------------------------------------------

4)

Logfile of HijackThis v1.99.1
Scan saved at 14:39:30, on 08.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
C:\Programme\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ASUS\ASUS Live Update\ALU.exe
C:\Programme\ASUS\Power4 Gear\BatteryLife.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Trend Micro\Internet Security\pccguide.exe
C:\Programme\Trend Micro\Internet Security\PCClient.exe
C:\Programme\Trend Micro\Internet Security\TMOAgent.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Asus\Asus ChkMail\ChkMail.exe
C:\Programme\Wireless LAN Utility\SiWake.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Rakzero\Desktop\ANTI Serarch for - SIte\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {D47F5BF2-00F9-41AF-88D5-B16601C7D13C} - C:\WINDOWS\System32\ghfd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programme\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programme\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Programme\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Programme\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\ASUSTek\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programme\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Programme\Asus\ASUS Hotkey\Hotkey.exe
O4 - Global Startup: SiWake.lnk = C:\Programme\Wireless LAN Utility\SiWake.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit FlashGet laden - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O18 - Filter: text/html - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O18 - Filter: text/plain - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Programme\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Programme\Trend Micro\Internet Security\tmproxy.exe

-----------------------------------------------------------------------

Thanks in advance, see you later!
12.05.2005, 10:25
Honorary member
Avatar Sabina

Posts: 29434
#431 Hello @Kneidi

Scanned file: rpcss_pl.exe - infected by
Trojan-Downloader.Win32.Zlob.f


Hijacker about:blank - se.dll\sp.html --> scan
http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

Start --> Run --> cmd (type it in)

paste in:
sc stop rpcss+
press "Enter"

and wait a little,
then paste in:

sc delete rpcss+
press "Enter"

paste in:
del C:\WINDOWS\System32\rpcss_pl.exe
press "Enter"



Fix with HijackThis:
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)


Restart the PC


Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop using 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop.



Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCSS+\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RPCSS+]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_RPCSS+\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RPCSS+]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_RPCSS+\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RPCSS+]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCSS+\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCSS+]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BOOTCOM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BOOTCOM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BOOTCOM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BOOTCOM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BOOTCOM]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BOOTCOM]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOTCOM\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BOOTCOM]

Restart the computer in Safe Mode (press F8 while booting).
Double-click the file "fixme.reg" on the desktop.


then please search for: (in the registry --> Edit --> Find, and under Windows)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys

Delete with Killbox:
c:\windows\System32\drivers\affpnpdev.sys
c:\windows\System32\drivers\bootcom.sys


+ post the new HijackThis log
__________
Regards, Sabina

all about PC security
12.05.2005, 10:38
Honorary member
Avatar Sabina

Posts: 29434
#432 Hello @Wonderdave

Scan once more with the se.dll removal tool (make sure you scan all accounts, i.e. user account, administrator account etc., preferably in Safe Mode)

Delete:
C:\WINDOWS\System32\adcache

Fix with HijackThis.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {D47F5BF2-00F9-41AF-88D5-B16601C7D13C} - C:\WINDOWS\System32\ghfd.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O18 - Filter: text/plain - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll


Restart the PC

+
post the new HijackThis log
__________
Regards, Sabina

all about PC security
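As an added example (not from this thread, from HijackThis or from any forum tool), here is a small Python triage script for the about:blank / se.dll hijacker pattern that posts #431 and #432 above work through: it flags the R0/R1 about:blank and se.dll entries, the O4 rundll32 loader in a Temp folder, the O18 text/* MIME filters, the O2 BHO that shares the filter's DLL, and an O23 service with unknown owner whose file is missing, then lists the binaries those entries reference. The sample log is a constructed excerpt of the entries posted in this thread with the user folder renamed; the detection rules are my own heuristics, not HijackThis's.

```python
"""Triage a HijackThis 1.99 log for the about:blank / se.dll hijacker pattern
discussed in this thread. Added example, not a tool from the forum or HijackThis."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One HijackThis entry looks like "O18 - Filter: text/html - {CLSID} - C:\path\x.dll"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.+)$")
# Drive-letter path ending in a binary extension (stops before ",", "/" or " (file missing)")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,]*?\.(?:dll|exe|sys)\b", re.I)
# "se.dll" as a whole file name (not e.g. "base.dll")
SE_DLL_RE = re.compile(r"(?<![a-z0-9])se\.dll", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O18"
    reason: str    # why the entry is suspicious
    line: str      # the original log line


def _last_field(body: str) -> str:
    """The path is the last ' - ' separated field of an O2/O18 entry."""
    return body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def triage(log_text: str) -> list[Finding]:
    """Return the entries matching the hijacker pattern, in log order
    (BHO matches are appended last because they need the O18 paths first)."""
    findings: list[Finding] = []
    filter_dlls: set[str] = set()        # DLLs registered as MIME filters (O18)
    bhos: list[tuple[str, str]] = []     # (dll path, line) of every O2 BHO
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # header, process list, blank lines
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            value = body.split(" = ", 1)[-1] if " = " in body else ""
            if value == "about:blank" or SE_DLL_RE.search(value):
                findings.append(Finding(section, "IE start/search page points to about:blank or an se.dll resource", line))
        elif section == "O4":
            if "rundll32" in body.lower() and "\\temp\\" in body.lower():
                findings.append(Finding(section, "Run key loads a DLL from a Temp folder via rundll32", line))
        elif section == "O18":
            if body.startswith("Filter: text/"):
                filter_dlls.add(_last_field(body).lower())
                findings.append(Finding(section, "MIME filter hooked for text/* content (about:blank hijacker technique)", line))
        elif section == "O2":
            bhos.append((_last_field(body), line))
        elif section == "O23":
            if "(file missing)" in body and "Unknown owner" in body:
                findings.append(Finding(section, "Service with unknown owner whose binary is gone (orphaned persistence)", line))
    for path, line in bhos:
        if path.lower() in filter_dlls:
            findings.append(Finding("O2", "BHO uses the same DLL as a hooked MIME filter", line))
    return findings


def suspect_paths(findings: list[Finding]) -> set[str]:
    """Lower-cased binary paths referenced by the flagged entries."""
    return {p.lower() for f in findings for p in PATH_RE.findall(f.line)}


# Constructed excerpt of the entries posted in this thread (user folder renamed).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\User\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D47F5BF2-00F9-41AF-88D5-B16601C7D13C} - C:\WINDOWS\System32\ghfd.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\User\LOKALE~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O18 - Filter: text/plain - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print("binaries to check:", sorted(suspect_paths(found)))
```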
12.05.2005, 18:17
...new here

Posts: 9
#433 Hello! Yes, I also have this problem with "search for..." as the start page and have also used Ad-Aware, Search and Destroy and CWShredder. I also created my log file and had it checked automatically by HijackThis. It finds 2 things that I'm supposed to fix, which I do, but the next time they are simply back again. I've already read a bit through this thread, but unfortunately I really have no idea what exactly I have to do now ;) Maybe someone can help me briefly once more, here is my logfile

Logfile of HijackThis v1.99.1
Scan saved at 18:08:54, on 12.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\quicktime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
D:\ICQ\ICQLite\ICQLite.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
D:\SpySUbtract\SpySub.exe
D:\Spybot - Search & Destroy\SpybotSD.exe
D:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Matthias\Lokale Einstellungen\Temp\HijackThis.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EE50CB89-CD21-4F87-8C88-D499BDF12447} - C:\WINDOWS\System32\mcjiic.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "D:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlr] C:\WINDOWS\netstat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] D:\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQ\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = D:\SpySUbtract\SpySub.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A54EFD3-BB91-4B79-9175-A6A64F9DADB1}: NameServer = 192.168.4.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FADB04F6-7A26-42EF-BF21-7F3CCBEC1184}: NameServer = 192.168.4.1
O18 - Filter: text/html - {8FE961C0-B0FB-4470-B9D8-5975FD063A29} - C:\WINDOWS\System32\mcjiic.dll
O18 - Filter: text/plain - {8FE961C0-B0FB-4470-B9D8-5975FD063A29} - C:\WINDOWS\System32\mcjiic.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Many thanks in advance!
12.05.2005, 23:12
Honorary member
Avatar Sabina

Posts: 29434
#434 Hello @Matthi

Hijacker about:blank - se.dll\sp.html --> scan
http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

CCleaner --> delete all *temp files
http://www.ccleaner.com/ccdownload.asp



#new start page
Go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page


restart and post the new HijackThis log
__________
Regards, Sabina

all about PC security
20.07.2005, 01:04
...new here

Posts: 2
#435 Hello everyone

I find it unbelievable how much effort you good souls put into helping us PC users get rid of these trojans and similar creatures! Many heartfelt thanks in advance!

I have read up a bit, but had to realise that in the end the solution always turns out to be very individual. So here is my usual problem:

- start page keeps changing to searchweb2.com
- every now and then I get icons on the desktop for casinos and the like

Of course I have run various anti-spyware software... obviously, it does not help. I have a hardware firewall, but still...

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 13:46:10, on 21.07.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\avmclient\avmbtservice.exe
C:\Programme\avmclient\panapp.exe
C:\Programme\avmclient\AvmObexService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\Fast.exe
D:\Programme\norton antivirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe
D:\PROGRA~2\NORTON~1\navapw32.exe
D:\Programme\Brennersoftware\winoncd\DirectCD\DirectCD.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
D:\PROGRA~2\DVD-RE~1\BSCLIP~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\ezSP_Px.exe
D:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\ATI\ATI Multimedia\main\ATIDtct.EXE
C:\Programme\QuickTime\qttask.exe
d:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\avmclient\bluefritz.exe
C:\Programme\avmclient\AvmObex.exe
C:\Programme\avmclient\AvmObex.exe
D:\Programme\QuickTime\iTunesHelper.exe
D:\ATI\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\MSN Messenger\msnmsgr.exe
D:\Programme\Nikon\Foto Station Easy\FotoStation Easy AutoLaunch.exe
D:\Programme\Nikon\NkvMon.exe
D:\Programme\Office\Office\1031\msoffice.exe
C:\WINDOWS\system32\RAMASST.exe
D:\Programme\3deep\True Internet Color\TICIcon.exe
D:\Programme\palm\HOTSYNC.EXE
C:\Programme\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
D:\Programme\Office\Office\OUTLOOK.EXE
D:\Programme\TWIXTEL\twxroute.exe
D:\Programme\TWIXTEL\TwixTel.exe
D:\Programme\TWIXTEL\ShowCall.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\Programme\Office\Office\MSPUB.EXE
D:\Programme\Office\Office\POWERPNT.EXE
D:\PROGRA~2\NETSCAPE\NETSCAPE\NETSCP.EXE
F:\j\SICHER~1\WinZip\winzip32.exe
C:\DOKUME~1\Besitzer\LOKALE~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ddrqophfabffusdxpcy.org/gUjLsK6K7FnNoUwO0GDxLnI4OFiSaQpNT6aefMPZgy/F1cHKzxzEAONx5/IwfsfT.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cqqgyyfndbfw.com/wohwn17HaL6RdO3Ml8l5ZDEduAuBHs7z28TrKO5P1n0.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bluewin.ch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programme\AcrobatReader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programme\norton antivirus\NavShExt.dll
O2 - BHO: (no name) - {D1833200-F026-55FB-7D2B-AF3F63202CB8} - C:\PROGRA~1\LOCKSA~1\AUDIODATE.exe (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programme\norton antivirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Programme\Brennersoftware\winoncd\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] d:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [B'sCLiP] D:\PROGRA~2\DVD-RE~1\BSCLIP~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [zBrowser Launcher] d:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] D:\ATI\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "D:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVMBlueClient] C:\Programme\avmclient\bluefritz.exe
O4 - HKLM\..\Run: [AVMBLUEOBEX] C:\Programme\avmclient\AvmObex.exe -pushclient -ftpclient
O4 - HKLM\..\Run: [XoftSpy] d:\Programme\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\QuickTime\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "D:\ATI\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Logo this] C:\DOKUME~1\Besitzer\ANWEND~1\CHINRE~1\body inter flag.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Programme\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = D:\Programme\palm\HOTSYNC.EXE
O4 - Startup: MPXPTray.lnk = C:\Programme\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = D:\Programme\AcrobatReader\Reader\reader_sl.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Office\Office\OSA9.EXE
O4 - Global Startup: Mountit.lnk = D:\Programme\Brennersoftware\winoncd\MountIt.exe
O4 - Global Startup: NkvMon.exe.lnk = D:\Programme\Nikon\NkvMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: True Internet Color Icon.lnk = D:\Programme\3deep\True Internet Color\TICIcon.exe
O4 - Global Startup: Zahlungserinnerung.lnk = E:\quicken\billmind.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm368XXCH
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\ATI\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - d:\PROGRA~2\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM BT Connection Service - AVM Berlin - C:\Programme\avmclient\avmbtservice.exe
O23 - Service: AVM BT PAN Service - AVM Berlin - C:\Programme\avmclient\panapp.exe
O23 - Service: AVM BT OBEX Service (AvmObexService) - AVM Berlin - C:\Programme\avmclient\AvmObexService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - D:\Programme\norton antivirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe



Now I'll let one of you have a look in peace and look forward to a reply. Greetings and many thanks!!!
This post was edited on 21.07.2005 at 13:47 by nolimit.