*http://69.20.61.245/info@nictechnetworks.com/ad-armorie.htm

Warnings about security vulnerabilities and help with removing viruses, worms and Trojans.

Post by flatjamboo on 10.01.2005, 13:14

Hello everyone,

for a few days I have had the following problem:

1. Internet Explorer opens on its own and then shows the following pages:

http://69.20.61.245/info@nictechnetwork ... rmorie.htm

or also:

http://mediabuy-nic.cjt1.net/HTM/406/1/ ... 4869822515?

It can be closed with the CLOSE cross, but it is endlessly annoying!!!

2. The computer shows a black screen, is shut down as if by a ghostly hand and restarts.
(I was able to get rid of this problem with System Restore, but will it come back??)

Can anyone help me? I can't get it sorted on my own. Ad-Aware... Panda Titanium Anti Vir... Clear Prog... don't help either.

Here is my current hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:56:21, on 10.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\Dit.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\ISDN_UTL\isdnsta.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\fgwdvj.exe
C:\PROGRA~1\GEMEIN~1\WinTools\WToolsA.exe
C:\Programme\ISTsvc\istsvc.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Nokia\Nokia PC Suite 6\pcsync2.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\DitExp.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\Programme\Gemeinsame Dateien\WinTools\WSup.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programme\Microsoft ActiveSync\WCESMgr.exe
C:\Programme\Microsoft Office\Office\OUTLOOK.EXE
C:\Dokumente und Einstellungen\STANDARD\Eigene Dateien\Rainer\Downl.Rainer\tools von Asss\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.de/ws2/eBayISAPI.dl ... enav=&sid=&ruproduct=&pp=&co_partnerId=2&ru=&i1=&ruparams=&pageType=&pa2=&bshowgif=&pa1=&pUserId=&errmsg=&UsingSSL=&runame=&siteid=77
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.71.94.149:8080
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\GEMEIN~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [ISDNStatus] C:\Programme\ISDN_UTL\isdnsta.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [dnNO9u] C:\WINDOWS\fgwdvj.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\GEMEIN~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\pcsync2.exe /NoDialog
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

Many thanks in advance - flatjamboo!! :D :D :D
flatjamboo
 
Posts: 28
Registered: 08.01.2005, 17:48


Post by Nikita on 10.01.2005, 14:08

Hello @flatjamboo

#My Computer -> right mouse click --> Windows Explorer -> "Tools/Folder Options" ->
"View" -> remove the check mark at "Hide protected operating system files
(recommended)" and activate "Show all files and folders"
-> "OK"


Disable System Restore
«XP
http://service1.symantec.com/SUPPORT/IN ... 7105707924

Download (and save everything to the desktop) --> don't scan yet, only in Safe Mode first

#AboutBuster --> update
www.malwarebytes.biz/AboutBuster.zip

#eScan detection tool
http://www.rokop-security.de/board/inde ... topic=3867
create the folder c:\bases
download mwav.exe, unpack the file into the folder c:\bases (important!) and then run kavupd.exe (update, in DOS)

#open HijackThis -->> button "Scan" -->> set the check marks -->> button "Fix checked" -->> restart PC

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.de/ws2/eBayISAPI.dl ... oduct=&pp= &co_partnerId=2&ru=&i1=&ruparams=&pageType=&pa2=&bshowgif=&pa1=&pUserId=&errmsg= &UsingSSL=&runame=&siteid=77
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\GEMEIN~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [dnNO9u] C:\WINDOWS\fgwdvj.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\GEMEIN~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

Restart PC

KillBox
http://www.bleepingcomputer.com/files/killbox.php
<Delete File on Reboot

C:\PROGRA~1\GEMEIN~1\WinTools\WToolsB.dll
C:\PROGRA~1\GEMEIN~1\WinTools\WToolsA.exe
C:\Programme\Gemeinsame Dateien\WinTools\WSup.exe
C:\WINDOWS\fgwdvj.exe
C:\Programme\ISTsvc\istsvc.exe
c:\windows\system32\Guard.tmp
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

and click on the red cross,
when asked "Do you want to reboot?" ----> click "no", and paste in the next one; only on the last one click "yes"

Restart PC
go into Safe Mode

http://www.tu-berlin.de/www/software/vi ... mode.shtml

Delete:
C:\PROGRA~1\GEMEIN~1\WinTools\
C:\Programme\ISTsvc\
C:\PROGRA~1\COMMON~1\tsa\

Disk Cleanup: and deleting the temporary files
<Start<Run--> type in: cleanmgr
delete only:
#Click: Temporary Internet Files, OK
#Click: Temporary files, OK

delete temporary files
C:\WINDOWS\Temp\
C:\Temp\
C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temporary Internet Files\Content.IE5 (do not delete the index.dat)

#scan with AboutBuster --> then post the log from the scan

and start the scanner with "mwav.exe" [or: MWAVSCAN.COM]. Set all check marks:
Select: "all files", Memory, Startup-Folders, Registry, System Folders,
Services, Drive/All Local drives, Folder [C:\WINDOWS], Include SubDirectory
--> and click "Scan".

go back into Normal Mode

HOSTS FILE:
#open HijackThis
http://www.downloads.subratam.org/hijackthis.zip
"Do a system scan only" --> Config --> Misc Tools --> Open Hosts file Manager --> delete line(s) --> save Log
delete everything, leave only:
127.0.0.1 localhost
#original hosts file

#ClearProg.. download the newest version <1.4.0 Final
http://www.clearprog.de/downloads.php
<and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- Cookies
- History
- Temporary Internet files (cache)
- the entered URLs


------------------------------------------------------------------------------------------------
please do the following:
now open mwav.txt with the editor and go to Edit -> Find, enter "infected" there

select each line that contains "infected" and paste it here, find next, and so on
and at the very bottom is the summary, post that here too


Please install and update Ad-Aware: --> please post the log from the scan
http://www.download.com/Ad-Aware-SE-Per ... l&tag=top5
Download the VX2 plugin for it and use it according to the instructions:
http://www.lavasoft.de/software/addons/vx2cleaner.shtml

Please download DllCompare from here
http://www.atribune.org/downloads/DllCompare.exe
click: Locate.com button.
when the scan is finished
click: Compare button
click: and create the log ---> please post it

Download: FindIt.zip --> post the log from the scan
http://bilder.informationsarchiv.net/Nikitas_Tools/
Download, unpack and click on: "find.bat" [ignore: File not found messages]
<DOS opens --> wait for the scan to finish --> the text editor opens --> and post the text of output.txt.

#new start page
go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet files, click Delete Files --> also set the check mark at Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if a prompt appears --> click Apply and finally OK, and set a new start page

+ the new log from HijackThis
Nikita
Moderator
 
Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lissabon
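As an added example (not from this thread or from any of the tools named in it), the following Python script reviews HijackThis entries of the kind discussed above and applies the hosts-file cleanup rule from the moderator's instructions; the heuristics, the sample log excerpt and the sample hosts file are my own constructions built from the lines posted in this thread.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted in this thread
# (the entries the moderator marked for "Fix checked", plus benign ones for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.71.94.149:8080
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\GEMEIN~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dnNO9u] C:\WINDOWS\fgwdvj.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed hosts file that reproduces the O1 entries above.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

LOOPBACK = {"127.0.0.1", "::1"}
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}
# A Run-key label that mixes upper case, lower case and digits without forming a
# word (such as "dnNO9u") is typical of generated names; vendors use readable ones.
RANDOM_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{5,}$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _exe_path(command: str) -> str:
    """Strip surrounding quotes and trailing switches from an O4 command string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" /", 1)[0]


def review_hijackthis(log_text: str) -> List[Finding]:
    """Return the HijackThis entries a reviewer should look at, in log order.

    These are generic heuristics only; entries such as the WinTools and ISTsvc
    autoruns fixed in this thread are recognised by name, not by shape."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("R1 -") and "ProxyServer" in line:
            findings.append(Finding("R1", "IE proxy server set; confirm the user configured it", line))
        elif (m := O1_RE.match(line)):
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(Finding("O1", f"hosts file redirects {host} to {ip}", line))
        elif line.startswith("O2 -") and "(no name)" in line:
            findings.append(Finding("O2", "browser helper object without a name", line))
        elif (m := O4_RE.match(line)):
            _hive, _key, label, command = m.groups()
            path = _exe_path(command)
            reasons = []
            if RANDOM_LABEL.match(label):
                reasons.append(f"autorun label {label!r} looks generated")
            if ntpath.dirname(path).lower() in WINDOWS_ROOTS:
                reasons.append("autorun binary placed directly in the Windows directory")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), line))
    return findings


def clean_hosts(hosts_text: str) -> str:
    """Keep comments and loopback mappings only: the state the hosts-file step in
    the thread leaves behind ("delete everything, leave only 127.0.0.1 localhost")."""
    kept = []
    for line in hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.split()[0] in LOOPBACK:
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in review_hijackthis(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(clean_hosts(SAMPLE_HOSTS))
```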

and once again.....thanks Nikita

Post by flatjamboo on 10.01.2005, 17:47

and once again.....thanks Nikita...


for the prompt help; I tried to follow your instructions and am now sending you the logfiles.

At one point, however, I got stuck:

please do the following:
now open mwav.txt with the editor and go to Edit -> Find, enter "infected" there

select each line that contains "infected" and paste it here, find next, and so on
and at the very bottom is the summary, post that here too


What is meant here by 'the editor' - what is mwav text??


Here are the logfiles:


AB logfile:
Scanned at: 14:43:41 on: 10.01.2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 22

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 22

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!



Lavasoft Ad-aware Personal Build 162
Logfile created on :Montag, 10. Januar 2005 16:13:57
Created with Ad-aware Personal, free for private use.
Using reference-file :0R150 05.07.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 10.01.2005 14:56:58
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:04
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:04
BasePriority : Normal
FileSize : 106 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. Alle Rechte vorbehalten.
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Betriebssystem Microsoft Windows
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:13:57
Last modified : 03.08.2004 23:58:12

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:04
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft Windows Operating System
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:13:57
Last modified : 03.08.2004 23:58:00

#:5 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:04
BasePriority : Normal
FileSize : 404 KB
FileVersion : 6.14.10.4109
ProductVersion : 6.14.10.4109.04
Copyright : Copyright 1999-2004 ATI Technologies Inc.
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
OriginalFilename : ATI2EVXX.EXE
ProductName : ATI External Event Utility for WindowsNT and Windows9X
Created on : 26.10.2004 19:33:52
Last accessed : 10.01.2005 15:13:57
Last modified : 26.10.2004 19:33:52

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:04
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:13:57
Last modified : 03.08.2004 23:58:16

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 10.01.2005 14:57:05
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:13:57
Last modified : 03.08.2004 23:58:16

#:8 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:07
BasePriority : Normal
FileSize : 33 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. Alle Rechte vorbehalten.
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Betriebssystem Microsoft Windows
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 14:17:53
Last modified : 03.08.2004 23:58:12

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:07
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft Windows Operating System
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:13:57
Last modified : 03.08.2004 23:58:16

#:10 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:10
BasePriority : Normal
FileSize : 404 KB
FileVersion : 6.14.10.4109
ProductVersion : 6.14.10.4109.04
Copyright : Copyright 1999-2004 ATI Technologies Inc.
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
OriginalFilename : ATI2EVXX.EXE
ProductName : ATI External Event Utility for WindowsNT and Windows9X
Created on : 26.10.2004 19:33:52
Last accessed : 10.01.2005 15:13:57
Last modified : 26.10.2004 19:33:52

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 10.01.2005 14:57:10
BasePriority : Normal
FileSize : 1011 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
Copyright : Microsoft Corporation. Alle Rechte vorbehalten.
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Betriebssystem Microsoft Windows
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 14:57:10
Last modified : 03.08.2004 23:57:54

#:12 [atiptaxx.exe]
FilePath : C:\Programme\ATI Technologies\ATI Control Panel\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 336 KB
FileVersion : 6.14.10.5131
ProductVersion : 6.14.10.5131
Copyright : Copyright (C) 1998-2004 ATI Technologies Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
OriginalFilename : Atiptaxx.exe
ProductName : ATI Desktop Component
Created on : 17.11.2004 18:08:33
Last accessed : 10.01.2005 14:56:52
Last modified : 26.10.2004 20:10:00

#:13 [soundman.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 46 KB
FileVersion : 5.0.17
ProductVersion : 5.0.17
Copyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
OriginalFilename : ALSMTray.exe
ProductName : Realtek Sound Manager
Created on : 17.11.2004 18:11:37
Last accessed : 10.01.2005 15:13:57
Last modified : 20.01.2003 09:48:14

#:14 [apvxdwin.exe]
FilePath : C:\Programme\Panda Software\Panda Titanium Antivirus 2004\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 252 KB
FileVersion : 4.07.09
ProductVersion : 4.07.09
Copyright : Panda Software 2004
CompanyName : Panda Software International
FileDescription : ApVxdWin
InternalName : ApVxdWin.exe
OriginalFilename : ApVxdWin.exe
ProductName : Panda Antivirus Aplication
Created on : 17.11.2004 18:22:26
Last accessed : 10.01.2005 15:13:57
Last modified : 17.12.2004 12:29:30

#:15 [hotkey.exe]
FilePath : C:\WINDOWS\Twain_32\FlatBed\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 452 KB
Created on : 17.11.2004 21:10:31
Last accessed : 10.01.2005 14:57:40
Last modified : 13.08.2002 07:14:10

#:16 [aoldial.exe]
FilePath : C:\Programme\Gemeinsame Dateien\AOL\ACS\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 485 KB
FileVersion : 2.6.6.3.DE.55
ProductVersion : 2.6.6.3.DE.55
Copyright : Copyright 2003 America Online, Inc.
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
OriginalFilename : AOLDial.exe
ProductName : AOL Connectivity Service
Created on : 09.11.2004 20:36:02
Last accessed : 10.01.2005 14:23:16
Last modified : 09.11.2004 20:36:02

#:17 [type32.exe]
FilePath : C:\Programme\Microsoft Hardware\Keyboard\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 92 KB
FileVersion : 2.20.447.0
ProductVersion : 2.2
Copyright : Copyright (C) Microsoft Corp. 1995-2001
CompanyName : Microsoft Corporation
FileDescription : Microsoft IntelliType Pro
InternalName : Type32
OriginalFilename : Type32.exe
ProductName : Microsoft IntelliType Pro
Created on : 22.03.2002 04:41:56
Last accessed : 10.01.2005 15:13:57
Last modified : 22.03.2002 04:41:56

#:18 [dit.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 72 KB
Created on : 17.11.2004 23:15:11
Last accessed : 10.01.2005 15:13:57
Last modified : 28.08.2002 12:43:26

#:19 [pcmservice.exe]
FilePath : C:\Programme\Home Cinema\PowerCinema\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 80 KB
FileVersion : 3.0.2108
ProductVersion : 3.0.2108
Copyright : Copyright (c) 2003 CyberLink Corp.
CompanyName : CyberLink Corp.
FileDescription : CyberLink PowerCinema Resident Program
InternalName : CyberLink PowerCinema Resident Program
OriginalFilename : PCMService.EXE
ProductName : Cyberlink PowerCinema 3.0
Created on : 18.11.2004 13:34:08
Last accessed : 10.01.2005 15:13:57
Last modified : 08.09.2004 20:32:08

#:20 [isdnsta.exe]
FilePath : C:\Programme\ISDN_UTL\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 468 KB
FileVersion : 3.30
ProductVersion : 3.30
Copyright : Copyright 2000-2002
CompanyName : ISDN Company
FileDescription : ISDN Status Monitor
InternalName : ISDNSTA
OriginalFilename : ISDNSTA.exe
ProductName : ISDN Status Monitor
Created on : 18.11.2004 22:06:14
Last accessed : 10.01.2005 14:57:13
Last modified : 27.12.2002 10:34:42

#:21 [hpwuschd.exe]
FilePath : C:\Programme\Hewlett-Packard\HP Software Update\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 48 KB
Created on : 17.12.2002 10:40:22
Last accessed : 10.01.2005 15:13:57
Last modified : 17.12.2002 10:40:22

#:22 [hpotdd01.exe]
FilePath : C:\Programme\Hewlett-Packard\Digital Imaging\bin\
ThreadCreationTime : 10.01.2005 14:57:11
BasePriority : Normal
FileSize : 40 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2002
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
OriginalFilename : hpotdd01.exe
ProductName : Hewlett-Packard hpotdd01
Created on : 02.12.2002 19:56:10
Last accessed : 10.01.2005 15:13:57
Last modified : 02.12.2002 19:56:10

#:23 [instan~1.exe]
FilePath : C:\PROGRA~1\TEXTBR~1.0\Bin\
ThreadCreationTime : 10.01.2005 14:57:12
BasePriority : Normal
FileSize : 31 KB

#:24 [datala~1.exe]
FilePath : C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\
ThreadCreationTime : 10.01.2005 14:57:12
BasePriority : Normal
FileSize : 995 KB
FileVersion : 6, 4, 76, 5
ProductVersion : 5, 0
Copyright : Copyright (c) 2004. Nokia. All rights reserved.
CompanyName : Nokia Mobile Phones Ltd.
FileDescription : DataLayer 2.0 Module
InternalName : DataLayer 2.0
OriginalFilename : DataLayer.exe
ProductName : Nokia PC Suite

#:25 [trayap~1.exe]
FilePath : C:\PROGRA~1\Nokia\NOKIAP~1\
ThreadCreationTime : 10.01.2005 14:57:12
BasePriority : Normal
FileSize : 145 KB
FileVersion : 6, 4, 27, 0
ProductVersion : 6, 0, 27, 0
Copyright : Copyright 2001 - 2004 Nokia. All Rights Reserved.
FileDescription : Tray Application
InternalName : Tray Application
OriginalFilename : TrayApplication.EXE
ProductName : Tray Application

#:26 [fpassist.exe]
FilePath : C:\Programme\FreePDF_XP\
ThreadCreationTime : 10.01.2005 14:57:12
BasePriority : Normal
FileSize : 127 KB
FileVersion : 3.00.0132 8Produc
ProductVersion : 3.00.0132 4Intern
Copyright : Stefan Heinz - shbox.de 8LegalTrademarks Fre
CompanyName : shbox.de h>File
FileDescription : FreePDF Assistent für FreePDF3 T0LegalCopyright Stefan Hein
InternalName : fpAssist DOrig
OriginalFilename : fpAssist.exe ??  ?
ProductName : FreePDF_Assistant 4FileVersion 3
Created on : 29.12.2003 15:30:38
Last accessed : 10.01.2005 14:57:13
Last modified : 29.12.2003 15:30:38

#:27 [skype.exe]
FilePath : C:\Programme\Skype\Phone\
ThreadCreationTime : 10.01.2005 14:57:13
BasePriority : Normal
FileSize : 11029 KB
Created on : 12.11.2004 16:32:54
Last accessed : 10.01.2005 14:57:13
Last modified : 12.11.2004 16:32:54

#:28 [wcescomm.exe]
FilePath : C:\Programme\Microsoft ActiveSync\
ThreadCreationTime : 10.01.2005 14:57:13
BasePriority : Normal
FileSize : 408 KB
FileVersion : 3.7.0.3083
ProductVersion : 3.7.3083
Copyright : Copyright 1995-2003 Microsoft Corp. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Connection Manager
InternalName : wcescomm
OriginalFilename : WCESCOMM.EXE
ProductName : Microsoft ActiveSync
Created on : 17.11.2004 23:04:02
Last accessed : 10.01.2005 15:13:58
Last modified : 22.04.2003 17:06:56

#:29 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 10.01.2005 14:57:13
BasePriority : Normal
FileSize : 15 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft Windows Operating System
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:13:58
Last modified : 03.08.2004 23:57:50

#:30 [em_exec.exe]
FilePath : C:\Programme\Logitech\MouseWare\system\
ThreadCreationTime : 10.01.2005 14:57:13
BasePriority : Normal
FileSize : 37 KB
FileVersion : 9.79.025
ProductVersion : 9.79.025
Copyright : (C) 1987-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 17.11.2004 22:19:31
Last accessed : 10.01.2005 15:13:58
Last modified : 08.01.2004 08:50:00

#:31 [pcsync2.exe]
FilePath : C:\Programme\Nokia\Nokia PC Suite 6\
ThreadCreationTime : 10.01.2005 14:57:13
BasePriority : Normal
FileSize : 1100 KB
FileVersion : 2.00 (398)
ProductVersion : 2.00
Copyright : Copyright Time I.S. Ltd. 2002 - 2004
CompanyName : Time Information Services Ltd.
FileDescription : PC Sync
InternalName : PcSync2
OriginalFilename : PcSync2.EXE
ProductName : PC Sync
Created on : 23.09.2004 17:26:04
Last accessed : 10.01.2005 14:57:16
Last modified : 23.09.2004 17:26:04

#:32 [ditexp.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 10.01.2005 14:57:15
BasePriority : Normal
FileSize : 64 KB
Created on : 17.11.2004 23:15:11
Last accessed : 10.01.2005 15:13:58
Last modified : 12.07.2002 09:29:24

#:33 [servic~1.exe]
FilePath : C:\PROGRA~1\GEMEIN~1\PCSuite\Services\
ThreadCreationTime : 10.01.2005 14:57:15
BasePriority : Normal
FileSize : 86 KB
FileVersion : 6, 4, 17, 0
ProductVersion : 6.0
Copyright : Copyright 2002-2004 Nokia. All Rights Reserved.
CompanyName : Nokia.
FileDescription : ServiceLayer Module
InternalName : ServiceLayer
OriginalFilename : ServiceLayer.exe
ProductName : Nokia Connectivity Library

#:34 [aolacsd.exe]
FilePath : C:\Programme\Gemeinsame Dateien\AOL\ACS\
ThreadCreationTime : 10.01.2005 14:57:15
BasePriority : Normal
FileSize : 1113 KB
FileVersion : 2.6.6.3.DE.55
ProductVersion : 2.6.6.3.DE.55
Copyright : Copyright 2003 America Online, Inc.
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : AOLacsd
OriginalFilename : AOLacsd.exe
ProductName : AOL Connectivity Service
Created on : 09.11.2004 20:36:01
Last accessed : 10.01.2005 14:56:52
Last modified : 09.11.2004 20:36:01

#:35 [mdm.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\
ThreadCreationTime : 10.01.2005 14:57:16
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23.02.2001 09:07:30
Last accessed : 10.01.2005 14:56:52
Last modified : 23.02.2001 09:07:30

#:36 [pavprsrv.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\
ThreadCreationTime : 10.01.2005 14:57:17
BasePriority : Normal
FileSize : 32 KB
FileVersion : 1.1.1.4
ProductVersion : 1.1.1.4
Copyright : Copyright 2004, Panda Software
CompanyName : Panda Software
FileDescription : Panda Process Protection Service
InternalName : PavPrSrv
OriginalFilename : PavPrSrv.exe
ProductName : PandaShield
Created on : 17.11.2004 18:21:39
Last accessed : 10.01.2005 14:56:52
Last modified : 17.11.2004 18:24:57

#:37 [pavsrv51.exe]
FilePath : C:\Programme\Panda Software\Panda Titanium Antivirus 2004\
ThreadCreationTime : 10.01.2005 14:57:21
BasePriority : High
FileSize : 204 KB
FileVersion : 1, 3, 144, 9
ProductVersion : 1.3.144.0
Copyright : Panda Software 2004.
CompanyName : Panda Software
FileDescription : On-Access Antivirus Scanner Service.
InternalName : pavsrv.exe
OriginalFilename : pavsrv.exe
ProductName : Panda Antivirus for Windows NT/2000/XP/2003
Created on : 17.11.2004 18:22:24
Last accessed : 10.01.2005 14:56:52
Last modified : 21.06.2004 22:40:32

#:38 [psimsvc.exe]
FilePath : C:\Programme\Panda Software\Panda Titanium Antivirus 2004\
ThreadCreationTime : 10.01.2005 14:57:21
BasePriority : Normal
FileSize : 60 KB
FileVersion : 1, 3, 2, 0
ProductVersion : 1, 3, 2, 0
Copyright : Panda Software 2004.
CompanyName : Panda Software Internacional
FileDescription : Common Interface Manager
InternalName : PsImSvc
OriginalFilename : PsImSvc.exe
ProductName : Panda Antivirus
Created on : 17.11.2004 18:25:03
Last accessed : 10.01.2005 14:56:52
Last modified : 17.11.2004 18:24:57

#:39 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 10.01.2005 14:57:22
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:13:57
Last modified : 03.08.2004 23:58:16

#:40 [avengine.exe]
FilePath : C:\Programme\Panda Software\Panda Titanium Antivirus 2004\
ThreadCreationTime : 10.01.2005 14:57:22
BasePriority : Normal
FileSize : 92 KB
FileVersion : 1, 3, 144, 3
ProductVersion : 1.3.144.0
Copyright : Panda Software 2004.
CompanyName : Panda Software
FileDescription : Enhanced On-Access Antivirus Scanner Process.
InternalName : avengine.exe
OriginalFilename : avengine.exe
ProductName : Panda Antivirus for Windows NT/2000/XP/2003
Created on : 17.11.2004 18:22:24
Last accessed : 10.01.2005 14:37:06
Last modified : 24.08.2004 08:18:06

#:41 [scards32.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 10.01.2005 14:57:22
BasePriority : Normal
FileSize : 280 KB
FileVersion : V2.14.38
ProductVersion : V2.14
Copyright : 1998-2002, Towitoko AG
CompanyName : Towitoko AG
FileDescription : SCARD 32-Bit 95/98-ServerProcess / NT-Service
InternalName : SCARDS32
OriginalFilename : SCARDS32.EXE
ProductName : CHIPDRIVE IFD Drivers
Created on : 17.11.2004 20:16:16
Last accessed : 10.01.2005 15:13:58
Last modified : 17.06.2002 01:14:00

#:42 [mpapi3s.exe]
FilePath : C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\
ThreadCreationTime : 10.01.2005 14:57:23
BasePriority : Normal
FileSize : 446 KB
FileVersion : 6.4.147.1
ProductVersion : 6.0
Copyright : Copyright 1999-2004 Nokia. All Rights Reserved
CompanyName : Nokia Corporation
FileDescription : Mobile Phone API
InternalName : MPAPI
OriginalFilename : MPAPI.EXE
ProductName : Nokia Connectivity Library
Created on : 22.09.2004 12:40:58
Last accessed : 10.01.2005 15:13:58
Last modified : 22.09.2004 12:40:58

#:43 [x10nets.exe]
FilePath : C:\PROGRA~1\COMMON~1\X10\Common\
ThreadCreationTime : 10.01.2005 14:57:37
BasePriority : Normal
FileSize : 20 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 1999 X10
CompanyName : X10
FileDescription : X10 Module
InternalName : x10
OriginalFilename : x10.exe
ProductName : x10 Module
Created on : 17.11.2004 15:59:41
Last accessed : 10.01.2005 14:56:52
Last modified : 12.11.2001 12:31:48

#:44 [webproxy.exe]
FilePath : C:\Programme\Panda Software\Panda Titanium Antivirus 2004\
ThreadCreationTime : 10.01.2005 14:57:42
BasePriority : Normal
FileSize : 72 KB
FileVersion : 4, 6, 9, 6
ProductVersion : 2, 1, 0, 0
Copyright : Panda Software 2004
CompanyName : Panda Software
FileDescription : WebProxy
InternalName : WebProxy
OriginalFilename : WebProxy.exe
ProductName : Internet Resident
Created on : 17.11.2004 18:22:24
Last accessed : 10.01.2005 15:13:58
Last modified : 17.06.2004 16:26:16

#:45 [wcesmgr.exe]
FilePath : C:\Programme\Microsoft ActiveSync\
ThreadCreationTime : 10.01.2005 14:57:46
BasePriority : Normal
FileSize : 936 KB
FileVersion : 3.7.0.3083
ProductVersion : 3.7.3083
Copyright : Copyright 1995-2003 Microsoft Corp. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : ActiveSync Application
InternalName : wcesmgr
OriginalFilename : WCESMGR.EXE
ProductName : Microsoft ActiveSync
Created on : 17.11.2004 23:04:02
Last accessed : 10.01.2005 14:56:52
Last modified : 22.04.2003 17:06:56

#:46 [outlook.exe]
FilePath : C:\Programme\Microsoft Office\Office\
ThreadCreationTime : 10.01.2005 14:58:02
BasePriority : Normal
FileSize : 56 KB
FileVersion : 9.0.2416
ProductVersion : 9.0.2416
Copyright : Copyright Microsoft Corporation 1983-1999. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft Outlook
InternalName : Outlook
OriginalFilename : Outlook.exe
ProductName : Microsoft Outlook
Created on : 16.12.1998 19:09:20
Last accessed : 10.01.2005 15:13:58
Last modified : 16.12.1998 19:09:20

#:47 [iexplore.exe]
FilePath : C:\Programme\Internet Explorer\
ThreadCreationTime : 10.01.2005 15:05:30
BasePriority : Normal
FileSize : 91 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
Copyright : Microsoft Corporation. Alle Rechte vorbehalten.
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Betriebssystem Microsoft Windows
Created on : 17.11.2004 14:07:31
Last accessed : 10.01.2005 15:05:31
Last modified : 03.08.2004 23:57:58

#:48 [hh.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 10.01.2005 15:12:28
BasePriority : Normal
FileSize : 10 KB
FileVersion : 5.2.3790.1159 (dnsrv.040209-1620)
ProductVersion : 5.2.3790.1159
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft HTML Help Executable
InternalName : HH 1.41
OriginalFilename : HH.exe
ProductName : HTML Help
Created on : 29.08.2002 12:00:00
Last accessed : 10.01.2005 15:12:28
Last modified : 03.08.2004 23:57:58

#:49 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-aware 6\
ThreadCreationTime : 10.01.2005 15:13:11
BasePriority : Normal
FileSize : 645 KB
FileVersion : 6.0.1.165
ProductVersion : 6.0.0.0
Copyright : Copyright Lavasoft Sweden
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 18.11.2004 13:43:12
Last accessed : 10.01.2005 15:03:50
Last modified : 08.02.2003 20:50:52

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\IST


istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 2


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 2

16:24:48 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:10:51:109
Objects scanned :88287
Objects identified :2
Objects ignored :0
New objects :2



* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dn0001~1.dll Sun 2 Jan 2005 12:09:54 ..S.R 223.233 218,00 K
C:\WINDOWS\SYSTEM32\dn6q01~1.dll Mon 10 Jan 2005 11:45:00 ..S.R 223.643 218,40 K
C:\WINDOWS\SYSTEM32\e0jm0a~1.dll Wed 5 Jan 2005 8:39:56 ..S.R 225.126 219,85 K
C:\WINDOWS\SYSTEM32\en2ul1~1.dll Mon 10 Jan 2005 15:57:08 ..S.R 223.168 217,94 K
C:\WINDOWS\SYSTEM32\en68l1~1.dll Wed 5 Jan 2005 8:36:36 ..S.R 224.672 219,41 K
C:\WINDOWS\SYSTEM32\enn2l1~1.dll Sun 9 Jan 2005 13:48:40 ..S.R 222.833 217,61 K
C:\WINDOWS\SYSTEM32\i2240c~1.dll Fri 7 Jan 2005 10:59:38 ..S.R 225.173 219,89 K
C:\WINDOWS\SYSTEM32\l06o0a~1.dll Thu 6 Jan 2005 12:17:10 ..S.R 225.111 219,83 K
C:\WINDOWS\SYSTEM32\l4n4le~1.dll Sun 9 Jan 2005 13:28:44 ..S.R 222.935 217,71 K
C:\WINDOWS\SYSTEM32\lvj209~1.dll Tue 4 Jan 2005 22:44:54 ..S.R 224.672 219,41 K
C:\WINDOWS\SYSTEM32\mvn6l9~1.dll Mon 10 Jan 2005 14:25:06 ..S.R 225.099 219,82 K
C:\WINDOWS\SYSTEM32\s0pula~1.dll Tue 4 Jan 2005 13:48:12 ..S.R 225.126 219,85 K
C:\WINDOWS\SYSTEM32\wacsapi.dll Mon 10 Jan 2005 15:57:08 ..S.R 225.099 219,82 K
________________________________________________

1.427 items found: 1.427 files (13 H/S), 0 directories.
Total of file sizes: 288.816.901 bytes 275,43 M

Administrator Account = True

--------------------End log---------------------


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number: 689A-3A80

Directory of C:\WINDOWS\System32

10.01.2005 15:57 225.099 wacsapi.dll
10.01.2005 15:57 223.168 en2ul1f91.dll
10.01.2005 14:25 225.099 mvn6l95s1.dll
10.01.2005 11:44 223.643 dn6q01j5e.dll
09.01.2005 13:59 <DIR> dllcache
09.01.2005 13:48 222.833 enn2l15o1.dll
09.01.2005 13:28 222.935 l4n4le5q1h.dll
07.01.2005 10:59 225.173 i2240cfqef2e0.dll
06.01.2005 12:17 225.111 l06o0aj3edo.dll
05.01.2005 08:39 225.126 e0jm0a11ed.dll
05.01.2005 08:36 224.672 en68l1ju1.dll
04.01.2005 22:44 224.672 lvj2091oe.dll
04.01.2005 13:48 225.126 s0pula791d.dll
02.01.2005 12:09 223.233 dn0001dme.dll
17.11.2004 17:57 <DIR> Microsoft
13 File(s) 2.915.890 bytes
2 Dir(s) 48.312.565.760 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number: 689A-3A80

Directory of C:\WINDOWS\System32

09.01.2005 13:59 <DIR> dllcache
17.11.2004 15:09 488 logonui.exe.manifest
17.11.2004 15:09 488 WindowsLogon.manifest
17.11.2004 15:09 749 nwc.cpl.manifest
17.11.2004 15:09 749 sapi.cpl.manifest
17.11.2004 15:09 749 ncpa.cpl.manifest
17.11.2004 15:09 749 wuaucpl.cpl.manifest
17.11.2004 15:09 749 cdplayer.exe.manifest
7 File(s) 4.721 bytes
1 Dir(s) 48.312.561.664 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is Local Disk
Volume Serial Number: 689A-3A80

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is Local Disk
Volume Serial Number: 689A-3A80

Directory of C:\WINDOWS\System32

29.08.2002 13:00 2.951 CONFIG.TMP
1 File(s) 2.951 bytes
0 Dir(s) 48.312.557.568 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D601381E-110C-4E12-8C1D-69FD199735BA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvn6l95s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

Das angegebene Programm kann nicht ausgef
flatjamboo
 
Posts: 28
Registered: 08.01.2005, 17:48
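Winlogon loads every DLL registered under the Winlogon\Notify key into winlogon.exe at boot, before anyone logs on, which is why the ShellCompatibility entry above, pointing at a randomly named DLL in system32, matters more than the rest of that listing. The following Python is an added example, not part of this thread and not code from FindIt or HijackThis: it parses a REGEDIT4 export of the Notify key the way FindIt prints it, decodes the hex(2) DllName values Windows uses for several of its own packages, and flags packages that are not stock Windows XP entries. BASELINE_DLLS, the function names and the condensed sample export (built from the listing above) are my assumptions.

```python
"""Audit Winlogon\\Notify packages in a REGEDIT4 export (added example).

Not code from the thread or its tools.  BASELINE_DLLS is an assumed,
deliberately short list; SAMPLE_EXPORT is condensed from the FindIt output
in this thread.
"""
import re
from typing import Dict, List

# Assumed baseline: notification DLLs that Windows XP installs itself.
BASELINE_DLLS = {"wlnotify.dll", "cscdll.dll", "crypt32.dll",
                 "cryptnet.dll", "sclgntfy.dll"}
NOTIFY_PATH = "\\windows nt\\currentversion\\winlogon\\notify\\"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def decode_reg_data(data: str):
    """Decode REGEDIT4 value syntax: "string", dword:, or hex(2): bytes.

    hex(2) is a REG_EXPAND_SZ written out byte by byte; Windows stores
    several of its own DllName values that way, so skipping it hides
    half the packages from the audit.
    """
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):
        raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
        return raw.decode("latin-1").rstrip("\x00")
    return data


def parse_regedit4(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (m := _KEY_RE.match(line)):
            current = m.group("key")
            keys.setdefault(current, {})
        elif (m := _VALUE_RE.match(line)) and current is not None:
            keys[current][m.group("name")] = decode_reg_data(m.group("data"))
    return keys


def audit_notify(export_text: str) -> List[dict]:
    """One finding per Notify package that is not a stock Windows XP entry."""
    findings = []
    for key, values in parse_regedit4(export_text).items():
        if NOTIFY_PATH not in key.lower():
            continue  # the Notify key itself, or an unrelated key
        package = key.rsplit("\\", 1)[1]
        # Windows writes both "DLLName" and "DllName"; value names are case-insensitive.
        dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), "")
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if not dll:
            reasons.append("package has no DllName")
        if "\\" in dll:
            reasons.append("absolute path instead of a bare system32 name")
        if base and base not in BASELINE_DLLS:
            reasons.append("not a Windows XP notification DLL")
        if sum(c.isdigit() for c in base) >= 3:
            reasons.append("file name looks machine-generated")
        if reasons:
            high = any(r.startswith(("absolute path", "file name")) for r in reasons)
            findings.append({"package": package, "dll": dll,
                             "severity": "high" if high else "review",
                             "reasons": reasons})
    return findings


# Constructed sample, condensed from the thread's "Keys Under Notify" listing.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"DllName"="C:\\WINDOWS\\system32\\mvn6l95s1.dll"
"Logon"="WinLogon"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"""

if __name__ == "__main__":
    for f in audit_notify(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['package']}: {f['dll']} ({'; '.join(f['reasons'])})")
```

Run against the sample, only ShellCompatibility comes back as high (absolute path, not a Windows DLL, machine-generated name) and the ATI package as review; the two hex(2) entries decode to wlnotify.dll and cryptnet.dll and are not reported. On a live XP machine the export to feed in is produced with `regedit /e notify.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"`.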

Hello Nikita...

Post by flatjamboo on 11.01.2005, 10:11

.....unfortunately all the effort and all the attempts have not led to success.
Right after opening IE, one or two more IE windows push themselves in front of it; they can be closed, but they open again after an indeterminate time.
What else can I do now??? I am moderately desperate!

Kind regards
flatjamboo
flatjamboo
 
Posts: 28
Registered: 08.01.2005, 17:48

Post by Nikita on 11.01.2005, 14:12

Hello @flatjamboo

With an infection this severe you need patience during the cleanup (all the tools I posted for you --> do not delete anything, they only detect the malware)

you should look for the mwav.txt (or mwav.log) and click on it; Notepad should then open and you can copy out everything that is infected)

-----------------------------------------------------------------------------------------------

open Notepad:

copy the following into it and save it as: fixme.reg (save it on the Desktop)


REGEDIT4

; remove the rogue User-Agent token: "name"=- deletes just this value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D601381E-110C-4E12-8C1D-69FD199735BA}"=-

; remove the whole Notify package: the leading "-" is what makes regedit delete a key
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]


then double-click fixme.reg and when asked whether to add it to the registry, answer "yes" (or "ja")
--------------------------------------------------------------------------------------------------------------------


paste into the Killbox:


and click the red cross;
when asked "Do you want to reboot?" ----> click "no", and paste in the next one; only on the last one click "yes"

c:\windows\system32\Guard.tmp
C:\WINDOWS\system32\mvn6l95s1.dll
C:\WINDOWS\System32\wacsapi.dll
C:\WINDOWS\System32\en2ul1f91.dll
C:\WINDOWS\System32\dn6q01j5e.dll
C:\WINDOWS\System32\enn2l15o1.dll
C:\WINDOWS\System32\l4n4le5q1h.dll
C:\WINDOWS\System32\i2240cfqef2e0.dll
C:\WINDOWS\System32\l06o0aj3edo.dll
C:\WINDOWS\System32\e0jm0a11ed.dll
C:\WINDOWS\System32\en68l1ju1.dll
C:\WINDOWS\System32\lvj2091oe.dll
C:\WINDOWS\System32\s0pula791d.dll
C:\WINDOWS\System32\dn0001dme.dll

Restart the PC

HOSTS FILE:
#open HijackThis
http://www.downloads.subratam.org/hijackthis.zip
"Do a system scan only"-->Config--> Misc Tools-->Open Hosts file Manager--> delete line(s) -->save Log
delete everything, leave only:
127.0.0.1 localhost
#original hosts file

then please scan again with
DllCompare + FindIt.zip


and post the new HijackThis log
Last edited by Nikita on 13.01.2005, 18:14, edited 1 time in total.
Nikita
Moderator
 
Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lisbon
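One way to produce the two artifacts this procedure needs, as an added example that is not part of the moderator's post: a REGEDIT4 file that actually deletes (a bracketed key path with a leading minus removes the key and its subkeys; "name"=- removes one value; a bracketed key without the minus only creates or keeps it), and a hosts-file cleaner that keeps nothing but comments and loopback lines, which is what the HijackThis hosts manager step boils down to. The key, value and hosts entries come from the logs in this thread; the hosts text is a constructed sample, not the poster's actual file, and the function names are mine.

```python
"""Generate fixme.reg and a cleaned hosts file (added example).

Not code from the thread or any tool it mentions.  The registry key, value
and hosts entries are taken from the thread's FindIt and HijackThis logs;
SAMPLE_HOSTS is a constructed sample.
"""
from typing import Iterable, List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}


def build_delete_reg(keys: Iterable[str], values: Iterable[Tuple[str, str]]) -> str:
    """Return REGEDIT4 text that deletes whole keys and single values.

    A bracketed key without the leading '-' is created (or left as is),
    never removed, so the sign is the whole point.  regedit wants CRLF
    line ends and a blank line after the last entry.
    """
    lines = ["REGEDIT4", ""]
    for key, name in values:          # delete one value, keep the key
        lines += [f"[{key}]", f'"{name}"=-', ""]
    for key in keys:                  # delete the key and everything below it
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines) + "\r\n"


def clean_hosts(text: str) -> Tuple[str, List[str]]:
    """Drop every hosts mapping that does not point at loopback.

    Returns (cleaned text, dropped entries).  Entries that send search
    or update hosts to a remote address are what HijackThis lists as O1.
    """
    kept: List[str] = []
    dropped: List[str] = []
    has_localhost = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            kept.append(raw)
            continue
        fields = line.split("#", 1)[0].split()   # strip a trailing comment
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            kept.append(raw)
            has_localhost |= "localhost" in fields[1:]
        else:
            dropped.append(line)
    if not has_localhost:   # never leave the machine without this line
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n", dropped


# Entries from this thread's FindIt and HijackThis output.
ROGUE_NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
                    r"\Winlogon\Notify\ShellCompatibility")
POST_PLATFORM_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\User Agent\Post Platform")
ROGUE_UA_VALUE = "{D601381E-110C-4E12-8C1D-69FD199735BA}"

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""


def fixme_reg() -> str:
    """The fixme.reg for this thread: drop the UA value, remove the Notify key."""
    return build_delete_reg([ROGUE_NOTIFY_KEY], [(POST_PLATFORM_KEY, ROGUE_UA_VALUE)])


if __name__ == "__main__":
    print(fixme_reg())
    cleaned, dropped = clean_hosts(SAMPLE_HOSTS)
    print(cleaned)
    print("dropped:", dropped)
```

Write the .reg as ANSI text with CRLF line ends and a real .reg extension: regedit refuses a file whose first line is not the REGEDIT4 header, so a copy saved as Unicode or with a hidden .txt extension produces the "not a registry file" error. Import the .reg before the reboot that deletes the files: the Notify DLL is mapped into winlogon.exe, so it cannot be removed while Windows is running, which is what Killbox's delete-on-reboot is for.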

Post by flatjamboo on 11.01.2005, 17:32

Hello Nikita,

thanks for the next attempt - I carried out everything, but what does not work is:

.......then double-click fixme.reg and when asked whether to add it to the registry, answer "yes" (or "ja") .........

a window appears that says: 'cannot be imported.
The specified file is not a registry file.'


The file is now sitting on my desktop....


but here are the logs now:


infected entries from mwav.txt.doc

Mon Jan 10 14:50:37 2005 => File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.

Mon Jan 10 14:50:38 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Mon Jan 10 14:50:39 2005 => File C:\WINDOWS\VT00.exe infected by "Trojan-Downloader.Win32.Lookme.g" Virus. Action Taken: No Action Taken.


Mon Jan 10 14:53:44 2005 => File C:\Dokumente und Einstellungen\STANDARD\Eigene Dateien\Rainer\Downl.Rainer\tools von Asss\backups\backup-20050109-135911-586.dll infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.


Mon Jan 10 15:02:02 2005 => File C:\Programme\SurfSideKick 2\Ssk.exe infected by "Trojan.Win32.Agent.aj" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:05:45 2005 => File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:07:46 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No

Mon Jan 10 15:10:03 2005 => File C:\WINDOWS\VT00.exe infected by "Trojan-Downloader.Win32.Lookme.g" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:11:13 2005 => File D:\System Volume Information\_restore{0102DAF3-3A7E-4AF1-BB7A-88B04D45A817}\RP103\A0030876.exe infected by "not-virus:Joke.Win32.FakeFormat.105" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:14:26 2005 => File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:16:12 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:18:22 2005 => File C:\WINDOWS\VT00.exe infected by "Trojan-Downloader.Win32.Lookme.g" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:18:26 2005 => Total Disinfected Files: 0

Mon Jan 10 15:26:39 2005 => File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:26:39 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:26:40 2005 => File C:\WINDOWS\VT00.exe infected by "Trojan-Downloader.Win32.Lookme.g" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:29:21 2005 => File C:\Dokumente und Einstellungen\STANDARD\Eigene Dateien\Rainer\Downl.Rainer\tools von Asss\backups\backup-20050109-135911-586.dll infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:37:31 2005 => File C:\Programme\SurfSideKick 2\Ssk.exe infected by "Trojan.Win32.Agent.aj" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:40:55 2005 => File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:42:46 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:44:54 2005 => File C:\WINDOWS\VT00.exe infected by "Trojan-Downloader.Win32.Lookme.g" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:46:03 2005 => File D:\System Volume Information\_restore{0102DAF3-3A7E-4AF1-BB7A-88B04D45A817}\RP103\A0030876.exe infected by "not-virus:Joke.Win32.FakeFormat.105" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:49:05 2005 => File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:50:56 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:53:03 2005 => File C:\WINDOWS\VT00.exe infected by "Trojan-Downloader.Win32.Lookme.g" Virus. Action Taken: No Action Taken.

Mon Jan 10 15:53:05 2005 => Total Disinfected Files: 0




Tue Jan 11 13:36:26 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Tue Jan 11 13:38:02 2005 => File C:\DOKUME~1\STANDARD\LOKALE~1\TEMPOR~1\Content.IE5\4ZVZM45D\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.of" Virus. Action Taken: No Action Taken.

Tue Jan 11 13:38:02 2005 => File C:\DOKUME~1\STANDARD\LOKALE~1\TEMPOR~1\Content.IE5\QDBGTCZE\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.of" Virus. Action Taken: No Action Taken.


Tue Jan 11 13:41:40 2005 => File C:\Dokumente und Einstellungen\STANDARD\Eigene Dateien\Rainer\Downl.Rainer\tools von Asss\backups\backup-20050109-135911-586.dll infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.

Tue Jan 11 13:43:34 2005 => File C:\Dokumente und Einstellungen\STANDARD\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4ZVZM45D\AppWrap[1].exe infected by "Trojan-Dropper.Win32.Small.of" Virus. Action Taken: No Action Taken.

Tue Jan 11 14:15:06 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Tue Jan 11 14:17:27 2005 => File C:\WINDOWS\Temp\bw2.exe infected by "Trojan-Dropper.Win32.Small.of" Virus. Action Taken: No Action Taken.

Tue Jan 11 14:21:44 2005 => File D:\System Volume Information\_restore{0102DAF3-3A7E-4AF1-BB7A-88B04D45A817}\RP103\A0030876.exe infected by "not-virus:Joke.Win32.FakeFormat.105" Virus. Action Taken: No Action Taken.


Tue Jan 11 14:31:16 2005 => File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.

Tue Jan 11 14:33:31 2005 => File C:\WINDOWS\Temp\bw2.exe infected by "Trojan-Dropper.Win32.Small.of" Virus. Action Taken: No Action Taken.

Tue Jan 11 14:33:38 2005 => ***** Scanning complete. *****

Tue Jan 11 14:33:38 2005 => Total Files Scanned: 70804
Tue Jan 11 14:33:38 2005 => Total Virus(es) Found: 68
Tue Jan 11 14:33:38 2005 => Total Disinfected Files: 0
Tue Jan 11 14:33:38 2005 => Total Files Renamed: 0
Tue Jan 11 14:33:38 2005 => Total Deleted Files: 0
Tue Jan 11 14:33:38 2005 => Total Errors: 100
Tue Jan 11 14:33:38 2005 => Time Elapsed: 00:57:59
Tue Jan 11 14:33:38 2005 => Virus Database Date: 2005/01/10
Tue Jan 11 14:33:38 2005 => Virus Database Count: 115106

Tue Jan 11 14:33:38 2005 => Scan Completed.

Tue Jan 11 14:38:16 2005 => Virus Database Date: 2005/01/10
Tue Jan 11 14:38:16 2005 => Virus Database Count: 115106




hijackthis.log

Logfile of HijackThis v1.99.0
Scan saved at 16:16:05, on 11.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\Dit.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\ISDN_UTL\isdnsta.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Nokia\Nokia PC Suite 6\pcsync2.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\DitExp.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programme\Microsoft ActiveSync\WCESMgr.exe
C:\Programme\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
C:\PROGRA~1\ADDEST~1\ADDEST~1.EXE
C:\Dokumente und Einstellungen\STANDARD\Eigene Dateien\Rainer\Downl.Rainer\tools von Asss\HijackThis.exe
C:\Programme\AOL 9.0\waol.exe
C:\Programme\AOL 9.0\shellmon.exe
C:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://signin.ebay.de/ws/eBayISAPI.dll ... &siteid=77
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Programme\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [ISDNStatus] C:\Programme\ISDN_UTL\isdnsta.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\pcsync2.exe /NoDialog
O4 - Startup: AdDestroyer.lnk = C:\Programme\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A064BC44-29C1-4F08-8224-85FAB2DE8343}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programme\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: CHIPDRIVE SCARD Service - Towitoko AG - C:\WINDOWS\SCARDS32.EXE
O23 - Service: X10 Device Network Service - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe



DLLcompareloglog.txt

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\hrls05~1.dll Tue 11 Jan 2005 15:26:00 ..S.R 225.192 219,91 K
C:\WINDOWS\SYSTEM32\j44ole~1.dll Tue 11 Jan 2005 15:23:00 ..S.R 222.880 217,66 K
C:\WINDOWS\SYSTEM32\kt04l7~1.dll Tue 11 Jan 2005 15:30:08 ..S.R 222.880 217,66 K
________________________________________________

1.422 items found: 1.422 files (3 H/S), 0 directories.
Total of file sizes: 286.926.939 bytes 273,63 M

Administrator Account = True

--------------------End log---------------------


Finditoutput.txt

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number: 689A-3A80

Directory of C:\WINDOWS\System32

11.01.2005 15:30 222.880 kt04l7dq1.dll
11.01.2005 15:25 225.192 hrls0537e.dll
11.01.2005 15:22 222.880 j44oleh31h4.dll
09.01.2005 13:59 <DIR> dllcache
17.11.2004 17:57 <DIR> Microsoft
3 File(s) 670.952 bytes
2 Dir(s) 48.202.256.384 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number: 689A-3A80

Directory of C:\WINDOWS\System32

09.01.2005 13:59 <DIR> dllcache
17.11.2004 15:09 488 logonui.exe.manifest
17.11.2004 15:09 488 WindowsLogon.manifest
17.11.2004 15:09 749 nwc.cpl.manifest
17.11.2004 15:09 749 sapi.cpl.manifest
17.11.2004 15:09 749 ncpa.cpl.manifest
17.11.2004 15:09 749 wuaucpl.cpl.manifest
17.11.2004 15:09 749 cdplayer.exe.manifest
7 Datei(en) 4.721 Bytes
1 Verzeichnis(se), 48.202.256.384 Bytes frei

---------- Files Named "Guard" -------------

Datenträger in Laufwerk C: ist Lokaler Datenträger
Volumeseriennummer: 689A-3A80

Verzeichnis von C:\WINDOWS\System32

11.01.2005 15:58 222.880 guard.tmp
1 Datei(en) 222.880 Bytes
0 Verzeichnis(se), 48.202.252.288 Bytes frei

--------- Temp Files in System32 Directory --------

Datenträger in Laufwerk C: ist Lokaler Datenträger
Volumeseriennummer: 689A-3A80

Verzeichnis von C:\WINDOWS\System32

11.01.2005 15:58 222.880 guard.tmp
03.08.2004 23:56 1.236.480 ~GLH0015.TMP
03.08.2004 23:56 1.236.480 ~GLH001b.TMP
31.03.2003 06:00 44.032 ~GLH001a.TMP
31.03.2003 06:00 44.032 ~GLH0014.TMP
29.08.2002 13:00 2.951 CONFIG.TMP
6 Datei(en) 2.786.855 Bytes
0 Verzeichnis(se), 48.202.252.288 Bytes frei

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D601381E-110C-4E12-8C1D-69FD199735BA}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j44oleh31h4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

Das angegebene Programm kann nicht ausgef
flatjamboo

Posts: 28
Registered: 08.01.2005, 17:48

Post by Nikita on 11.01.2005, 20:28

go into the registry
Start > Run -- type in: regedit

the registry opens

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

delete:
"{D601381E-110C-4E12-8C1D-69FD199735BA}"=""


#C:\Dokumente und Einstellungen\STANDARD\Lokale Einstellungen\Temporary Internet Files\Content.IE5\
empty the folder (leave only the index.dat)
-------------------------------------------------------------------------------------

copy everything that eScan shows into the Killbox:

C:\WINDOWS\optimize.exe
C:\WINDOWS\SSK_B5.EXE
C:\Dokumente und Einstellungen\STANDARD\Eigene Dateien\Rainer\Downl.Rainer\tools von Asss\backups\backup-20050109-135911-586.dll
C:\WINDOWS\VT00.exe
C:\WINDOWS\Temp\bw2.exe

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\GLH0014.TMP
C:\WINDOWS\System32\GLH0015.TMP
C:\WINDOWS\System32\GLH001b.TMP
C:\WINDOWS\System32\GLH001a.TMP
C:\WINDOWS\System32\GLH0014.TMP

C:\WINDOWS\System32\kt04l7dq1.dll
C:\WINDOWS\System32\hrls0537e.dll
C:\WINDOWS\System32\j44oleh31h4.dll

RESTART THE PC

#then disable System Restore.

scan again with all the tools, post all the logs again (including what eScan still shows)

then everything should be clean
then click the Host tool again and post the new HijackThis log
Nikita
Moderator

Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lissabon

Post by flatjamboo on 12.01.2005, 17:12

Hello Nikita,

I followed your instructions and worked through everything.
Unfortunately without success. It's bewitched.
After the first restart, immediately the same picture - a second IE pushes itself over the first one, this time:

http://www.funbuddyicons.com/?partner=ZBxdm046

In the middle of eScan (it now needs three quarters of an hour for its work), black screen - restart!!
I'm going crazy!!
I copied over 60(!!) entries into the Killbox, and on the next scan with eScan still about half of them are there....how come??

What else can I do now? Best regards

flatjamboo

Here are the logs:

AB logfile:

Scanned at: 14:05:17 on: 12.01.2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 22

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 22

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!



AdAware:

Ad-Aware SE Build 1.05
Logfile Created on:Mittwoch, 12. Januar 2005 14:21:57
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R25 11.01.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdDestroyer(TAC index:5):7 total references
IBIS Toolbar(TAC index:5):111 total references
MRU List(TAC index:0):29 total references
NetworkEssentials(TAC index:7):3 total references
Other(TAC index:5):2 total references
Redirected hostfile entry(TAC index:4):3 total references
VirtualBouncer(TAC index:5):19 total references
VX2(TAC index:10):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12.01.2005 14:21:57 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 440
ThreadCreationTime : 12.01.2005 13:15:38
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 12.01.2005 13:15:44
BasePriority : High


VX2 Object Recognized!
Type : Process
Data : k2pmlc711f.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\k2pmlc711f.dll)


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 568
ThreadCreationTime : 12.01.2005 13:15:44
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 12.01.2005 13:15:44
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 740
ThreadCreationTime : 12.01.2005 13:15:44
BasePriority : Normal
FileVersion : 6.14.10.4109
ProductVersion : 6.14.10.4109.04
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 752
ThreadCreationTime : 12.01.2005 13:15:44
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 892
ThreadCreationTime : 12.01.2005 13:15:45
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1348
ThreadCreationTime : 12.01.2005 13:15:47
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:9 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1636
ThreadCreationTime : 12.01.2005 13:15:49
BasePriority : Normal
FileVersion : 6.14.10.4109
ProductVersion : 6.14.10.4109.04
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1692
ThreadCreationTime : 12.01.2005 13:15:50
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

VX2 Object Recognized!
Type : Process
Data : dccpmon.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\dccpmon.dll)


#:11 [atiptaxx.exe]
FilePath : C:\Programme\ATI Technologies\ATI Control Panel\
ProcessID : 1772
ThreadCreationTime : 12.01.2005 13:15:50
BasePriority : Normal
FileVersion : 6.14.10.5131
ProductVersion : 6.14.10.5131
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2004 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:12 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 1784
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal
FileVersion : 5.0.17
ProductVersion : 5.0.17
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:13 [apvxdwin.exe]
FilePath : C:\Programme\Panda Software\Panda Titanium Antivirus 2004\
ProcessID : 1792
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal
FileVersion : 4.07.09
ProductVersion : 4.07.09
ProductName : Panda Antivirus Aplication
CompanyName : Panda Software International
FileDescription : ApVxdWin
InternalName : ApVxdWin.exe
LegalCopyright : © Panda Software 2004
OriginalFilename : ApVxdWin.exe

#:14 [hotkey.exe]
FilePath : C:\WINDOWS\Twain_32\FlatBed\
ProcessID : 1800
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal


#:15 [aoldial.exe]
FilePath : C:\Programme\Gemeinsame Dateien\AOL\ACS\
ProcessID : 1816
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal
FileVersion : 2.6.6.3.DE.55
ProductVersion : 2.6.6.3.DE.55
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:16 [type32.exe]
FilePath : C:\Programme\Microsoft Hardware\Keyboard\
ProcessID : 1840
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal


#:17 [dit.exe]
FilePath : C:\WINDOWS\
ProcessID : 1856
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal


#:18 [pcmservice.exe]
FilePath : C:\Programme\Home Cinema\PowerCinema\
ProcessID : 1880
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal
FileVersion : 3.0.2108
ProductVersion : 3.0.2108
ProductName : Cyberlink PowerCinema 3.0
CompanyName : CyberLink Corp.
FileDescription : CyberLink PowerCinema Resident Program
InternalName : CyberLink PowerCinema Resident Program
LegalCopyright : Copyright (c) 2003 CyberLink Corp.
OriginalFilename : PCMService.EXE

#:19 [isdnsta.exe]
FilePath : C:\Programme\ISDN_UTL\
ProcessID : 1896
ThreadCreationTime : 12.01.2005 13:15:51
BasePriority : Normal
FileVersion : 3.30
ProductVersion : 3.30
ProductName : ISDN Status Monitor
CompanyName : ISDN Company
FileDescription : ISDN Status Monitor
InternalName : ISDNSTA
LegalCopyright : Copyright © 2000-2002
OriginalFilename : ISDNSTA.exe

#:20 [hpwuschd.exe]
FilePath : C:\Programme\Hewlett-Packard\HP