"Search for..." Startseite kommt immer wieder!Thema ist geschlossen! |
#0 | 05.05.2005, 15:52 | Honorary member | Posts: 29434

05.05.2005, 17:16
...neu hier
Beiträge: 10 |
#422
Hi Sabina,
hab`s genau gemacht, wie du geschrieben hast. Leider hab ich halt den bootcom key nicht löschen können und beim rkfiles.bat hat es ewig gedauert, bis er fertig war. Leider hat er auch einiges nicht gefunden... Hier der aktuelle HijackThis Log: Zitat Logfile of HijackThis v1.99.1Und hier der log.txt: Zitat C:\Programme\Rkfileswas kommt jetzt? thx im vorraus! kneidi |
|
|
#423 | 05.05.2005, 17:43 | Honorary member | Posts: 29434
Hello @kneid
KILLBOX: http://www.bleepingcomputer.com/files/killbox.php
1. Disconnect from the Internet and close all running programs
2. Double-click Killbox.exe and leave it open
3. In Killbox, click Delete on Reboot (red box). Enter this file at the top in the "Full Path of File to Delete" box, either (1) by typing in the path listed below or (2) by browsing the computer for the file:
C:\WINDOWS\Unwash6.exe
C:\WINDOWS\system32\ClrSchP012.dll
C:\WINDOWS\system32\ClrSchP0121.dll
C:\WINDOWS\system32\cm1.dll
C:\WINDOWS\system32\ctbv2.dll
C:\WINDOWS\system32\exactsetup.dll
C:\WINDOWS\system32\ezStubi.dll
C:\WINDOWS\system32\fly.dll
C:\WINDOWS\system32\idr_17b.exe
C:\WINDOWS\system32\ignet.dll
C:\WINDOWS\system32\ignet2.dll
C:\WINDOWS\system32\in10b6.dll
C:\WINDOWS\system32\installer_im.dll
C:\WINDOWS\system32\lame_enc.dll
C:\WINDOWS\system32\msasmsn7.dll
C:\WINDOWS\system32\ncase.dll
C:\WINDOWS\system32\ncase2.dll
C:\WINDOWS\system32\NLNP13.dll
C:\WINDOWS\system32\nostalgia.dll
C:\WINDOWS\system32\perfcl.exe
C:\WINDOWS\system32\pr1ze5.dll
C:\WINDOWS\system32\SHAgent.dll
C:\WINDOWS\system32\SHAgent1007.dll
C:\WINDOWS\system32\sstep026.dll
C:\WINDOWS\system32\taskschd.exe
C:\WINDOWS\system32\UninstXviDDec.exe
C:\WINDOWS\system32\wauctl9x.exe
C:\WINDOWS\system32\wds19us.exe
C:\WINDOWS\system32\wuactl2.exe
C:\WINDOWS\system32\Xcite.dll
c:\windows\System32\drivers\bootcom.sys
5. Click Yes at the Delete on Reboot prompt.
6. Click No at the running processes prompt
7. Click the Delete File button (looks like a stop sign) (3).
8. Click Yes at the Delete on Reboot prompt.
9. Click Yes at the running processes prompt to restart the computer. Let the computer restart.
10. If the following message appears, do a manual restart: "PendingFileRenameOperations Registry Data has been Removed by External Process!"
Restart the PC
Fix with HijackThis:
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
Restart and post the new HijackThis log + http://bilder.informationsarchiv.net/Nikitas_Tools/FindIt.zip
Please post the text file
-----------------
INFO. "Trojan-Clicker.Win32.Agent.cg" C:\WINDOWS\system32\wuactl2.exe
__________
Regards, Sabina
all about PC security

#424 | 05.05.2005, 21:01 | ...new here | Posts: 10
Hello Sabina!
Many thanks again for your help! I think it's moving forward now. Here is the log.txt:
Quote: C:\Programme\Rkfiles
... and here the HijackThis log: by the way, the proxy server is fine, I set that up myself (my provider is called netpark)
Quote: Logfile of HijackThis v1.99.1
Best regards, kneidi

#425 | 06.05.2005, 00:28 | Honorary member | Posts: 29434
Hello @kneid
To open the Services console directly, enter the command services.msc under Start > Run, then select the Services entry. All running services are now shown. Find the entry "RPC+ Service Provider (RPCSS+)". If Status says "Started", right-click it and choose the option "Properties". Do not choose "Stop the service", because then "RPC+ Service Provider (RPCSS+)" will be run again at the next system start. Select "Disabled" as the startup type and close the service status with "Stop". Now click "Apply". The " " no longer runs in the background and is no longer run at a restart either.
Fix with HijackThis:
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Programme\VisualRoute\vrie.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E23DEDBC-B8FE-47BE-9881-0692758326B2} - (no file) (HKCU)
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
Restart the PC
--------------------------------------------------------------------------
Start --> Run --> paste in: sc delete rpcss+ and press Enter
--------------------------------------------------------------------------
Go into the registry. Do you find this????? HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys
• Download Registry Search Tool: http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Double-click regsrch.vbs and paste in: RPC+ Service Provider
Press 'OK' and wait until the search has finished. (Please post the result)
RPCSS+
Press 'OK' and wait until the search has finished. (Please post the result)
BOOTCOM
Press 'OK' and wait until the search has finished. (Please post the result)
Delete with Killbox: --> Full path of file to delete / Select the Delete on reboot option.
C:\WINDOWS\System32\rpcss_pl.exe
Restart the PC
------------------------------------------------------------------------
INFO:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss
Description REG_SZ Provides the endpoint mapper and other miscellaneous RPC services.
DisplayName REG_SZ Remote Procedure Call (RPC)
ErrorControl REG_DWORD 0x1
Group REG_SZ COM Infrastructure
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost -k rpcss
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x20
FailureActions REG_BINARY 00000000000000000000000001000000000000000200000060EA0000
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Parameters
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Enum
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+
DrvMode REG_DWORD 0x225
Type REG_DWORD 0x10
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ C:\WINDOWS\System32\rpcss_pl.exe
DisplayName REG_SZ RPC+ Service Provider
Group REG_SZ COM Infrastructure
ObjectName REG_SZ LocalSystem
Description REG_SZ RPC+ Service Provider
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+\Enum
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM
Type REG_DWORD 0x1
Start REG_DWORD 0x0
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ System32\drivers\bootcom.sys
DisplayName REG_SZ BOOTCOM
Group REG_SZ System Reserved
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM\Enum
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys
__________
Regards, Sabina
all about PC security
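As an added illustration (not a tool used or posted in this thread), the Python script below automates the three things the helper checks by eye in the REG.EXE dump above: a service whose name is a look-alike of a real one (rpcss+ beside rpcss), a boot-start kernel driver that is not part of a known baseline (BOOTCOM), and a service key that has no ImagePath at all (.affpnpdevsys). The input is the dump text as posted; the two baseline sets KNOWN_SERVICES and KNOWN_BOOT_DRIVERS are assumed, abbreviated stand-ins for a real clean-system inventory.

```python
"""Triage of a REG.EXE-style dump of HKLM\\...\\Services for suspicious entries.

Added example for this thread, not the helper's own tool. It flags
look-alike service names, unknown boot-start drivers and ImagePath-less
service keys so that a human can review them.
"""
import re
from difflib import SequenceMatcher

# Assumption: abbreviated baselines; a real run would use a clean-system export.
KNOWN_SERVICES = {"rpcss", "dcomlaunch", "eventlog", "lanmanserver", "spooler"}
KNOWN_BOOT_DRIVERS = {"acpi", "atapi", "disk", "ftdisk", "mountmgr", "ntfs", "pci"}

# Dump text as posted in the thread (REG.EXE 3.0 output, values unindented).
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss
Description REG_SZ Provides the endpoint mapper and other miscellaneous RPC services.
DisplayName REG_SZ Remote Procedure Call (RPC)
ErrorControl REG_DWORD 0x1
Group REG_SZ COM Infrastructure
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost -k rpcss
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x20
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss\Parameters
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss+
DrvMode REG_DWORD 0x225
Type REG_DWORD 0x10
Start REG_DWORD 0x2
ImagePath REG_EXPAND_SZ C:\WINDOWS\System32\rpcss_pl.exe
DisplayName REG_SZ RPC+ Service Provider
Group REG_SZ COM Infrastructure
ObjectName REG_SZ LocalSystem
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BOOTCOM
Type REG_DWORD 0x1
Start REG_DWORD 0x0
ImagePath REG_EXPAND_SZ System32\drivers\bootcom.sys
DisplayName REG_SZ BOOTCOM
Group REG_SZ System Reserved
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys
"""

# Only top-level Services\<name> keys; subkeys such as ...\rpcss\Parameters do not match.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)$", re.IGNORECASE)
# "<ValueName> <REG_TYPE> <data>"; the '! REG.EXE VERSION' banner does not match.
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)(?:\s+(.*))?$")


def parse_services(dump):
    """Map each top-level Services\\<name> key to its {value_name: data} dict."""
    services, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None   # subkey -> ignore its values
            if current is not None:
                services.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            services[current][v.group(1)] = (v.group(3) or "").strip()
    return services


def look_alike_of(name, known):
    """Known name that `name` imitates, or None if it is exact or unrelated.

    Heuristic: a non-identical name that extends a known name at either end
    ('rpcss+' -> 'rpcss') or is very close to it by edit similarity."""
    n = name.lower()
    if n in known:
        return None
    for k in sorted(known, key=len, reverse=True):   # prefer the longest match
        if n.startswith(k) or n.endswith(k) or SequenceMatcher(None, n, k).ratio() >= 0.8:
            return k
    return None


def assess(services):
    """Return a list of (service_name, reason) findings for a human to review."""
    findings = []
    for name, vals in services.items():
        image = vals.get("ImagePath", "")
        start = int(vals.get("Start", "0x3"), 16)   # missing Start -> manual
        stype = int(vals.get("Type", "0x0"), 16)
        mimic = look_alike_of(name, KNOWN_SERVICES | KNOWN_BOOT_DRIVERS)
        if mimic is not None:
            findings.append((name, f"name imitates '{mimic}'; ImagePath={image!r}"))
        # Type 0x1 = kernel driver, Start 0x0 = boot start, i.e. loaded before
        # any user-mode scanner; an unknown name here deserves a second look.
        if stype == 0x1 and start == 0 and name.lower() not in KNOWN_BOOT_DRIVERS:
            findings.append((name, f"boot-start kernel driver outside baseline: {image}"))
        # A key without ImagePath starts nothing itself: leftover of an
        # incomplete removal, or something to check by hand.
        if not image:
            findings.append((name, "service key has no ImagePath"))
    return findings


def flagged_names(dump):
    """Set of service names with at least one finding."""
    return {name for name, _ in assess(parse_services(dump))}


if __name__ == "__main__":
    for name, reason in assess(parse_services(SAMPLE_DUMP)):
        print(f"{name:15} {reason}")
```

Run on the dump as posted, it reports rpcss+ (imitates rpcss, with its own EXE instead of svchost), BOOTCOM (boot-start driver outside the baseline) and .affpnpdevsys (key without ImagePath), and stays silent on the genuine rpcss. The prefix and similarity rules are deliberately loose, so a legitimate service that merely shares a prefix with a baseline name will also be listed; the output is a triage list, not a verdict.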
#426 | 07.05.2005, 19:23 | ...new here | Posts: 10
@ Sabina:
Unfortunately I can't stop the service! Not in Safe Mode either... So I entered "services.msc" under Run, went to "RPC+ Service Provider" and clicked Properties, then straight to "Startup type: Disabled" (under the "General" tab) and wanted to apply, and then it shows me "Access denied"! Service status says "Started" and below that I can't click anything, because the 4 buttons are greyed out (i.e. disabled). Do you have a solution for how I could end the process? I know, I'm really no expert - sorry! ;-)

#427 | 07.05.2005, 19:50 | Honorary member | Posts: 29434
kneidi
we had already agreed that you only carry out what I ask you to; then I will find a way to solve the problem. So please work through exactly what I wrote (exactly...)
Quote: Fix with HijackThis:
__________
Regards, Sabina
all about PC security

#428 | 07.05.2005, 20:36 | ...new here | Posts: 10
Hello Sabina,
so I've now done it the way you wrote. However, I think something is wrong with the PC now. The RPC module is probably going to be missing (I had that problem once before). It didn't tell me that it's missing, but in the taskbar (i.e. the blue strip at the very bottom of the screen) programs are no longer shown as being open. I hope I did the right thing. Here are the logfiles:
RPC+ Service Provider
Quote: REGEDIT4
RPCSS+
Quote: REGEDIT4
BOOTCOM
Quote: REGEDIT4
and you will probably also need the HijackThis log:
Quote: Logfile of HijackThis v1.99.1
so then, thanks for your reply ;-) kneidi

#429 | 08.05.2005, 14:43 | ...new here | Posts: 4
Hi Sabina, sorry that I'm replying soo late to post #410!
I deleted all the files you told me to. Here are the logs I was supposed to make:
-------------------------------------------------------------------------
1)
(8.5.05 14:16:42) SPSeHjFix started v1.1.1
(8.5.05 14:16:42) OS: WinXP Service Pack 1 (5.1.2600)
(8.5.05 14:16:42) Language: deutsch
(8.5.05 14:16:43) Disinfection started
(8.5.05 14:16:43) Bad-Dll(IEP): c:\dokume~1\rakzero\lokale~1\temp\se.dll
(8.5.05 14:16:43) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\ghfd.dll
(8.5.05 14:16:43) Searchassistant Uninstaller - Keys Deleted
(8.5.05 14:16:43) FilterKey: HKCR\text/html (deleted)
(8.5.05 14:16:43) FilterKey: HKCR\CLSID\{AEFB402A-EAE3-4F5E-9766-257F9567A4F4} (deleted)
(8.5.05 14:16:43) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(8.5.05 14:16:43) FilterKey: HKCR\text/plain (deleted)
(8.5.05 14:16:43) FilterKey: HKCR\CLSID\{AEFB402A-EAE3-4F5E-9766-257F9567A4F4} (error while deleting)
(8.5.05 14:16:43) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(8.5.05 14:16:43) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AD234D0-11DC-4462-8F6E-55B030A88333} (deleted)
(8.5.05 14:16:43) BHO-Key: HKCR\CLSID\{1AD234D0-11DC-4462-8F6E-55B030A88333} (deleted)
(8.5.05 14:16:43) UBF: 6
(8.5.05 14:16:43) UBB: 3
(8.5.05 14:16:43) UBR: 14
(8.5.05 14:16:43) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll,DllInstall (deleted)
(8.5.05 14:16:43) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\dokume~1\rakzero\lokale~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\dokume~1\rakzero\lokale~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(8.5.05 14:16:43) Stealth-String not found
(8.5.05 14:16:43) Temp-Files delete on Reboot
(8.5.05 14:16:43) File added to delete: c:\windows\system32\ghfd.dll
(8.5.05 14:16:43) File added to delete: c:\dokume~1\rakzero\lokale~1\temp\se.dll
(8.5.05 14:16:43) File added to delete: c:\dokume~1\rakzero\lokale~1\temp\~df2f50.tmp
(8.5.05 14:16:43) File added to delete: c:\dokume~1\rakzero\lokale~1\temp\~df9985.tmp
(8.5.05 14:16:43) Reboot
------------------------------------------------------------------------
2)
Ad-Aware SE Build 1.05
Logfile Created on:Sonntag, 08. Mai 2005 14:00:21
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Alexa(TAC index:5):11 total references AltnetBDE(TAC index:4):25 total references Claria(TAC index:7):20 total references CoolWebSearch(TAC index:10):20 total references Cydoor(TAC index:7):63 total references MRU List(TAC index:0):9 total references Possible Browser Hijack attempt(TAC index:3):1 total references Tracking Cookie(TAC index:3):4 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Ad-Aware SE Settings =========================== Set : Search for negligible risk entries Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : Always try to unload modules before deletion Set : During removal, unload Explorer and IE if necessary Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Include basic Ad-Aware settings in log file Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Play sound at scan completion if scan locates critical objects 08.05.2005 14:00:21 - Scan started. (Full System Scan) MRU List Object Recognized! Location: : C:\Dokumente und Einstellungen\Rakzero\recent Description : list of recently opened documents MRU List Object Recognized! Location: : software\microsoft\direct3d\mostrecentapplication Description : most recent application to use microsoft direct3d MRU List Object Recognized! 
Location: : software\microsoft\direct3d\mostrecentapplication Description : most recent application to use microsoft direct X MRU List Object Recognized! Location: : software\microsoft\directdraw\mostrecentapplication Description : most recent application to use microsoft directdraw MRU List Object Recognized! Location: : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\directinput\mostrecentapplication Description : most recent application to use microsoft directinput MRU List Object Recognized! Location: : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\directinput\mostrecentapplication Description : most recent application to use microsoft directinput MRU List Object Recognized! Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general Description : windows media sdk MRU List Object Recognized! Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general Description : windows media sdk MRU List Object Recognized! Location: : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\windows media\wmsdk\general Description : windows media sdk Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 468 ThreadCreationTime : 08.05.2005 12:59:32 BasePriority : Normal #:2 [csrss.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 708 ThreadCreationTime : 08.05.2005 12:59:37 BasePriority : Normal #:3 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 732 ThreadCreationTime : 08.05.2005 12:59:38 BasePriority : High #:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 776 ThreadCreationTime : 08.05.2005 12:59:39 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Betriebssystem Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Anwendung für Dienste und Controller InternalName : services.exe LegalCopyright : © Microsoft Corporation. 
Alle Rechte vorbehalten. OriginalFilename : services.exe #:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 788 ThreadCreationTime : 08.05.2005 12:59:39 BasePriority : Normal FileVersion : 5.1.2600.1106 (xpsp1.020828-1920) ProductVersion : 5.1.2600.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe #:6 [ati2evxx.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 976 ThreadCreationTime : 08.05.2005 12:59:39 BasePriority : Normal #:7 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1020 ThreadCreationTime : 08.05.2005 12:59:39 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:8 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1096 ThreadCreationTime : 08.05.2005 12:59:39 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : svchost.exe #:9 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1276 ThreadCreationTime : 08.05.2005 12:59:40 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:10 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1304 ThreadCreationTime : 08.05.2005 12:59:40 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:11 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1640 ThreadCreationTime : 08.05.2005 12:59:40 BasePriority : Normal FileVersion : 5.1.2600.0 (XPClient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : spoolsv.exe #:12 [atkkbservice.exe] FilePath : C:\WINDOWS\ ProcessID : 1824 ThreadCreationTime : 08.05.2005 12:59:41 BasePriority : Normal FileVersion : 1, 0, 0, 0 ProductVersion : 1, 0, 0, 0 ProductName : ASUS Keyboard Service CompanyName : ASUSTeK COMPUTER INC. FileDescription : ASUS Keyboard Service InternalName : ATKKBService LegalCopyright : Copyright (C) 2004 @ASUSTeK COMPUTER INC. 
OriginalFilename : ATKKBService.exe #:13 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1940 ThreadCreationTime : 08.05.2005 12:59:41 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:14 [tmntsrv.exe] FilePath : C:\Programme\Trend Micro\Internet Security\ ProcessID : 1956 ThreadCreationTime : 08.05.2005 12:59:41 BasePriority : Normal FileVersion : 11.41.0.5021 ProductVersion : 11.41.0 ProductName : Trend Pc-cillin 11 CompanyName : Trend Micro Incorporated. FileDescription : Tmntsrv InternalName : Tmntsrv LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved. LegalTrademarks : Copyright (C) Trend Micro Incorporated. OriginalFilename : Tmntsrv.exe #:15 [tmproxy.exe] FilePath : C:\Programme\Trend Micro\Internet Security\ ProcessID : 1968 ThreadCreationTime : 08.05.2005 12:59:41 BasePriority : Normal FileVersion : 11.40.0.5015 ProductVersion : 11.40.0 ProductName : Trend Pc-cillin 11 CompanyName : Trend Micro Incorporated. FileDescription : TmProxy.exe InternalName : TmProxy.exe LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved. LegalTrademarks : Copyright (C) Trend Micro Incorporated. OriginalFilename : TmProxy.exe #:16 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 376 ThreadCreationTime : 08.05.2005 12:59:42 BasePriority : Normal FileVersion : 6.00.2800.1106 (xpsp1.020828-1920) ProductVersion : 6.00.2800.1106 ProductName : Betriebssystem Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten. 
OriginalFilename : EXPLORER.EXE #:17 [pccpfw.exe] FilePath : C:\Programme\Trend Micro\Internet Security\ ProcessID : 700 ThreadCreationTime : 08.05.2005 12:59:43 BasePriority : Normal FileVersion : 11.40.0.5015 ProductVersion : 11.40.0 ProductName : Trend Pc-cillin 11 CompanyName : Trend Micro Incorporated. FileDescription : PCCPFW InternalName : PCCPFW LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved. LegalTrademarks : Copyright (C) Trend Micro Incorporated. OriginalFilename : PCCPFW.exe #:18 [hcontrol.exe] FilePath : C:\WINDOWS\ATK0100\ ProcessID : 1448 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 1043, 2, 15, 36 ProductVersion : 1043, 3, 2, 1 ProductName : ATK0100 FileDescription : HControl InternalName : HControl LegalCopyright : Copyright (c) 2003 OriginalFilename : HControl.exe #:19 [soundman.exe] FilePath : C:\WINDOWS\ ProcessID : 1464 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 5.1.0.29 ProductVersion : 5.1.0.29 ProductName : Realtek Sound Manager CompanyName : Realtek Semiconductor Corp. FileDescription : Realtek Sound Manager InternalName : ALSMTray LegalCopyright : Copyright (c) 2001-2004 Realtek Semiconductor Corp. OriginalFilename : ALSMTray.exe Comments : Realtek AC97 Audio Sound Manager #:20 [alu.exe] FilePath : C:\Programme\ASUS\ASUS Live Update\ ProcessID : 1484 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : ALU Application FileDescription : ALU MFC Application InternalName : ALU LegalCopyright : Copyright (C) 2002 ASUSTek. Corporation OriginalFilename : ALU.EXE #:21 [batterylife.exe] FilePath : C:\Programme\ASUS\Power4 Gear\ ProcessID : 1500 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 1043, 6, 15, 110 ProductVersion : 1043, 3, 6, 15 ProductName : BatteryLife CompanyName : ASUSTeK Computer Inc. 
FileDescription : BatteryLife InternalName : BatteryLife LegalCopyright : Copyright © 2002 ASUSTeK Computer Inc. LegalTrademarks : ASUSTeK Computer Inc. OriginalFilename : BatteryLife.exe Comments : Power4 Gear Utility #:22 [syntplpr.exe] FilePath : C:\Programme\Synaptics\SynTP\ ProcessID : 1512 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 7.11.6 23Jul04 ProductVersion : 7.11.6 23Jul04 ProductName : Synaptics Pointing Device Driver CompanyName : Synaptics, Inc. FileDescription : TouchPad Driver Helper Application InternalName : SynTPLpr LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2004 OriginalFilename : SynTPLpr.exe #:23 [syntpenh.exe] FilePath : C:\Programme\Synaptics\SynTP\ ProcessID : 1536 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 7.11.6 23Jul04 ProductVersion : 7.11.6 23Jul04 ProductName : Synaptics Pointing Device Driver CompanyName : Synaptics, Inc. FileDescription : Synaptics TouchPad Enhancements InternalName : Synaptics Enhancements Application LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2004 OriginalFilename : SynTPEnh.exe #:24 [pccguide.exe] FilePath : C:\Programme\Trend Micro\Internet Security\ ProcessID : 1564 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 11.40.0.5015 ProductVersion : 11.40.0 ProductName : Trend Pc-cillin 11 CompanyName : Trend Micro Incorporated. FileDescription : PCCGuide InternalName : PCCGuide LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved. LegalTrademarks : Copyright (C) Trend Micro Incorporated. OriginalFilename : PCCGuide #:25 [pcclient.exe] FilePath : C:\Programme\Trend Micro\Internet Security\ ProcessID : 1620 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 11.40.0.5015 ProductVersion : 11.40.0 ProductName : Trend Pc-cillin 11 CompanyName : Trend Micro Incorporated. 
FileDescription : PCClient InternalName : PCClient LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved. LegalTrademarks : Copyright (C) Trend Micro Incorporated. OriginalFilename : PCClient #:26 [tmoagent.exe] FilePath : C:\Programme\Trend Micro\Internet Security\ ProcessID : 1596 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 11.40.0.5015 ProductVersion : 11.40.0 ProductName : Trend Pc-cillin 11 CompanyName : Trend Micro Incorporated. FileDescription : TrendMicro Outbreak agent InternalName : TMOAgent LegalCopyright : Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved. LegalTrademarks : Copyright (C) Trend Micro Incorporated. OriginalFilename : TMOAgent.EXE #:27 [atiptaxx.exe] FilePath : C:\Programme\ATI Technologies\ATI Control Panel\ ProcessID : 1704 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 6.14.10.5115 ProductVersion : 6.14.10.5115 ProductName : ATI Desktop Component CompanyName : ATI Technologies, Inc. FileDescription : ATI Desktop Control Panel InternalName : Atiptaxx.exe LegalCopyright : Copyright (C) 1998-2004 ATI Technologies Inc. OriginalFilename : Atiptaxx.exe #:28 [pdvdserv.exe] FilePath : C:\Programme\ASUSTek\ASUSDVD\ ProcessID : 1756 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 5.00.0000 ProductVersion : 5.00.0000 ProductName : PowerDVD CompanyName : Cyberlink Corp. FileDescription : PowerDVD RC Service InternalName : PowerDVD RC Service LegalCopyright : Copyright (c) CyberLink Corp. 
1997-2002 OriginalFilename : PDVDSERV.EXE #:29 [rundll32.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1844 ThreadCreationTime : 08.05.2005 12:59:46 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Betriebssystem Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Eine DLL-Datei als Anwendung ausführen InternalName : rundll LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten. OriginalFilename : RUNDLL.EXE CoolWebSearch Object Recognized! Type : Process Data : se.dll Category : Malware Comment : (CSI MATCH) Object : C:\DOKUME~1\Rakzero\LOKALE~1\Temp\ Warning! CoolWebSearch Object found in memory(C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll) "C:\WINDOWS\System32\rundll32.exe"Process terminated successfully #:30 [ctfmon.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1856 ThreadCreationTime : 08.05.2005 12:59:47 BasePriority : Normal FileVersion : 5.1.2600.1106 (xpsp1.020828-1920) ProductVersion : 5.1.2600.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : CTF Loader InternalName : CTFMON LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : CTFMON.EXE #:31 [msmsgs.exe] FilePath : C:\Programme\Messenger\ ProcessID : 2052 ThreadCreationTime : 08.05.2005 12:59:47 BasePriority : Normal FileVersion : 4.7.0041 ProductVersion : Version 4.7 ProductName : Messenger CompanyName : Microsoft Corporation FileDescription : Messenger InternalName : msmsgs LegalCopyright : Copyright (c) Microsoft Corporation 1997-2001 LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries. 
    OriginalFilename : msmsgs.exe

#:32 [chkmail.exe]
    FilePath : C:\Programme\Asus\Asus ChkMail\
    ProcessID : 2136
    ThreadCreationTime : 08.05.2005 12:59:47
    BasePriority : Normal
    FileVersion : 1043, 1, 15, 5
    ProductVersion : 1043, 3, 1, 15
    ProductName : asus ChkMail
    CompanyName : asus
    FileDescription : ChkMail
    InternalName : ChkMail
    LegalCopyright : Copyright c 2000
    LegalTrademarks : ASUS
    OriginalFilename : ChkMail.exe
    Comments : ASUSTeK

#:33 [siwake.exe]
    FilePath : C:\Programme\Wireless LAN Utility\
    ProcessID : 2184
    ThreadCreationTime : 08.05.2005 12:59:47
    BasePriority : Normal
    FileVersion : 1, 0, 0, 6
    ProductVersion : 1, 0, 0, 6
    ProductName : SiWake Application
    FileDescription : SiWake MFC Application
    InternalName : SiWake
    LegalCopyright : Copyright (C) 2003
    OriginalFilename : SiWake.EXE

#:34 [wmiprvse.exe]
    FilePath : C:\WINDOWS\System32\wbem\
    ProcessID : 2404
    ThreadCreationTime : 08.05.2005 12:59:49
    BasePriority : Normal
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WMI
    InternalName : Wmiprvse.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : Wmiprvse.exe

#:35 [atkosd.exe]
    FilePath : C:\WINDOWS\ATK0100\
    ProcessID : 2836
    ThreadCreationTime : 08.05.2005 12:59:51
    BasePriority : Normal
    FileVersion : 1043, 2, 15, 36
    ProductVersion : 1043, 3, 2, 1
    ProductName : ATK0100
    FileDescription : ATKOSD
    InternalName : ATKOSD
    LegalCopyright : Copyright (c) 2003
    OriginalFilename : ATKOSD.exe

#:36 [iexplore.exe]
    FilePath : C:\Programme\Internet Explorer\
    ProcessID : 2900
    ThreadCreationTime : 08.05.2005 12:59:51
    BasePriority : Normal
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    ProductName : Betriebssystem Microsoft® Windows®
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
    OriginalFilename : IEXPLORE.EXE

#:37 [ad-aware.exe]
    FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 3876
    ThreadCreationTime : 08.05.2005 13:00:10
    BasePriority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Cydoor Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\cydoor

Cydoor Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\cydoor
    Value : Desc2

Cydoor Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\cydoor
    Value : ConnType

Alexa Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : MenuText

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : MenuStatusBar

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : Script

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : clsid

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : Icon

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : HotIcon

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : ButtonText

AltnetBDE Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm25.adm25

AltnetBDE Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm25.adm25
    Value : 

AltnetBDE Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm25.adm25.1

AltnetBDE Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm25.adm25.1
    Value : 

AltnetBDE Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm4.adm4

AltnetBDE Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm4.adm4
    Value : 

AltnetBDE Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm4.adm4.1

AltnetBDE Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\adm4.adm4.1
    Value : 

AltnetBDE Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\appid\adm.exe

AltnetBDE Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\appid\adm.exe
    Value : AppID

AltnetBDE Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\appid\altnet signing module.exe

AltnetBDE Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\appid\altnet signing module.exe
    Value : AppID

Cydoor Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\cydoor

Cydoor Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\cydoor
    Value : AdwrCnt

Cydoor Object Recognized!
    Type : Regkey
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\\software\cydoor

Cydoor Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\\software\cydoor
    Value : Desc2

Cydoor Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : 
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\\software\cydoor
    Value : ConnType

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey : HKEY_USERS
    Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
    Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey : HKEY_USERS
    Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
    Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
    Type : RegValue
    Data : 
    Category : Data Miner
    Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\internet explorer\extensions\cmdmapping
    Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_USERS
    Object : S-1-5-21-642259453-3228153630-4039653244-1005\software\microsoft\internet explorer\main
    Value : HOMEOldSP

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : "HOMEOldSP"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : HOMEOldSP

Possible Browser Hijack attempt Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : "sp"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\run
    Value : sp

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 34
Objects found so far: 44

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 44

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : rakzero@servedby.netshelter[2].txt
    Category : Data Miner
    Comment : Hits:3
    Value : Cookie:rakzero@servedby.netshelter.net/
    Expires : 15.05.2005 12:23:42
    LastSync : Hits:3
    UseCount : 0
    Hits : 3

Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : rakzero@versiontracker[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:rakzero@versiontracker.com/
    Expires : 09.05.2005 12:50:06
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : rakzero@atdmt[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:rakzero@atdmt.com/
    Expires : 07.05.2010 01:00:00
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : rakzero@adtech[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:rakzero@adtech.de/
    Expires : 06.05.2015 12:49:34
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 48

Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AltnetBDE Object Recognized!
    Type : File
    Data : A0002877.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 0, 114
    ProductVersion : 1, 0, 0, 0
    ProductName : Peer Points Manager
    FileDescription : Peer Points Manager
    InternalName : Peer Points Manager
    LegalCopyright : Copyright Altnet Inc. (C) 2002,2003

AltnetBDE Object Recognized!
    Type : File
    Data : A0002880.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 0, 7
    ProductVersion : 1, 0, 0, 7
    ProductName : Brilliant bdedetect
    CompanyName : Brilliant
    FileDescription : bdedetect
    InternalName : bdedetect
    LegalCopyright : Copyright © 2000
    OriginalFilename : bdedetect.dll

AltnetBDE Object Recognized!
    Type : File
    Data : A0002884.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 0, 55
    ProductVersion : 1, 0, 0, 0
    ProductName : Altnet Sharing Manager
    FileDescription : Altnet Sharing Manager
    InternalName : ASM
    LegalCopyright : Copyright 2003
    OriginalFilename : ASM.EXE

AltnetBDE Object Recognized!
    Type : File
    Data : A0002888.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 0, 5
    ProductVersion : 1, 0, 0, 0
    InternalName : ASMPS
    LegalCopyright : Copyright 2003
    OriginalFilename : ASMPS.DLL

AltnetBDE Object Recognized!
    Type : File
    Data : A0002889.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 3, 0, 39, 2
    ProductVersion : 3, 0, 0, 0
    ProductName : ADMDloader
    CompanyName : Altnet
    FileDescription : BDEDownloader
    InternalName : ADMDloader
    LegalCopyright : Copyright © 2001 Altnet
    OriginalFilename : ADMDloader.dll

AltnetBDE Object Recognized!
    Type : File
    Data : A0002890.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 1, 10
    ProductVersion : 1, 0, 0, 0
    ProductName : ADMData
    CompanyName : Altnet
    FileDescription : ADMData
    InternalName : ADMData
    LegalCopyright : Copyright 1999
    OriginalFilename : ADMData.dll

AltnetBDE Object Recognized!
    Type : File
    Data : A0002891.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 0, 8
    ProductVersion : 1, 0, 0, 0
    ProductName : ADMFdi
    CompanyName : Altnet
    FileDescription : ADMFdi
    InternalName : ADMFdi
    LegalCopyright : Copyright © 2000
    OriginalFilename : ADMFdi

AltnetBDE Object Recognized!
    Type : File
    Data : A0002892.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 2, 4, 3
    ProductVersion : 1, 0, 0, 0
    ProductName : ADM
    CompanyName : Altnet
    FileDescription : ADM
    InternalName : ADM
    LegalCopyright : Copyright 2002
    OriginalFilename : ADM25.dll

Cydoor Object Recognized!
    Type : File
    Data : A0002893.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 3, 2, 1, 6
    ProductVersion : 3, 2, 1, 6
    ProductName : cd_clint
    FileDescription : cd_clint
    InternalName : cd_clint
    LegalCopyright : Copyright © 2003
    OriginalFilename : cd_clint.dll

AltnetBDE Object Recognized!
    Type : File
    Data : A0002894.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 4, 0, 0, 5
    ProductVersion : 4, 0, 0, 0
    ProductName : ADM
    CompanyName : Altnet
    FileDescription : ADM
    InternalName : ADM
    LegalCopyright : Copyright © 2003, 2004 Altnet
    OriginalFilename : ADM.exe

AltnetBDE Object Recognized!
    Type : File
    Data : A0002896.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 4, 0, 0, 6
    ProductVersion : 4, 0, 0, 0
    ProductName : ADM
    CompanyName : Altnet
    FileDescription : ADM
    InternalName : ADM
    LegalCopyright : Copyright © 2003 Altnet
    OriginalFilename : ADM4.dll

AltnetBDE Object Recognized!
    Type : File
    Data : A0002898.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 4, 0, 0, 4
    ProductVersion : 4, 0, 0, 0
    ProductName : ADMProg
    CompanyName : Altnet
    InternalName : ADMProg
    LegalCopyright : Copyright © 2003 Altnet
    OriginalFilename : ADMProg.dll

AltnetBDE Object Recognized!
    Type : File
    Data : A0002901.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 0, 2
    ProductVersion : 1, 0, 0, 0
    ProductName : BDE asmend
    CompanyName : BDE
    FileDescription : asmend
    InternalName : KillASM
    LegalCopyright : Copyright © 2003
    OriginalFilename : asmend

AltnetBDE Object Recognized!
    Type : File
    Data : A0002903.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 1, 0, 0, 17
    ProductVersion : 1, 0, 0, 0
    ProductName : Altnet Uninstaller
    CompanyName : Altnet, Inc.
    FileDescription : Uninstaller
    InternalName : AltnetUninstall.exe
    LegalCopyright : Copyright © 2003,2004
    OriginalFilename : AltnetUninstall.exe

Claria Object Recognized!
    Type : File
    Data : A0002955.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : CMESys.exe
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : CMESys.exe

Claria Object Recognized!
    Type : File
    Data : A0002956.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : CMEIIAPI.DLL
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : CMEIIAPI.DLL

Claria Object Recognized!
    Type : File
    Data : A0002957.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GAppMgr.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GAppMgr.dll

Claria Object Recognized!
    Type : File
    Data : A0002958.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GController.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GController.dll

Claria Object Recognized!
    Type : File
    Data : A0002959.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GDlwdEng.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GDlwdEng.dll

Claria Object Recognized!
    Type : File
    Data : A0002960.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GIocl.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GIocl.dll

Claria Object Recognized!
    Type : File
    Data : A0002961.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GIoclClient.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GIoclClient.dll

Claria Object Recognized!
    Type : File
    Data : A0002962.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GMTProxy.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GMTProxy.dll

Claria Object Recognized!
    Type : File
    Data : A0002963.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GObjs.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GObjs.dll

Claria Object Recognized!
    Type : File
    Data : A0002964.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GStore.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GStore.dll

Claria Object Recognized!
    Type : File
    Data : A0002965.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GStoreServer.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GStoreServer.dll

Claria Object Recognized!
    Type : File
    Data : A0002966.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : CME
    CompanyName : GAIN Publishing
    FileDescription : CME II Client Application
    InternalName : GTools.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GTools.dll

Claria Object Recognized!
    Type : File
    Data : A0002970.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : GAIN
    CompanyName : GAIN Publishing
    FileDescription : Gator Client Application
    InternalName : Gator.exe
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : Gator.exe

Claria Object Recognized!
    Type : File
    Data : A0002971.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : GAIN
    CompanyName : GAIN Publishing
    FileDescription : GAIN Uninstaller applet
    InternalName : GUninstaller.exe
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GUninstaller.exe

Claria Object Recognized!
    Type : File
    Data : A0002972.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : GAIN
    CompanyName : GAIN Publishing
    FileDescription : egIEClient Dynamic Link Library
    InternalName : egIEClient.dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : egIEClient.dll

Claria Object Recognized!
    Type : File
    Data : A0002973.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : GAIN
    CompanyName : GAIN Publishing
    FileDescription : EGIEProcess Dynamic Link Library
    InternalName : EGIEProcess dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : EGIEProcess dll

Claria Object Recognized!
    Type : File
    Data : A0002974.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : GAIN
    CompanyName : GAIN Publishing
    FileDescription : EGNSEngine Dynamic Link Library
    InternalName : EGNSEngine dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : EGNSEngine dll

Claria Object Recognized!
    Type : File
    Data : A0002975.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : GAIN
    CompanyName : GAIN Publishing
    FileDescription : EGGCEngine Dynamic Link Library
    InternalName : EGGCEngine dll
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : EGGCEngine dll

Claria Object Recognized!
    Type : File
    Data : A0002976.dll
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\
    FileVersion : 6.0.5.3
    ProductVersion : 6.0.5.3
    ProductName : GAIN
    CompanyName : GAIN Publishing
    FileDescription : GatorRes Dynamic Link Library
    InternalName : GatorRes DLL
    LegalCopyright : Copyright © 1999-2004 GAIN Publishing
    OriginalFilename : GatorRes DLL

Claria Object Recognized!
    Type : File
    Data : A0002978.exe
    Category : Data Miner
    Comment : 
    Object : C:\System Volume Information\_restore{4AF72122-32A5-491B-AA52-234A521A8206}\RP12\

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82

Deep scanning and examining files (D
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 82

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
    Type : Regkey
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_CLASSES_ROOT
    Object : protocols\filter\text/html

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_CLASSES_ROOT
    Object : protocols\filter\text/html
    Value : CLSID

CoolWebSearch Object Recognized!
    Type : Regkey
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_CLASSES_ROOT
    Object : protocols\filter\text/plain

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_CLASSES_ROOT
    Object : protocols\filter\text/plain
    Value : CLSID

CoolWebSearch Object Recognized!
    Type : Regkey
    Data : 
    Category : Malware
    Comment : CWS.About:Blank
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : CWS.About:Blank
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
    Value : DisplayName

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : CWS.About:Blank
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
    Value : UninstallString

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Use Custom Search URL

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\search
    Value : SearchAssistant

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\classes\protocols\filter\text/html
    Value : CLSID

CoolWebSearch Object Recognized!
    Type : RegValue
    Data : 
    Category : Malware
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst

CoolWebSearch Object Recognized!
    Type : RegData
    Data : no
    Category : Malware
    Comment : 
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst
    Data : no

CoolWebSearch Object Recognized!
    Type : RegData
    Data : about:blank
    Category : Malware
    Comment : 
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\search
    Value : SearchAssistant
    Data : about:blank

CoolWebSearch Object Recognized!
    Type : RegData
    Data : no
    Category : Malware
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst
    Data : no

CoolWebSearch Object Recognized!
    Type : RegData
    Data : about:blank
    Category : Malware
    Comment : 
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Start Page
    Data : about:blank

CoolWebSearch Object Recognized!
    Type : File
    Data : se.dll
    Category : Malware
    Comment : 
    Object : C:\DOKUME~1\Rakzero\LOKALE~1\Temp\

Cydoor Object Recognized!
    Type : Folder
    Category : Data Miner
    Comment : 
    Object : C:\WINDOWS\System32\AdCache

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_1_328800.gif
    Category : Data Miner
    Comment : 
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_1_377500.gif
    Category : Data Miner
    Comment : 
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_1_377800.gif
    Category : Data Miner
    Comment : 
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_3_140300.gif
    Category : Data Miner
    Comment : 
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_3_140400.gif
    Category : Data Miner
    Comment : 
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_3_140500.gif
    Category : Data Miner
    Comment : 
    Object : C:\WINDOWS\System32\adcache\

Cydoor Ob
08.05.2005, 14:56
...neu hier
Beiträge: 1 |
#430
-->> CONTINUATION !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! of #429
Cydoor Object Recognized! Type : File Data : B_434_0_4_220500.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_4_221000.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_4_221200.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_4_320900.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_272300.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_0_148700.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_0_148800.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_118300.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_129000.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_221300.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_0_148700.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_0_148800.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_118300.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_129000.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! 
Type : File Data : B_434_2_4_221300.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_222300.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_255000.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_281000.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_351500.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_222300.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_281000.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_1_380300.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_3_112000.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_4_203200.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_3_328800.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_3_377500.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_3_377800.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_3_380300.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! 
Type : File Data : B_434_2_4_106400.swf Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_256200.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_350700.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_350800.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_351000.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_106400.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_256200.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_350700.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_350800.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_4_351000.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_0_4_349300.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_2_351500.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_3_351100.gif Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! Type : File Data : B_434_2_3_351100.htm Category : Data Miner Comment : Object : C:\WINDOWS\System32\adcache\ Cydoor Object Recognized! 
    Type : File
    Data : B_434_0_0_349300.gif
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_272500.htm
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_2_3_204500.htm
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_0_104500.gif
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\System32\adcache\

Cydoor Object Recognized!
    Type : File
    Data : B_434_0_3_347100.gif
    Category : Data Miner
    Comment :
    Object : C:\WINDOWS\System32\adcache\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 71
Objects found so far: 153

14:04:13 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:03:52.203
Objects scanned:110535
Objects identified:143
Objects ignored:0
New critical objects:143

3) S&D

Avenue A, Inc.: Verfolgender Cookie (Internet Explorer: Rakzero) (Cookie, nothing done)

Alexa Related: What's related link (Datei austauschen, nothing done)
C:\WINDOWS\Web\related.htm

AllCyberSearch: Autorun-Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sp

Cydoor: Settings for current user (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_USERS\S-1-5-21-642259453-3228153630-4039653244-1005\Software\Cydoor

Cydoor: Cache for ads (Verzeichnis, nothing done)
C:\WINDOWS\System32\AdCache\

Cydoor: Globale Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_LOCAL_MACHINE\Software\Cydoor

DSO Exploit: Data source object exploit (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

WebDialer: Settings (Registrierungsdatenbank-Wert, nothing done)
HKEY_USERS\S-1-5-21-642259453-3228153630-4039653244-1005\Software\Microsoft\Internet Explorer\Main\HOMEOldSP

--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

------------------------------------------------------------------------

4) Logfile of HijackThis v1.99.1
Scan saved at 14:39:30, on 08.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
C:\Programme\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ASUS\ASUS Live Update\ALU.exe
C:\Programme\ASUS\Power4 Gear\BatteryLife.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Trend Micro\Internet Security\pccguide.exe
C:\Programme\Trend Micro\Internet Security\PCClient.exe
C:\Programme\Trend Micro\Internet Security\TMOAgent.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Asus\Asus ChkMail\ChkMail.exe
C:\Programme\Wireless LAN Utility\SiWake.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Rakzero\Desktop\ANTI Serarch for - SIte\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {D47F5BF2-00F9-41AF-88D5-B16601C7D13C} - C:\WINDOWS\System32\ghfd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programme\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programme\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Programme\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Programme\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\ASUSTek\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programme\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Programme\Asus\ASUS Hotkey\Hotkey.exe
O4 - Global Startup: SiWake.lnk = C:\Programme\Wireless LAN Utility\SiWake.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit FlashGet laden - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O18 - Filter: text/html - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O18 - Filter: text/plain - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Programme\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Programme\Trend Micro\Internet Security\tmproxy.exe

-----------------------------------------------------------------------

Thanks in advance, see you!
12.05.2005, 10:25
Honorary member
Posts: 29434
#431
Hello @Kneidi

Scanned file: rpcss_pl.exe - infected by Trojan-Downloader.Win32.Zlob.f

Hijacker about:blank - se.dll\sp.html --> scan: http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

Start --> Run --> cmd (type it in)
paste in: sc stop rpcss+
press "enter" and wait a moment, then paste in: sc delete rpcss+
press "enter"
paste in: del C:\WINDOWS\System32\rpcss_pl.exe
press "enter"

Fix with HijackThis:
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)

Restart the PC

Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop with 'Save as'. Select 'All files' as the file type. You should now find this file on the desktop.

Quote:
REGEDIT4

Restart the computer in Safe Mode (press F8 while booting). Double-click the file "fixme.reg" on the desktop.

Then please search for (in the Registry --> Edit --> Find, and under Windows):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.affpnpdevsys

Delete with Killbox:
c:\windows\System32\drivers\affpnpdev.sys
c:\windows\System32\drivers\bootcom.sys

+ post the new HijackThis log
__________
Best regards, Sabina
all about PC security
12.05.2005, 10:38
Honorary member
Posts: 29434
#432
Hello @Wonderdave

Scan once more with the se.dll removal tool (make sure you scan all accounts, i.e. the user account, the administrator account etc., preferably in Safe Mode)

Delete:
C:\WINDOWS\System32\adcache

Fix with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D47F5BF2-00F9-41AF-88D5-B16601C7D13C} - C:\WINDOWS\System32\ghfd.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Rakzero\LOKALE~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll
O18 - Filter: text/plain - {81127A12-C5B7-4118-87FD-443DB3C63871} - C:\WINDOWS\System32\ghfd.dll

Restart the PC + post the new HijackThis log
__________
Best regards, Sabina
all about PC security
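An added example, not code from this forum, from the helper or from HijackThis: the script below applies the indicators the helper picks out of these logs for fixing (about:blank start and search pages, se.dll loaded from the Temp directory via rundll32, O18 filters on text/html and text/plain, and a BHO pointing at the same DLL as the filter) to log entries posted in this thread. The regexes, the function names and the decision to flag about:blank only when se.dll is also present are my own assumptions, not a signature set.

```python
"""Flag the about:blank / se.dll hijacker indicators in a HijackThis 1.99 log.

Added example for this thread; it is not a tool from the forum, from the
helper, or from HijackThis. The heuristics mirror the entries the helper
picks out for fixing and are my own assumptions, not a signature set.
"""
import re

# Constructed sample: entries copied from a HijackThis log posted in this
# thread, plus a few benign ones from the same log so the filter has to choose.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EE50CB89-CD21-4F87-8C88-D499BDF12447} - C:\WINDOWS\System32\mcjiic.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {8FE961C0-B0FB-4470-B9D8-5975FD063A29} - C:\WINDOWS\System32\mcjiic.dll
O18 - Filter: text/plain - {8FE961C0-B0FB-4470-B9D8-5975FD063A29} - C:\WINDOWS\System32\mcjiic.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "R1 - ..." / "O18 - ...": section tag, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# The per-user Temp directory on a German XP, in 8.3 or long form.
TEMP_DIR_RE = re.compile(r"\\(LOKALE~1|Lokale Einstellungen)\\Temp\\", re.IGNORECASE)
# First drive-letter path ending in .dll inside an entry body.
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.dll', re.IGNORECASE)


def parse(log):
    """Return [(section, body), ...] for every HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entries(log):
    """Return [(section, body, reason), ...] for the entries that belong to the hijack."""
    entries = parse(log)
    # Pass 1: context. about:blank on its own is a legitimate setting, so it is
    # only flagged when se.dll is present too; the DLLs registered as MIME
    # filters are collected so a BHO pointing at the same DLL can be tied to them.
    se_dll_present = any("se.dll" in body.lower() for _, body in entries)
    filter_dlls = set()
    for sec, body in entries:
        m = DLL_PATH_RE.search(body)
        if sec == "O18" and m:
            filter_dlls.add(m.group(0).lower())
    # Pass 2: classify each entry.
    flagged = []
    for sec, body in entries:
        low = body.lower()
        dll = DLL_PATH_RE.search(body)
        reason = None
        if sec in ("R0", "R1"):
            if low.endswith("= about:blank") and se_dll_present:
                reason = "IE start/search setting reset to about:blank (se.dll hijack context)"
            elif "se.dll" in low and TEMP_DIR_RE.search(body):
                reason = "IE search page served out of se.dll in the Temp directory"
        elif sec == "O4" and "rundll32" in low and TEMP_DIR_RE.search(body):
            reason = "autostart loads a DLL from the Temp directory via rundll32"
        elif sec == "O18" and ("text/html" in low or "text/plain" in low):
            reason = "MIME filter on text/html or text/plain (sees every page IE renders)"
        elif sec == "O2":
            if "(file missing)" in low:
                reason = "BHO whose DLL is gone (stale entry, fix it)"
            elif dll and dll.group(0).lower() in filter_dlls:
                reason = "BHO DLL is also registered as the O18 MIME filter"
        elif sec == "O23" and "(file missing)" in low:
            reason = "service whose binary is gone (stale entry, fix it)"
        if reason:
            flagged.append((sec, body, reason))
    return flagged


if __name__ == "__main__":
    for sec, body, reason in flag_entries(SAMPLE_LOG):
        print(f"FIX {sec}: {body}\n     -> {reason}")
```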
12.05.2005, 18:17
...new here
Posts: 9
#433
Hello! Yes, I also have this problem with "search for..." as the start page, and I have also used Ad-Aware, Search and Destroy and CWShredder. I also created my log file and had it analysed automatically at hijackThis. It finds 2 things that I am supposed to fix, which I do, but the next time they are simply back again. I have also read through this thread a bit, but unfortunately I really have no idea what exactly I have to do now. Maybe someone can help me out briefly once more; here is my log file:
Logfile of HijackThis v1.99.1
Scan saved at 18:08:54, on 12.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\quicktime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
D:\ICQ\ICQLite\ICQLite.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
D:\SpySUbtract\SpySub.exe
D:\Spybot - Search & Destroy\SpybotSD.exe
D:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Matthias\Lokale Einstellungen\Temp\HijackThis.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EE50CB89-CD21-4F87-8C88-D499BDF12447} - C:\WINDOWS\System32\mcjiic.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "D:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlr] C:\WINDOWS\netstat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] D:\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Matthias\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQ\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = D:\SpySUbtract\SpySub.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A54EFD3-BB91-4B79-9175-A6A64F9DADB1}: NameServer = 192.168.4.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FADB04F6-7A26-42EF-BF21-7F3CCBEC1184}: NameServer = 192.168.4.1
O18 - Filter: text/html - {8FE961C0-B0FB-4470-B9D8-5975FD063A29} - C:\WINDOWS\System32\mcjiic.dll
O18 - Filter: text/plain - {8FE961C0-B0FB-4470-B9D8-5975FD063A29} - C:\WINDOWS\System32\mcjiic.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Many thanks in advance!
12.05.2005, 23:12
Honorary member
Posts: 29434
#434
Hello @Matthi

Hijacker about:blank - se.dll\sp.html --> scan: http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

CCleaner --> delete all *temp files
http://www.ccleaner.com/ccdownload.asp

#new start page
Go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if a prompt appears --> click Apply and finally OK, and set a new start page

Restart and post the new HijackThis log
__________
Best regards, Sabina
all about PC security
20.07.2005, 01:04
...new here
Posts: 2
#435
Hi everyone,
I find it unbelievable how much effort you good souls put into helping us PC users get rid of these Trojans and similar creatures! Many heartfelt thanks in advance! I have read up a bit, but had to realise that in the end the solution always turns out to be very individual. So here is my usual problem:
- the start page keeps changing to searchweb2.com
- every now and then I get icons on the desktop for casinos and the like
Of course I ran various anti-spyware software... obviously, it does not help. I have a hardware firewall, but well... Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 13:46:10, on 21.07.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\avmclient\avmbtservice.exe
C:\Programme\avmclient\panapp.exe
C:\Programme\avmclient\AvmObexService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\Fast.exe
D:\Programme\norton antivirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe
D:\PROGRA~2\NORTON~1\navapw32.exe
D:\Programme\Brennersoftware\winoncd\DirectCD\DirectCD.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
D:\PROGRA~2\DVD-RE~1\BSCLIP~1\Win2K\BSCLIP.exe
C:\WINDOWS\System32\ezSP_Px.exe
D:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\ATI\ATI Multimedia\main\ATIDtct.EXE
C:\Programme\QuickTime\qttask.exe
d:\Programme\Logitech\MouseWare\system\em_exec.exe
D:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\avmclient\bluefritz.exe
C:\Programme\avmclient\AvmObex.exe
C:\Programme\avmclient\AvmObex.exe
D:\Programme\QuickTime\iTunesHelper.exe
D:\ATI\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\MSN Messenger\msnmsgr.exe
D:\Programme\Nikon\Foto Station Easy\FotoStation Easy AutoLaunch.exe
D:\Programme\Nikon\NkvMon.exe
D:\Programme\Office\Office\1031\msoffice.exe
C:\WINDOWS\system32\RAMASST.exe
D:\Programme\3deep\True Internet Color\TICIcon.exe
D:\Programme\palm\HOTSYNC.EXE
C:\Programme\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
D:\Programme\Office\Office\OUTLOOK.EXE
D:\Programme\TWIXTEL\twxroute.exe
D:\Programme\TWIXTEL\TwixTel.exe
D:\Programme\TWIXTEL\ShowCall.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\Programme\Office\Office\MSPUB.EXE
D:\Programme\Office\Office\POWERPNT.EXE
D:\PROGRA~2\NETSCAPE\NETSCAPE\NETSCP.EXE
F:\j\SICHER~1\WinZip\winzip32.exe
C:\DOKUME~1\Besitzer\LOKALE~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ddrqophfabffusdxpcy.org/gUjLsK6K7FnNoUwO0GDxLnI4OFiSaQpNT6aefMPZgy/F1cHKzxzEAONx5/IwfsfT.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cqqgyyfndbfw.com/wohwn17HaL6RdO3Ml8l5ZDEduAuBHs7z28TrKO5P1n0.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bluewin.ch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programme\AcrobatReader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Programme\norton antivirus\NavShExt.dll
O2 - BHO: (no name) - {D1833200-F026-55FB-7D2B-AF3F63202CB8} - C:\PROGRA~1\LOCKSA~1\AUDIODATE.exe (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Programme\norton antivirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Programme\Brennersoftware\winoncd\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] d:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [B'sCLiP] D:\PROGRA~2\DVD-RE~1\BSCLIP~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [zBrowser Launcher] d:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] D:\ATI\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "D:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVMBlueClient] C:\Programme\avmclient\bluefritz.exe
O4 - HKLM\..\Run: [AVMBLUEOBEX] C:\Programme\avmclient\AvmObex.exe -pushclient -ftpclient
O4 - HKLM\..\Run: [XoftSpy] d:\Programme\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\QuickTime\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "D:\ATI\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Logo this] C:\DOKUME~1\Besitzer\ANWEND~1\CHINRE~1\body inter flag.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Programme\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = D:\Programme\palm\HOTSYNC.EXE
O4 - Startup: MPXPTray.lnk = C:\Programme\Windows Media Bonus Pack for Windows XP\PowerToys\mpxptray.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = D:\Programme\AcrobatReader\Reader\reader_sl.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Office\Office\OSA9.EXE
O4 - Global Startup: Mountit.lnk = D:\Programme\Brennersoftware\winoncd\MountIt.exe
O4 - Global Startup: NkvMon.exe.lnk = D:\Programme\Nikon\NkvMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: True Internet Color Icon.lnk = D:\Programme\3deep\True Internet Color\TICIcon.exe
O4 - Global Startup: Zahlungserinnerung.lnk = E:\quicken\billmind.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm368XXCH
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\ATI\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - d:\PROGRA~2\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM BT Connection Service - AVM Berlin - C:\Programme\avmclient\avmbtservice.exe
O23 - Service: AVM BT PAN Service - AVM Berlin - C:\Programme\avmclient\panapp.exe
O23 - Service: AVM BT OBEX Service (AvmObexService) - AVM Berlin - C:\Programme\avmclient\AvmObexService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - D:\Programme\norton antivirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

Now I will let one of you have a calm look at it and look forward to a reply. Regards and many thanks!!!

This post was edited by nolimit on 21.07.2005 at 13:47.
I do not understand what you mean...... please carry out what I wrote..... and do it correctly, and then post the new HijackThis log
__________
Best regards, Sabina
all about PC security