UnSpyPc.exe und weitere Viecher
18 Beiträge • Seite 1 von 2 • 1, 2
UnSpyPc.exe und weitere Viecher
von N_Man am 25.12.2005, 00:13
Hallo!
Bei mir hat sich nach längerer Zeit mal wieder was eingenistet.
Bin dummerweise einem nicht vertrauensvollen Link gefolgt (eigentlich totaler Anfängerfehler, aber ich war einfach nicht ganz achtsam in dem Moment und schon war's zu spät) und hab mir den UnSpyPc Virus (der diesen gefakten Spyware-Scanner + ein seltsames Popupmenü kurz nach dem Neustart aufruft) eingefangen.
Hijackthis hat ihn in C:\Programme\UnSpyPc\UnSpyPc.exe lokalisiert, diesen Ordner hab ich mit der Killbox gelöscht.
Nun findet Hijackthis den Ordner auch nicht mehr, aber dieses Popup Menü an der rechten Seite des Desktops ist weiterhin nach dem Neustart da, das Ding ist also nicht verschwunden.
Hier mein log file:
Logfile of HijackThis v1.99.1
Scan saved at 22:54:29, on 24.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Antivir\AVWUPSRV.EXE
C:\Programme\Antivir\AVGNT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Antivir\AVGUARD.EXE
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.internetcologne.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.internetcologne.de/
R3 - URLSearchHook: (no name) - {2FDB21EE-AE4F-D8B4-B896-B87B675B623B} - pizda.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [driver32] StatusCheck.exe
O4 - HKLM\..\Run: [backd] abrek.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\Antivir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Acrobat Reader\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6435649072
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BA9C97C-D737-4898-BB15-037A4FF4FE65}: NameServer = 85.255.115.21,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC0D2DC6-BA0A-4D8C-BCFF-EF2EC10DAFDE}: NameServer = 85.255.115.21 85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE504082-9FBA-4FD8-B3AF-FB5D335AA515}: NameServer = 85.255.115.21,85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\..\{4BA9C97C-D737-4898-BB15-037A4FF4FE65}: NameServer = 85.255.115.21,85.255.112.143
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\Antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\Antivir\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Diese abrek.exe und StatusCheck.exe sind auch nicht ganz koscher, hat jemand Tips wie ich nun vorgehen soll?
Bei mir hat sich nach längerer Zeit mal wieder was eingenistet.
Bin dummerweise einem nicht vertrauensvollen Link gefolgt (eigentlich totaler Anfängerfehler, aber ich war einfach nicht ganz achtsam in dem Moment und schon war's zu spät) und hab mir den UnSpyPc Virus (der diesen gefakten Spyware-Scanner + ein seltsames Popupmenü kurz nach dem Neustart aufruft) eingefangen.
Hijackthis hat ihn in C:\Programme\UnSpyPc\UnSpyPc.exe lokalisiert, diesen Ordner hab ich mit der Killbox gelöscht.
Nun findet Hijackthis den Ordner auch nicht mehr, aber dieses Popup Menü an der rechten Seite des Desktops ist weiterhin nach dem Neustart da, das Ding ist also nicht verschwunden.
Hier mein log file:
Logfile of HijackThis v1.99.1
Scan saved at 22:54:29, on 24.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Antivir\AVWUPSRV.EXE
C:\Programme\Antivir\AVGNT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Antivir\AVGUARD.EXE
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internetcologne.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.internetcologne.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.internetcologne.de/
R3 - URLSearchHook: (no name) - {2FDB21EE-AE4F-D8B4-B896-B87B675B623B} - pizda.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [driver32] StatusCheck.exe
O4 - HKLM\..\Run: [backd] abrek.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\Antivir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Acrobat Reader\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 6435649072
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BA9C97C-D737-4898-BB15-037A4FF4FE65}: NameServer = 85.255.115.21,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC0D2DC6-BA0A-4D8C-BCFF-EF2EC10DAFDE}: NameServer = 85.255.115.21 85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE504082-9FBA-4FD8-B3AF-FB5D335AA515}: NameServer = 85.255.115.21,85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\..\{4BA9C97C-D737-4898-BB15-037A4FF4FE65}: NameServer = 85.255.115.21,85.255.112.143
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\Antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\Antivir\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Diese abrek.exe und StatusCheck.exe sind auch nicht ganz koscher, hat jemand Tips wie ich nun vorgehen soll?
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von Nikita am 25.12.2005, 01:16
Info: Wareout
http://virus-protect.org/artikel/spyware/idemlog.html
----------------------------------------------------------------------------
Download f-secure-Beta Trial
http://www.f-secure.com/blacklight/
doppelklick: blbeta.exe --> kopiere den s
canreport ab
wende den cleanUp genau nach Anweisung auf der Seite ab
http://virus-protect.net/cleanup.html
datfindbat--> kopiere hier die 4 Textdateien (2 Monate vom Datum reichen)
http://virus-protect.org/datfindbat.html
winpfind (kopiere hier das log)
http://virus-protect.org/winpfind.html
http://virus-protect.org/artikel/spyware/idemlog.html
----------------------------------------------------------------------------
Download f-secure-Beta Trial
http://www.f-secure.com/blacklight/
doppelklick: blbeta.exe --> kopiere den s
canreport ab
wende den cleanUp genau nach Anweisung auf der Seite ab
http://virus-protect.net/cleanup.html
datfindbat--> kopiere hier die 4 Textdateien (2 Monate vom Datum reichen)
http://virus-protect.org/datfindbat.html
winpfind (kopiere hier das log)
http://virus-protect.org/winpfind.html
Zuletzt geändert von Nikita am 19.03.2006, 01:18, insgesamt 1-mal geändert.
- Nikita
- Moderator
- Beiträge: 11478
- Registriert: 07.12.2003, 16:53
- Wohnort: Lissabon
von N_Man am 25.12.2005, 02:04
Hi Nikita, vielen Dank für Deine Mühe. 
-------------------------------------------------------------------------------------
Blacklight Scranreport:
12/25/05 00:30:40 [Info]: BlackLight Engine 1.0.30 initialized
12/25/05 00:30:40 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/25/05 00:30:41 [Note]: 7019 4
12/25/05 00:30:41 [Note]: 7005 0
12/25/05 00:30:54 [Note]: 7006 0
12/25/05 00:30:54 [Note]: 7011 1676
12/25/05 00:30:56 [Note]: FSRAW library version 1.7.1014
12/25/05 00:31:01 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
12/25/05 00:31:03 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSQSS.EXE
12/25/05 00:31:03 [Note]: 7002 32
12/25/05 00:31:03 [Note]: 7003 1
12/25/05 00:31:04 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMAPR.EXE
12/25/05 00:31:18 [Note]: 7002 5
12/25/05 00:31:18 [Note]: 7003 1
12/25/05 00:31:19 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\SPHLP32.EXE
12/25/05 00:31:22 [Note]: 7002 5
12/25/05 00:31:22 [Note]: 7003 1
12/25/05 00:31:23 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPER.EXE
12/25/05 00:31:23 [Note]: 7002 5
12/25/05 00:31:23 [Note]: 7003 1
12/25/05 00:31:24 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\PPPCGM.EXE
12/25/05 00:31:25 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET.EXE
12/25/05 00:31:25 [Note]: 7002 5
12/25/05 00:31:25 [Note]: 7003 1
12/25/05 00:31:26 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
12/25/05 00:31:27 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FILESA~1.EXE
12/25/05 00:31:38 [Note]: 7006 0
12/25/05 00:31:38 [Note]: 7011 1676
12/25/05 00:31:39 [Note]: FSRAW library version 1.7.1014
12/25/05 00:31:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
12/25/05 00:31:45 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSQSS.EXE
12/25/05 00:31:45 [Note]: 7002 32
12/25/05 00:31:45 [Note]: 7003 1
12/25/05 00:31:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMAPR.EXE
12/25/05 00:31:53 [Note]: 7002 5
12/25/05 00:31:53 [Note]: 7003 1
12/25/05 00:31:54 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\SPHLP32.EXE
12/25/05 00:31:54 [Note]: 7002 5
12/25/05 00:31:54 [Note]: 7003 1
12/25/05 00:31:55 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPER.EXE
12/25/05 00:31:55 [Note]: 7002 5
12/25/05 00:31:55 [Note]: 7003 1
12/25/05 00:31:56 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\PPPCGM.EXE
12/25/05 00:31:57 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET.EXE
12/25/05 00:31:57 [Note]: 7002 5
12/25/05 00:31:57 [Note]: 7003 1
12/25/05 00:31:58 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
12/25/05 00:31:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FILESA~1.EXE
12/25/05 00:32:54 [Note]: 7006 0
12/25/05 00:32:54 [Note]: 7011 1676
12/25/05 00:32:55 [Note]: FSRAW library version 1.7.1014
12/25/05 00:32:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
12/25/05 00:33:00 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSQSS.EXE
12/25/05 00:33:00 [Note]: 7002 32
12/25/05 00:33:00 [Note]: 7003 1
12/25/05 00:33:01 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMAPR.EXE
12/25/05 00:33:07 [Note]: 7002 5
12/25/05 00:33:07 [Note]: 7003 1
12/25/05 00:33:07 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\SPHLP32.EXE
12/25/05 00:33:08 [Note]: 7002 5
12/25/05 00:33:08 [Note]: 7003 1
12/25/05 00:33:09 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPER.EXE
12/25/05 00:33:09 [Note]: 7002 5
12/25/05 00:33:09 [Note]: 7003 1
12/25/05 00:33:10 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\PPPCGM.EXE
12/25/05 00:33:10 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET.EXE
12/25/05 00:33:11 [Note]: 7002 5
12/25/05 00:33:11 [Note]: 7003 1
12/25/05 00:33:12 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
12/25/05 00:33:12 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FILESA~1.EXE
12/25/05 00:33:39 [Note]: 7007 0
--------------------------------------------------------------------------------------
datFind:
Verzeichnis von C:\WINDOWS\system32
23.12.2005 17:30 486 results.txt
23.12.2005 13:58 2.206 wpa.dbl
22.12.2005 14:31 4.984 close.bmp
22.12.2005 14:31 19.712 insurance.bmp
22.12.2005 14:31 21.224 xxx.bmp
22.12.2005 14:31 11.772 spyware.bmp
22.12.2005 14:31 21.872 pharmacy.bmp
22.12.2005 14:30 23.480 gambling.bmp
22.12.2005 14:30 21.872 dating.bmp
22.12.2005 14:30 387 idesk.conf
16.12.2005 19:00 787.052 PerfStringBackup.INI
16.12.2005 19:00 63.778 perfc007.dat
16.12.2005 19:00 52.900 perfc009.dat
16.12.2005 19:00 380.486 perfh009.dat
16.12.2005 19:00 391.330 perfh007.dat
09.12.2005 01:21 2.723.680 MRT.exe
01.12.2005 04:31 1.492.480 shdocvw.dll
24.11.2005 00:58 1.022.464 browseui.dll
24.11.2005 00:58 3.013.632 mshtml.dll
08.11.2005 20:17 168.304 FNTCACHE.DAT
05.11.2005 12:10 2.703 Lexmark Z42-Z43 Series ColorFine.AD2
05.11.2005 04:16 606.208 urlmon.dll
05.11.2005 04:16 1.056.256 danim.dll
26.10.2005 13:22 5.531 jupdate-1.5.0_05-b05.log
21.10.2005 04:40 474.112 shlwapi.dll
21.10.2005 04:40 664.064 wininet.dll
21.10.2005 04:40 530.944 mstime.dll
21.10.2005 04:40 146.432 msrating.dll
21.10.2005 04:40 448.512 mshtmled.dll
21.10.2005 04:40 39.424 pngfilt.dll
21.10.2005 04:40 251.392 iepeers.dll
21.10.2005 04:40 152.064 cdfview.dll
21.10.2005 04:40 55.808 extmgr.dll
21.10.2005 04:40 96.768 inseng.dll
21.10.2005 04:40 205.312 dxtrans.dll
20.10.2005 23:25 1.094.144 esent.dll
13.10.2005 00:11 15.584 spmsg.dll
06.10.2005 04:18 280.064 gdi32.dll
06.10.2005 04:08 1.839.616 win32k.sys
---------------------------------------------------------------------------------------
WinPFind:
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 18.08.2001 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 09.06.2005 22:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 09.06.2005 22:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PEC2 18.03.2003 20:05:50 2052096 C:\WINDOWS\SYSTEM32\atl71.pdb
winsync 18.08.2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PEC2 17.06.1998 3944448 C:\WINDOWS\SYSTEM32\MFC42D.PDB
PEC2 17.06.1998 2052096 C:\WINDOWS\SYSTEM32\MFCD42D.PDB
PEC2 17.06.1998 1454080 C:\WINDOWS\SYSTEM32\MFCN42D.PDB
PEC2 17.06.1998 4395008 C:\WINDOWS\SYSTEM32\MFCO42D.PDB
PEC2 17.06.1998 8015872 C:\WINDOWS\SYSTEM32\MFC42.PDB
PECompact2 09.12.2005 01:21:08 2723680 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 09.12.2005 01:21:08 2723680 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 18.03.2003 22:20:02 10357760 C:\WINDOWS\SYSTEM32\mfc71.pdb
PEC2 18.03.2003 21:28:40 8252416 C:\WINDOWS\SYSTEM32\MFC71d.pdb
PEC2 18.03.2003 22:12:14 10333184 C:\WINDOWS\SYSTEM32\mfc71u.pdb
PEC2 18.03.2003 21:31:58 8293376 C:\WINDOWS\SYSTEM32\mfc71ud.pdb
Umonitor 04.08.2004 09:57:32 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 04.08.2004 09:57:08 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Checking %System%\Drivers folder and sub-folders...
PTech 04.08.2004 07:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
24.12.2005 22:41:54 S 2048 C:\WINDOWS\bootstat.dat
22.12.2005 23:38:06 H 54156 C:\WINDOWS\QTFont.qfn
25.12.2005 00:42:40 H 1024 C:\WINDOWS\system32\config\system.LOG
25.12.2005 00:48:46 H 1024 C:\WINDOWS\system32\config\software.LOG
25.12.2005 00:41:14 H 1024 C:\WINDOWS\system32\config\default.LOG
25.12.2005 00:41:36 H 1024 C:\WINDOWS\system32\config\SAM.LOG
25.12.2005 00:10:18 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
16.12.2005 13:56:54 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
04.11.2005 19:23:22 H 8628 C:\WINDOWS\system32\spool\drivers\w32x86\2\LXATNTCP.GID
15.11.2005 11:31:02 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
15.11.2005 11:31:02 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3b30f5ff-c6a2-4972-82c1-de7d489c4af0
01.12.2005 04:44:42 S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
02.12.2005 01:12:38 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
24.12.2005 22:41:56 H 6 C:\WINDOWS\Tasks\SA.DAT
16.12.2005 18:58:14 RHS 227 C:\WINDOWS\assembly\Desktop.ini
Checking for CPL files...
Sun Microsystems, Inc. 26.08.2005 18:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Apple Computer, Inc. 23.09.2004 18:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 09:58:22 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 09:58:22 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 09:58:22 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 09:58:22 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 09:58:22 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04.08.2004 09:58:22 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 09:58:22 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 09:58:22 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04.08.2004 09:58:22 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 09:58:22 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 09:58:22 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
19.08.2003 09:20:04 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 04.08.2004 09:58:22 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04.08.2004 09:58:22 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
18.05.2005 18:33:18 1582 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
18.05.2005 18:09:58 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
19.05.2005 17:57:08 1613 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
18.05.2005 17:57:30 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
18.05.2005 18:09:58 HS 84 C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini
27.05.2005 16:34:24 644 C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Watch.lnk
Checking files in %USERPROFILE%\Application Data folder...
18.05.2005 18:30:02 871 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\AdobeDLM.log
18.05.2005 17:57:30 HS 62 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\desktop.ini
18.05.2005 18:30:02 0 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\dm.ini
29.05.2005 19:14:00 12 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\uns.tmp
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\Antivir\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\Antivir\AVShlExt.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programme\Acrobat Reader\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Programme\Spybot - Search & Destroy\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PrinTray C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -minimize
SunJavaUpdateSched C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
QuickTime Task "C:\Programme\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
WinDSL MTU-Adjust WinDSL_MTU.exe
driver32 StatusCheck.exe
backd abrek.exe
AVGCtrl "C:\Programme\Antivir\AVGNT.EXE" /min
AVGCtrl "C:\Programme\Antivir\AVGNT.EXE" /min
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -trayboot
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = c:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\msonsext.dll
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 25.12.2005 00:59:54
-------------------------------------------------------------------------------------
Blacklight Scranreport:
12/25/05 00:30:40 [Info]: BlackLight Engine 1.0.30 initialized
12/25/05 00:30:40 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/25/05 00:30:41 [Note]: 7019 4
12/25/05 00:30:41 [Note]: 7005 0
12/25/05 00:30:54 [Note]: 7006 0
12/25/05 00:30:54 [Note]: 7011 1676
12/25/05 00:30:56 [Note]: FSRAW library version 1.7.1014
12/25/05 00:31:01 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
12/25/05 00:31:03 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSQSS.EXE
12/25/05 00:31:03 [Note]: 7002 32
12/25/05 00:31:03 [Note]: 7003 1
12/25/05 00:31:04 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMAPR.EXE
12/25/05 00:31:18 [Note]: 7002 5
12/25/05 00:31:18 [Note]: 7003 1
12/25/05 00:31:19 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\SPHLP32.EXE
12/25/05 00:31:22 [Note]: 7002 5
12/25/05 00:31:22 [Note]: 7003 1
12/25/05 00:31:23 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPER.EXE
12/25/05 00:31:23 [Note]: 7002 5
12/25/05 00:31:23 [Note]: 7003 1
12/25/05 00:31:24 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\PPPCGM.EXE
12/25/05 00:31:25 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET.EXE
12/25/05 00:31:25 [Note]: 7002 5
12/25/05 00:31:25 [Note]: 7003 1
12/25/05 00:31:26 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
12/25/05 00:31:27 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FILESA~1.EXE
12/25/05 00:31:38 [Note]: 7006 0
12/25/05 00:31:38 [Note]: 7011 1676
12/25/05 00:31:39 [Note]: FSRAW library version 1.7.1014
12/25/05 00:31:43 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
12/25/05 00:31:45 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSQSS.EXE
12/25/05 00:31:45 [Note]: 7002 32
12/25/05 00:31:45 [Note]: 7003 1
12/25/05 00:31:46 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMAPR.EXE
12/25/05 00:31:53 [Note]: 7002 5
12/25/05 00:31:53 [Note]: 7003 1
12/25/05 00:31:54 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\SPHLP32.EXE
12/25/05 00:31:54 [Note]: 7002 5
12/25/05 00:31:54 [Note]: 7003 1
12/25/05 00:31:55 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPER.EXE
12/25/05 00:31:55 [Note]: 7002 5
12/25/05 00:31:55 [Note]: 7003 1
12/25/05 00:31:56 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\PPPCGM.EXE
12/25/05 00:31:57 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET.EXE
12/25/05 00:31:57 [Note]: 7002 5
12/25/05 00:31:57 [Note]: 7003 1
12/25/05 00:31:58 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
12/25/05 00:31:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FILESA~1.EXE
12/25/05 00:32:54 [Note]: 7006 0
12/25/05 00:32:54 [Note]: 7011 1676
12/25/05 00:32:55 [Note]: FSRAW library version 1.7.1014
12/25/05 00:32:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
12/25/05 00:33:00 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\CSQSS.EXE
12/25/05 00:33:00 [Note]: 7002 32
12/25/05 00:33:00 [Note]: 7003 1
12/25/05 00:33:01 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DMAPR.EXE
12/25/05 00:33:07 [Note]: 7002 5
12/25/05 00:33:07 [Note]: 7003 1
12/25/05 00:33:07 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\SPHLP32.EXE
12/25/05 00:33:08 [Note]: 7002 5
12/25/05 00:33:08 [Note]: 7003 1
12/25/05 00:33:09 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\HOWIPER.EXE
12/25/05 00:33:09 [Note]: 7002 5
12/25/05 00:33:09 [Note]: 7003 1
12/25/05 00:33:10 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\PPPCGM.EXE
12/25/05 00:33:10 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FAVSET.EXE
12/25/05 00:33:11 [Note]: 7002 5
12/25/05 00:33:11 [Note]: 7003 1
12/25/05 00:33:12 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
12/25/05 00:33:12 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\FILESA~1.EXE
12/25/05 00:33:39 [Note]: 7007 0
--------------------------------------------------------------------------------------
datFind:
Verzeichnis von C:\WINDOWS\system32
23.12.2005 17:30 486 results.txt
23.12.2005 13:58 2.206 wpa.dbl
22.12.2005 14:31 4.984 close.bmp
22.12.2005 14:31 19.712 insurance.bmp
22.12.2005 14:31 21.224 xxx.bmp
22.12.2005 14:31 11.772 spyware.bmp
22.12.2005 14:31 21.872 pharmacy.bmp
22.12.2005 14:30 23.480 gambling.bmp
22.12.2005 14:30 21.872 dating.bmp
22.12.2005 14:30 387 idesk.conf
16.12.2005 19:00 787.052 PerfStringBackup.INI
16.12.2005 19:00 63.778 perfc007.dat
16.12.2005 19:00 52.900 perfc009.dat
16.12.2005 19:00 380.486 perfh009.dat
16.12.2005 19:00 391.330 perfh007.dat
09.12.2005 01:21 2.723.680 MRT.exe
01.12.2005 04:31 1.492.480 shdocvw.dll
24.11.2005 00:58 1.022.464 browseui.dll
24.11.2005 00:58 3.013.632 mshtml.dll
08.11.2005 20:17 168.304 FNTCACHE.DAT
05.11.2005 12:10 2.703 Lexmark Z42-Z43 Series ColorFine.AD2
05.11.2005 04:16 606.208 urlmon.dll
05.11.2005 04:16 1.056.256 danim.dll
26.10.2005 13:22 5.531 jupdate-1.5.0_05-b05.log
21.10.2005 04:40 474.112 shlwapi.dll
21.10.2005 04:40 664.064 wininet.dll
21.10.2005 04:40 530.944 mstime.dll
21.10.2005 04:40 146.432 msrating.dll
21.10.2005 04:40 448.512 mshtmled.dll
21.10.2005 04:40 39.424 pngfilt.dll
21.10.2005 04:40 251.392 iepeers.dll
21.10.2005 04:40 152.064 cdfview.dll
21.10.2005 04:40 55.808 extmgr.dll
21.10.2005 04:40 96.768 inseng.dll
21.10.2005 04:40 205.312 dxtrans.dll
20.10.2005 23:25 1.094.144 esent.dll
13.10.2005 00:11 15.584 spmsg.dll
06.10.2005 04:18 280.064 gdi32.dll
06.10.2005 04:08 1.839.616 win32k.sys
---------------------------------------------------------------------------------------
WinPFind:
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 18.08.2001 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 09.06.2005 22:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 09.06.2005 22:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PEC2 18.03.2003 20:05:50 2052096 C:\WINDOWS\SYSTEM32\atl71.pdb
winsync 18.08.2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PEC2 17.06.1998 3944448 C:\WINDOWS\SYSTEM32\MFC42D.PDB
PEC2 17.06.1998 2052096 C:\WINDOWS\SYSTEM32\MFCD42D.PDB
PEC2 17.06.1998 1454080 C:\WINDOWS\SYSTEM32\MFCN42D.PDB
PEC2 17.06.1998 4395008 C:\WINDOWS\SYSTEM32\MFCO42D.PDB
PEC2 17.06.1998 8015872 C:\WINDOWS\SYSTEM32\MFC42.PDB
PECompact2 09.12.2005 01:21:08 2723680 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 09.12.2005 01:21:08 2723680 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 18.03.2003 22:20:02 10357760 C:\WINDOWS\SYSTEM32\mfc71.pdb
PEC2 18.03.2003 21:28:40 8252416 C:\WINDOWS\SYSTEM32\MFC71d.pdb
PEC2 18.03.2003 22:12:14 10333184 C:\WINDOWS\SYSTEM32\mfc71u.pdb
PEC2 18.03.2003 21:31:58 8293376 C:\WINDOWS\SYSTEM32\mfc71ud.pdb
Umonitor 04.08.2004 09:57:32 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 04.08.2004 09:57:08 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Checking %System%\Drivers folder and sub-folders...
PTech 04.08.2004 07:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
24.12.2005 22:41:54 S 2048 C:\WINDOWS\bootstat.dat
22.12.2005 23:38:06 H 54156 C:\WINDOWS\QTFont.qfn
25.12.2005 00:42:40 H 1024 C:\WINDOWS\system32\config\system.LOG
25.12.2005 00:48:46 H 1024 C:\WINDOWS\system32\config\software.LOG
25.12.2005 00:41:14 H 1024 C:\WINDOWS\system32\config\default.LOG
25.12.2005 00:41:36 H 1024 C:\WINDOWS\system32\config\SAM.LOG
25.12.2005 00:10:18 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
16.12.2005 13:56:54 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
04.11.2005 19:23:22 H 8628 C:\WINDOWS\system32\spool\drivers\w32x86\2\LXATNTCP.GID
15.11.2005 11:31:02 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
15.11.2005 11:31:02 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3b30f5ff-c6a2-4972-82c1-de7d489c4af0
01.12.2005 04:44:42 S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
02.12.2005 01:12:38 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
24.12.2005 22:41:56 H 6 C:\WINDOWS\Tasks\SA.DAT
16.12.2005 18:58:14 RHS 227 C:\WINDOWS\assembly\Desktop.ini
Checking for CPL files...
Sun Microsystems, Inc. 26.08.2005 18:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Apple Computer, Inc. 23.09.2004 18:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 09:58:22 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 09:58:22 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 09:58:22 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 09:58:22 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 09:58:22 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04.08.2004 09:58:22 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 09:58:22 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 09:58:22 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04.08.2004 09:58:22 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 09:58:22 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 09:58:22 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
19.08.2003 09:20:04 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 04.08.2004 09:58:22 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04.08.2004 09:58:22 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
18.05.2005 18:33:18 1582 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
18.05.2005 18:09:58 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
19.05.2005 17:57:08 1613 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
18.05.2005 17:57:30 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
18.05.2005 18:09:58 HS 84 C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini
27.05.2005 16:34:24 644 C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\Watch.lnk
Checking files in %USERPROFILE%\Application Data folder...
18.05.2005 18:30:02 871 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\AdobeDLM.log
18.05.2005 17:57:30 HS 62 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\desktop.ini
18.05.2005 18:30:02 0 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\dm.ini
29.05.2005 19:14:00 12 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\uns.tmp
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\Antivir\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\Antivir\AVShlExt.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programme\Acrobat Reader\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Programme\Spybot - Search & Destroy\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PrinTray C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -minimize
SunJavaUpdateSched C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
QuickTime Task "C:\Programme\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
WinDSL MTU-Adjust WinDSL_MTU.exe
driver32 StatusCheck.exe
backd abrek.exe
AVGCtrl "C:\Programme\Antivir\AVGNT.EXE" /min
AVGCtrl "C:\Programme\Antivir\AVGNT.EXE" /min
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -trayboot
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = c:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\msonsext.dll
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 25.12.2005 00:59:54
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von Nikita am 25.12.2005, 14:07
die Reinigung ist der letzte Artikel auf dieser Seite:
http://virus-protect.net/artikel/spyware/idemlog.html
poste C:\fixwareout\report.txt , dann sehen wir weiter
http://virus-protect.net/artikel/spyware/idemlog.html
poste C:\fixwareout\report.txt , dann sehen wir weiter
- Nikita
- Moderator
- Beiträge: 11478
- Registriert: 07.12.2003, 16:53
- Wohnort: Lissabon
von N_Man am 25.12.2005, 15:44
Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rpamd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSUWP.EXE
C:\WINDOWS\SYSTEM32\DMAPR.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
Last edited 12/5/2005
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rpamd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSUWP.EXE
C:\WINDOWS\SYSTEM32\DMAPR.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von Nikita am 25.12.2005, 15:53
Zuletzt geändert von Nikita am 19.03.2006, 01:19, insgesamt 1-mal geändert.
- Nikita
- Moderator
- Beiträge: 11478
- Registriert: 07.12.2003, 16:53
- Wohnort: Lissabon
von N_Man am 25.12.2005, 16:07
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" ["Lexmark"]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinDSL MTU-Adjust" = "WinDSL_MTU.exe" ["Engel Technologieberatung, Entwicklung/Verkauf von Soft- und Hardware KG"]
"driver32" = "StatusCheck.exe" [file not found]
"backd" = "abrek.exe" [file not found]
"dmapr.exe" = "C:\WINDOWS\system32\dmapr.exe" [null data]
"AVGCtrl" = ""C:\Programme\Antivir\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Antivir\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Antivir\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart
"Watch" -> shortcut to: "C:\WINDOWS\twain_32\A4CIS600\WATCH.exe" ["Common Group"]
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Acrobat Reader\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll" [file not found]
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{2FDB21EE-AE4F-D8B4-B896-B87B675B623B}" = "RtlFindVal"
-> {CLSID}\InProcServer32\(Default) = "pizda.dll" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir Service, AntiVirService, ""C:\Programme\Antivir\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\Antivir\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""c:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 139 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 75 seconds.
---------- (total run time: 282 seconds)
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" ["Lexmark"]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinDSL MTU-Adjust" = "WinDSL_MTU.exe" ["Engel Technologieberatung, Entwicklung/Verkauf von Soft- und Hardware KG"]
"driver32" = "StatusCheck.exe" [file not found]
"backd" = "abrek.exe" [file not found]
"dmapr.exe" = "C:\WINDOWS\system32\dmapr.exe" [null data]
"AVGCtrl" = ""C:\Programme\Antivir\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Antivir\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Antivir\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart
"Watch" -> shortcut to: "C:\WINDOWS\twain_32\A4CIS600\WATCH.exe" ["Common Group"]
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Acrobat Reader\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll" [file not found]
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{2FDB21EE-AE4F-D8B4-B896-B87B675B623B}" = "RtlFindVal"
-> {CLSID}\InProcServer32\(Default) = "pizda.dll" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir Service, AntiVirService, ""C:\Programme\Antivir\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\Antivir\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""c:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 139 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 75 seconds.
---------- (total run time: 282 seconds)
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von Nikita am 25.12.2005, 16:55
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fix.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "fix.reg" auf dem Desktop doppelklicken
loesche:
C:\WINDOWS\system32\dmapr.exe
scanne mit kaspersky und kopiere hier den scanreport
http://virus-protect.org/onlinescan.html
- Code: Alles auswählen
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"driver32"=-
"backd"=-
"dmapr.exe"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{2FDB21EE-AE4F-D8B4-B896-B87B675B623B}"=-
Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "fix.reg" auf dem Desktop doppelklicken
loesche:
C:\WINDOWS\system32\dmapr.exe
scanne mit kaspersky und kopiere hier den scanreport
http://virus-protect.org/onlinescan.html
Zuletzt geändert von Nikita am 19.03.2006, 01:19, insgesamt 1-mal geändert.
- Nikita
- Moderator
- Beiträge: 11478
- Registriert: 07.12.2003, 16:53
- Wohnort: Lissabon
von N_Man am 25.12.2005, 18:03
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 25, 2005 17:00:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/12/2005
Kaspersky Anti-Virus database records: 157225
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\
Scan Statistics:
Total number of scanned objects: 15444
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1507 sec
Infected Object Name - Virus Name
C:\WINDOWS\system32\csuwp.exe Infected: Trojan-Downloader.Win32.Agent.uj
Scan process completed.
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 25, 2005 17:00:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/12/2005
Kaspersky Anti-Virus database records: 157225
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\
Scan Statistics:
Total number of scanned objects: 15444
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1507 sec
Infected Object Name - Virus Name
C:\WINDOWS\system32\csuwp.exe Infected: Trojan-Downloader.Win32.Agent.uj
Scan process completed.
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von N_Man am 25.12.2005, 19:30
Puh, da tummelt sich aber noch einiges 
Incident Status Location
Adware:adware/startpage.amb Not desinfected C:\Dokumente und Einstellungen\Administrator\Favoriten\Online Pharmacy
Adware:adware/webhancer Not desinfected C:\PROGRAMME\whInstall
Adware:adware/savenow Not desinfected C:\PROGRAMME\Save
Adware:Adware/IST.ISTBar Not desinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-24d12aaf.zip[InstallerApplet.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[Installer.class]
Adware:Adware/IST.ISTBar Not desinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-65f270c9.zip[InstallerApplet.class]
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\WhAgent.exe
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\whInstaller.exe
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\WhSurvey.exe
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\Webhdll.dll
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\whiehlpr.dll
Adware:Adware/SaveNow Not desinfected C:\Programme\Save\ACM.dll
Incident Status Location
Adware:adware/startpage.amb Not desinfected C:\Dokumente und Einstellungen\Administrator\Favoriten\Online Pharmacy
Adware:adware/webhancer Not desinfected C:\PROGRAMME\whInstall
Adware:adware/savenow Not desinfected C:\PROGRAMME\Save
Adware:Adware/IST.ISTBar Not desinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-24d12aaf.zip[InstallerApplet.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-78b082f6.zip[Installer.class]
Adware:Adware/IST.ISTBar Not desinfected C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-65f270c9.zip[InstallerApplet.class]
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\WhAgent.exe
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\whInstaller.exe
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\WhSurvey.exe
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\Webhdll.dll
Adware:Adware/WebHancer Not desinfected C:\Programme\whInstall\whiehlpr.dll
Adware:Adware/SaveNow Not desinfected C:\Programme\Save\ACM.dll
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von Nikita am 25.12.2005, 19:56
LSPfix
http://www.spychecker.com/program/lspfix.html
schreibe mir, welche dll du findest
-------------------------------------------------------------------------
SmitRem2.8
http://noahdfear.geekstogo.com/click%20 ... k.php?id=1
laden--> in den abgesicherten Modus booten --> öffne smitRem folder --> Doppelklick: RunThis.bat
warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)
suche smitfiles.txt und kopiere die Textdatei in den Thread
-------------------------------------------------------------------------
deinstalliere/loesche:
C:\Programme\whInstall
C:\Programme\Save
C:\Dokumente und Einstellungen\Administrator\Favoriten\Online Pharmacy.url<--loeschen
CCleaner
http://www.ccleaner.com/ccdownload.asp
lösche alle temp-Dateien und leere mit dem Tool das java-Cache.
-------------------------------------------------------------------------------------
http://www.spychecker.com/program/lspfix.html
schreibe mir, welche dll du findest
-------------------------------------------------------------------------
SmitRem2.8
http://noahdfear.geekstogo.com/click%20 ... k.php?id=1
laden--> in den abgesicherten Modus booten --> öffne smitRem folder --> Doppelklick: RunThis.bat
warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)
suche smitfiles.txt und kopiere die Textdatei in den Thread
-------------------------------------------------------------------------
deinstalliere/loesche:
C:\Programme\whInstall
C:\Programme\Save
C:\Dokumente und Einstellungen\Administrator\Favoriten\Online Pharmacy.url<--loeschen
CCleaner
http://www.ccleaner.com/ccdownload.asp
lösche alle temp-Dateien und leere mit dem Tool das java-Cache.
-------------------------------------------------------------------------------------
- Nikita
- Moderator
- Beiträge: 11478
- Registriert: 07.12.2003, 16:53
- Wohnort: Lissabon
von N_Man am 25.12.2005, 20:49
Nikita hat geschrieben:LSPfix
schreibe mir, welche dll du findest
Er findet
File ......................... Description
-----------------------------------
mswsock.dll..............TCP/IP
winrnr.dll.................. NTDS
rsvpsp.dll.................(Protocol handler)
Hier die smitfiles.txt:
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 740 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von Nikita am 25.12.2005, 21:36
der Hancer ist also nicht im Winsock verankert,, du kannst also alles loeschen:
C:\Programme\whInstall\WhAgent.exe
C:\Programme\whInstall\whInstaller.exe
C:\Programme\whInstall\WhSurvey.exe
C:\Programme\whInstall\Webhdll.dll
C:\Programme\whInstall\whiehlpr.dll
C:\Programme\whInstall
C:\Programme\Save
C:\Dokumente und Einstellungen\Administrator\Favoriten\Online Pharmacy.url<--loeschen
CCleaner
http://www.ccleaner.com/ccdownload.asp
lösche alle temp-Dateien und leere mit dem Tool das java-Cache.
C:\Programme\whInstall\WhAgent.exe
C:\Programme\whInstall\whInstaller.exe
C:\Programme\whInstall\WhSurvey.exe
C:\Programme\whInstall\Webhdll.dll
C:\Programme\whInstall\whiehlpr.dll
C:\Programme\whInstall
C:\Programme\Save
C:\Dokumente und Einstellungen\Administrator\Favoriten\Online Pharmacy.url<--loeschen
CCleaner
http://www.ccleaner.com/ccdownload.asp
lösche alle temp-Dateien und leere mit dem Tool das java-Cache.
- Nikita
- Moderator
- Beiträge: 11478
- Registriert: 07.12.2003, 16:53
- Wohnort: Lissabon
von N_Man am 25.12.2005, 21:40
das hab ich doch bereits alles gelöscht.
ist dann jetzt alles wieder sauber?
edit:
bzw.. den ccleaner hab ich einfach einmal so laufen lassen und alles, was defaultmäßig eingestellt war, gelöscht (temp, cache, cookies etc)
muss ich für den java cache irgendwo gesondert etwas einstellen in dem tool? hab nix konkretes gefunden...
ist dann jetzt alles wieder sauber?
edit:
bzw.. den ccleaner hab ich einfach einmal so laufen lassen und alles, was defaultmäßig eingestellt war, gelöscht (temp, cache, cookies etc)
muss ich für den java cache irgendwo gesondert etwas einstellen in dem tool? hab nix konkretes gefunden...
- N_Man
- Beiträge: 30
- Registriert: 12.05.2005, 14:22
von Nikita am 25.12.2005, 21:59
scanne mit spyxposer und berichte
http://virus-protect.org/antispytools.html
http://virus-protect.org/antispytools.html
Zuletzt geändert von Nikita am 19.03.2006, 01:20, insgesamt 1-mal geändert.
- Nikita
- Moderator
- Beiträge: 11478
- Registriert: 07.12.2003, 16:53
- Wohnort: Lissabon
18 Beiträge • Seite 1 von 2 • 1, 2
Zurück zu Online- und PC-Sicherheit
Wer ist online?
Mitglieder in diesem Forum: 0 Mitglieder und 1 Gast