Log analysis and evaluation: Internet Explorer simply opens pages
Windows 7

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: first steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1

Hi, I hope you can help me... I've been sitting on this for about 6 hours now and have run every anti-virus tool there is, like Ad-Aware SE Personal, AntiVir, Spyware Doctor and whatever else they're called.... maybe I'm just doing something wrong. As described above, my Internet Explorer opens some page or other every 5 minutes or so, and now and then a page comes up with the following text: ">spyware or adware may be damaging your computer. > if you have downloaded music online or visited adult website, spyware may be running in your computer. spyware may cause slow computer speeds, unwanted pop up ads or personal identity theft. > click 'ok' to scan your PC now."!!! Here is my HijackThis log:

```
Logfile of HijackThis v1.99.1
Scan saved at 22:38:08, on 11.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
O:\WINDOWS\System32\smss.exe
O:\WINDOWS\system32\winlogon.exe
O:\WINDOWS\system32\services.exe
O:\WINDOWS\system32\lsass.exe
O:\WINDOWS\system32\svchost.exe
O:\WINDOWS\System32\svchost.exe
O:\WINDOWS\system32\spoolsv.exe
O:\WINDOWS\system32\rundll32.exe
O:\WINDOWS\Explorer.EXE
F:\Programme\The Cleaner\tcm.exe
F:\Programme\The Cleaner\tca.exe
O:\WINDOWS\SOUNDMAN.EXE
O:\WINDOWS\System32\RUNDLL32.EXE
F:\Programme\ICQLite\ICQLite.exe
O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
F:\Programme\D-Tools\daemon.exe
F:\Programme\AVPersonal\AVGNT.EXE
O:\Programme\Messenger\msmsgs.exe
O:\WINDOWS\System32\ctfmon.exe
I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O:\Programme\VIA\RAID\raid_tool.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
O:\WINDOWS\System32\nvsvc32.exe
F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O:\WINDOWS\System32\wuauclt.exe
O:\WINDOWS\System32\wuauclt.exe
O:\Programme\Internet Explorer\iexplore.exe
O:\Dokumente und Einstellungen\Enduro\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - O:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE O:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tcmonitor] F:\Programme\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [tcactive] F:\Programme\The Cleaner\tca.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE O:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] f:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [EM_EXEC] O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] F:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AnyDVD] "F:\Programme\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [MSMSGS] "O:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] O:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] F:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = O:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: VIA RAID TOOL.lnk = O:\Programme\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {522696DF-119E-49B5-A82E-03667D741489} - f:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {522696DF-119E-49B5-A82E-03667D741489} - f:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124753553499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124753543014
O20 - Winlogon Notify: URL - O:\WINDOWS\system32\gp68l3ju1.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - O:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - O:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
```

Thanks in advance for your help!!!
regards enduro
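HijackThis writes one entry per line with a section prefix (R0/R1 for start and search pages, O4 for Run keys, O20 for Winlogon Notify DLLs, O23 for services), and in a log like the one above the items a helper reads first are the O20 Winlogon Notify DLL and the start/search pages that have been reset to about:blank. The Python script below is an added example, not code from this thread or from HijackThis itself: it parses that line format and applies a small random-file-name heuristic of its own (digit count plus letter/digit alternations in the base name) to every O20 entry. The sample log is a constructed excerpt of the log above plus one made-up benign crypt32chain line, and the threshold of 5 is an assumption of the example, not a HijackThis rule.

```python
"""Triage of a HijackThis log: parse the one-entry-per-line format and
pull out the items a log helper reads first.  Added example, not code
from the thread or from HijackThis.  The random-name heuristic, the
threshold and the sample log are assumptions of this example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Entry shape: "O20 - Winlogon Notify: URL - O:\WINDOWS\system32\gp68l3ju1.dll"
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<label>\S+) - (?P<path>.+)$")
R_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.+?) = (?P<value>.*)$")


@dataclass
class Entry:
    kind: str   # section prefix, e.g. "O20"
    body: str   # text after "O20 - "


def parse_hjt(text):
    """Group entries by prefix; header and process-list lines are skipped."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries[m.group(1)].append(Entry(m.group(1), m.group(2)))
    return entries


def random_name_score(path):
    """Heuristic (an assumption of this example): digits in the base name
    plus the number of letter/digit alternations.  crypt32 -> 3,
    fpj4031qe -> 6, gp68l3ju1 -> 9."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    digits = sum(ch.isdigit() for ch in base)
    runs = re.findall(r"[0-9]+|[A-Za-z]+", base)
    return digits + max(len(runs) - 1, 0)


def notify_dlls(entries, threshold=5):
    """(label, path, score, suspicious) for every O20 Winlogon Notify entry."""
    out = []
    for e in entries.get("O20", []):
        m = O20_RE.match(e.body)
        if m:
            score = random_name_score(m.group("path"))
            out.append((m.group("label"), m.group("path"), score, score >= threshold))
    return out


def reset_pages(entries):
    """Registry values of R0/R1 entries whose start/search page is about:blank."""
    hits = []
    for kind in ("R0", "R1"):
        for e in entries.get(kind, []):
            m = R_RE.match(e.body)
            if m and m.group("value").strip().lower() == "about:blank":
                hits.append(m.group("key"))
    return hits


# Constructed excerpt of the log above plus one made-up benign O20 line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
O:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: crypt32chain - O:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: URL - O:\WINDOWS\system32\gp68l3ju1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - O:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for label, path, score, bad in notify_dlls(parsed):
        print(f"O20 {label:<14} {path}  score={score}  {'SUSPICIOUS' if bad else 'ok'}")
    for key in reset_pages(parsed):
        print("reset to about:blank:", key)
```

The heuristic is only a prompt to look closer: a flagged O20 DLL still has to be checked by its version information and vendor (which is exactly what the Silent Runners "[null data]" annotation later in this thread reports), not deleted on the strength of a score.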
#2

Hello Enduro,

download clearprog 1.4.1 final and run a disk cleanup with it (start the program, tick "Alles Löschen" and click "Löschen"). Also delete the quarantine folder of your AntiVir program. Then scan your system with eScan. Please read carefully first and only then scan. Report the result using the "find.bat".

dartus
#3

The "find.bat" somehow doesn't create the escan.txt.... I'll run another scan tomorrow and hope I can create it then.

regards enduro
#4

I did it quickly that way after all and searched the log file for infected and tagged:

searched for infected:

```
Wed Oct 12 16:45:00 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Wed Oct 12 16:45:00 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Wed Oct 12 16:45:00 2005 => System found infected with bearshare Spyware/Adware ({905d0df2-3a0a-4d94-853c-54a12a745905})! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\0923gtuj\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\0923gtuj\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\6tajyji1\adswrapper[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\is2um5f7\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\kxyzodq3\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\otsx690h\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\ynsvqd09\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\ynsvqd09\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\0923gtuj\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\0923gtuj\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\6tajyji1\adswrapper[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\is2um5f7\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\kxyzodq3\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\otsx690h\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\ynsvqd09\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\ynsvqd09\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 21:04:34 2005 => File J:\Programme\Norton AntiVirus\Quarantine\6F5E2D91.dat infected by "Email-Worm.VBS.LoveLetter" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:34 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\50AC71A0.dat
Wed Oct 12 21:04:34 2005 => File J:\Programme\Norton AntiVirus\Quarantine\50AC71A0.dat infected by "Email-Worm.VBS.LoveLetter" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:34 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\3C9049BB.dat
Wed Oct 12 21:04:34 2005 => File J:\Programme\Norton AntiVirus\Quarantine\3C9049BB.dat infected by "Email-Worm.Win32.Stator.a" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:43 2005 => File J:\Programme\Norton AntiVirus\Quarantine\70602B3D.dat infected by "Email-Worm.VBS.LoveLetter" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:59 2005 => File J:\Programme\Norton AntiVirus\Quarantine\42E812A8.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B3D68DE.dat infected by "Email-Worm.VBS.LoveLetter.bk" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B4E3ACC.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B5738C1.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B5738C1.dat infected by "Email-Worm.VBS.generic" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B6136B6.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B6136B6.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B680AAF.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B680AAF.dat infected by "Type_Script" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B6E5EA8.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B6E5EA8.dat infected by "Type_Script" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B7B0699.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B7B0699.dat infected by "Email-Worm.VBS.generic" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B825A92.dat
Wed Oct 12 21:05:01 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B825A92.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:01 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B8C5887.dat
Wed Oct 12 21:05:01 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B8C5887.dat infected by "Email-Worm.VBS.generic" Virus! Action Taken: No Action Taken.
```

searched for tagged:

```
Wed Oct 12 18:08:53 2005 => File F:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 18:13:35 2005 => File F:\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Wed Oct 12 20:09:07 2005 => File J:\Downloads\HL CS\HL\HL updates\g(erman)11091110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 20:09:19 2005 => File J:\Downloads\HL CS\HL\HL updates\11091110(US).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 20:10:54 2005 => File J:\Downloads\HL CS\CS\CS updates\cs1005(englisch).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 20:36:01 2005 => File J:\Downloads\Mirc\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Wed Oct 12 21:14:28 2005 => File J:\Sierra\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.601. No Action Taken.
Wed Oct 12 21:16:24 2005 => File O:\Dokumente und Einstellungen\Enduro\Desktop\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
Wed Oct 12 21:49:00 2005 => File O:\WINDOWS\system32\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:07 2005 => File O:\WINDOWS\system32\cpbjmon.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:07 2005 => File O:\WINDOWS\system32\cuwmdm.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:12 2005 => File O:\WINDOWS\system32\dbnput.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:22 2005 => File O:\WINDOWS\system32\djrgres.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:27 2005 => File O:\WINDOWS\system32\iFspolcy.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:31 2005 => File O:\WINDOWS\system32\isrtprio.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:41 2005 => File O:\WINDOWS\system32\mjiwave.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:56 2005 => File O:\WINDOWS\system32\nhwrsit.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:56 2005 => File O:\WINDOWS\system32\nktui1.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:54:19 2005 => File O:\WINDOWS\system32\otethk32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken
Wed Oct 12 21:54:39 2005 => File O:\WINDOWS\system32\sqripto.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
```
#5

First the Silent Runners log:

```
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)
"MSMSGS" = ""O:\Programme\Messenger\msmsgs.exe" /background" [MS]
"CTFMON.EXE" = "O:\WINDOWS\System32\ctfmon.exe" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "F:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE O:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"tcmonitor" = "F:\Programme\The Cleaner\tcm.exe" ["MooSoft Development"]
"tcactive" = "F:\Programme\The Cleaner\tca.exe" ["MooSoft Development"]
"SpySweeper" = ""F:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE O:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"ICQ Lite" = "f:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"EM_EXEC" = "O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc."]
"DAEMON Tools-1033" = ""F:\Programme\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVGCtrl" = "F:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"AnyDVD" = ""F:\Programme\SlySoft\AnyDVD\AnyDVD.exe"" ["SlySoft, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{36533DA5-8FB6-4D67-BAA9-7DD407FE32D5}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\system32\dpmsadsn.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! ModuleUsage\DLLName = "O:\WINDOWS\system32\fpj4031qe.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ewido\security suite\context.dll" ["ewido networks"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ewido\security suite\context.dll" ["ewido networks"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "O:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "O:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Enduro" & "All Users" startup folders:
--------------------------------------------------------

O:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech Desktop Messenger" -> shortcut to: "O:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [empty string]
"VIA RAID TOOL" -> shortcut to: "O:\Programme\VIA\RAID\raid_tool.exe" ["VIA Technologies"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{522696DF-119E-49B5-A82E-03667D741489}\
"ButtonText" = "Klicke hier um das Projekt xp-AntiSpy zu unterstützen"
"MenuText" = "Unterstützung für xp-AntiSpy"
"Exec" = "f:\Programme\xp-AntiSpy\sponsoring\sponsor.html" [null data]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "f:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "F:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""F:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
ewido security suite control, ewido security suite control, "F:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "F:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "O:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "O:\WINDOWS\System32\wdfmgr.exe" [MS]

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 25 seconds, including 3 seconds for message boxes)
```

ewido log:

```
---------------------------------------------------------
 ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 12:11:02, 17.10.2005
+ Report-Checksumme: 69C9A351

+ Scanergebnis:

O:\WINDOWS\SoftwareDistribution\Download\7cd8322ddb034116adc611f13235be423cf05661/mrt.exe -> Heuristic.Win32.AVKiller : Gesäubert mit Backup
O:\WINDOWS\SoftwareDistribution\Download\7cd8322ddb034116adc611f13235be423cf05661/mrt.exe -> Heuristic.Win32.AVKiller : Gesäubert mit Backup
[676] O:\WINDOWS\system32\lhrhelp.dll -> Spyware.Look2Me : Fehler beim Säubern
[1436] O:\WINDOWS\system32\lhrhelp.dll -> Spyware.Look2Me : Fehler beim Säubern
C:\WINDOWS\Cookies\stephen@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Gesäubert mit Backup
C:\Program Files\SpySheriff\Uninstall.exe -> Adware.SpySheriff : Gesäubert mit Backup
O:\!KillBox\ckyptext.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\cpbjmon.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\cuwmdm.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\dbnput.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\djrgres.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\dwvx_xx11.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\dywsock.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\gtu32.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\iFspolcy.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\isrtprio.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\kddfi.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\mjiwave.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\mnvcr71.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\nhwrsit.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\nktui1.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\nphwvid.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\otethk32.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\sqripto.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\!KillBox\vbmdbg.dll -> Spyware.Look2Me : Gesäubert mit Backup
O:\WINDOWS\system32\whadefui.dll -> Spyware.Look2Me : Gesäubert mit Backup

::Report Ende
```

The file that keeps regenerating itself, "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! ModuleUsage\DLLName = "O:\WINDOWS\system32\fpj4031qe.dll" [null data]", unfortunately cannot be deleted, neither with HijackThis nor with KillBox.... and ewido is also at a loss with it...
#7
Hello Enduro,

you have not emptied the quarantine folder of your AntiVir program, and you have not run "Clearprog". Please catch up on both!

Download Adaware and Spybot S&D. Install and update them. Clean your registry, e.g. with Regseeker. Run Adaware and Spybot one after the other and delete all finds.

Restart --> System Restore can be re-enabled.

New logfile.

dartus
__________________
No support via PM.
Last edited by dartus (12.10.2005 at 22:27)
#8
Can't manage that today anymore... you'll get the log tomorrow around 17:30.
#9
OK, I have now also managed it with find.bat. There are songs among the results too, but for now I'll leave the log as it was generated:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Results for "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 06:19:24 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Fri Oct 14 06:19:24 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Fri Oct 14 06:42:23 2005 => Scanning Folder: F:\Programme\AVPersonal\INFECTED\*.*
Fri Oct 14 07:19:13 2005 => Scanning File F:\Programme\Return to Castle Wolfenstein\Main\main\maps\infected.bsp
Fri Oct 14 07:53:38 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3
Fri Oct 14 07:53:38 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 05 - Asshole.mp3
Fri Oct 14 07:53:39 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3
Fri Oct 14 09:13:11 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3.xml
Fri Oct 14 09:13:11 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 05 - Asshole.mp3.xml
Fri Oct 14 09:13:11 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3.xml
Fri Oct 14 09:13:19 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3 [**]
Fri Oct 14 09:13:19 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3.sd
Fri Oct 14 10:27:07 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Infected.zip
Fri Oct 14 10:28:38 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Maps\main\maps\infected.bsp
Fri Oct 14 11:27:07 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Results for "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 07:43:23 2005 => File F:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 07:48:05 2005 => File F:\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Fri Oct 14 09:42:01 2005 => File J:\Downloads\HL CS\HL\HL updates\g(erman)11091110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 09:42:13 2005 => File J:\Downloads\HL CS\HL\HL updates\11091110(US).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 09:43:47 2005 => File J:\Downloads\HL CS\CS\CS updates\cs1005(englisch).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 10:08:53 2005 => File J:\Downloads\Mirc\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Fri Oct 14 10:46:18 2005 => File J:\Sierra\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.601. No Action Taken.
Fri Oct 14 10:48:28 2005 => File O:\Dokumente und Einstellungen\Enduro\Desktop\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
Fri Oct 14 11:20:51 2005 => File O:\WINDOWS\system32\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:20:58 2005 => File O:\WINDOWS\system32\cpbjmon.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:20:58 2005 => File O:\WINDOWS\system32\cuwmdm.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:21:03 2005 => File O:\WINDOWS\system32\dbnput.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:21:13 2005 => File O:\WINDOWS\system32\djrgres.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:11 2005 => File O:\WINDOWS\system32\dwvx_xx11.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:12 2005 => File O:\WINDOWS\system32\dywsock.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:16 2005 => File O:\WINDOWS\system32\gtu32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:19 2005 => File O:\WINDOWS\system32\iFspolcy.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:23 2005 => File O:\WINDOWS\system32\isrtprio.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:27 2005 => File O:\WINDOWS\system32\kddfi.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:34 2005 => File O:\WINDOWS\system32\mjiwave.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:49 2005 => File O:\WINDOWS\system32\nhwrsit.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:49 2005 => File O:\WINDOWS\system32\nktui1.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:50 2005 => File O:\WINDOWS\system32\nphwvid.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:26:12 2005 => File O:\WINDOWS\system32\otethk32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:26:32 2005 => File O:\WINDOWS\system32\sqripto.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Results for "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 06:19:25 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!!
Fri Oct 14 06:19:25 2005 => Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistics:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 11:27:07 2005 => Total Virus(es) Found: 29
Fri Oct 14 11:27:07 2005 => Total Errors: 35
Fri Oct 14 11:27:07 2005 => Time Elapsed: 05:03:17
Fri Oct 14 11:27:07 2005 => Total Objects Scanned: 170652
Fri Oct 14 06:18:08 2005 => Virus Database Date: 2005/10/13
Fri Oct 14 11:27:07 2005 => Virus Database Date: 2005/10/13
Fri Oct 14 15:26:29 2005 => Virus Database Date: 2005/10/13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Thanks to Cidre ~~~~~~~
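The eScan log above was filtered with find.bat, which (as an assumption about how that batch file works) greps the raw log for the words "infected", "tagged" and "offending"; the Sum 41 tracks and the Wolfenstein map in the "infected" section are there only because their file names contain the word, as the poster noticed. The following Python script is an added example and not part of this thread, of eScan or of find.bat: it parses the verdict lines by their shape instead of by keyword and separates real detections from file-name noise. The sample log lines are a subset copied from the log posted above; the regular expressions are assumptions derived from the line formats visible there.

```python
import re
from collections import Counter

# Subset of lines copied from the eScan log posted above (constructed sample).
SAMPLE_LOG = r"""
Fri Oct 14 06:19:24 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Fri Oct 14 06:19:24 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Fri Oct 14 07:19:13 2005 => Scanning File F:\Programme\Return to Castle Wolfenstein\Main\main\maps\infected.bsp
Fri Oct 14 07:53:38 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3
Fri Oct 14 07:43:23 2005 => File F:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 11:20:51 2005 => File O:\WINDOWS\system32\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 06:19:25 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!!
Fri Oct 14 11:27:07 2005 => Total Virus(es) Found: 29
"""

# One pattern per verdict type (assumptions derived from the log lines above).
# The "tagged" form appears both with and without quotes around the name and
# with or without an "Action Taken:" prefix, so the pattern accepts both.
VERDICT_PATTERNS = {
    "infected": re.compile(
        r"^(?P<ts>.+?) => System found infected with (?P<name>.+?) "
        r"\((?P<obj>.+?)\)! Action taken: (?P<action>.+?)\.$"),
    "tagged": re.compile(
        r'^(?P<ts>.+?) => File (?P<obj>.+?) tagged as "?(?P<name>not-a-virus:[^"]+?)"?\. '
        r"(?:Action Taken: )?(?P<action>[^.]+)\.$"),
    "offending": re.compile(
        r"^(?P<ts>.+?) => Offending (?P<kind>value|file) found(?: in|:) (?P<obj>.+?)(?: !!!)?$"),
}


def grep_keyword(log_text, keyword):
    """What find.bat does (assumed): every line containing the keyword, case-insensitively."""
    kw = keyword.lower()
    return [line for line in log_text.splitlines() if kw in line.lower()]


def triage(log_text):
    """Classify each line by verdict pattern. Lines that merely *mention* a keyword
    (e.g. a file called infected.bsp being scanned) are collected as 'noise'."""
    hits = {kind: [] for kind in VERDICT_PATTERNS}
    hits["noise"] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, pattern in VERDICT_PATTERNS.items():
            match = pattern.match(line)
            if match:
                hits[kind].append(match.groupdict())
                break
        else:
            if any(kw in line.lower() for kw in VERDICT_PATTERNS):
                hits["noise"].append(line)
    return hits


def summarize(hits):
    """Counts per verdict type plus a tally of detection names, for a quick overview."""
    names = Counter(h["name"] for kind in ("infected", "tagged") for h in hits[kind])
    counts = {kind: len(items) for kind, items in hits.items()}
    return counts, names


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    counts, names = summarize(hits)
    print("keyword grep for 'infected':", len(grep_keyword(SAMPLE_LOG, "infected")), "lines")
    print("real 'infected' verdicts:", counts["infected"], "/ noise lines:", counts["noise"])
    for name, n in names.most_common():
        print(f"{n:3d}  {name}")
```

On the sample, the keyword grep returns four "infected" lines while only two are verdicts; the other two are the map file and the MP3. Anything that does not match a verdict pattern but still contains a keyword lands in `noise`, so a new log line format shows up there instead of silently disappearing.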
#10
OK, done. I'll give you the eScan log first and then the other one:

eScan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Results for "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 17:30:10 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Sun Oct 16 17:30:10 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Sun Oct 16 17:53:23 2005 => Scanning Folder: F:\Programme\AVPersonal\INFECTED\*.*
Sun Oct 16 18:29:33 2005 => Scanning File F:\Programme\Return to Castle Wolfenstein\Main\main\maps\infected.bsp
Sun Oct 16 19:04:24 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3
Sun Oct 16 19:04:24 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 05 - Asshole.mp3
Sun Oct 16 19:04:24 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3
Sun Oct 16 20:24:52 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3.xml
Sun Oct 16 20:24:52 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 05 - Asshole.mp3.xml
Sun Oct 16 20:24:52 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3.xml
Sun Oct 16 20:25:00 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3 [**]
Sun Oct 16 20:25:00 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3.sd
Sun Oct 16 21:38:46 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Infected.zip
Sun Oct 16 21:40:17 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Maps\main\maps\infected.bsp
Sun Oct 16 22:39:05 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Results for "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 18:54:08 2005 => File F:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 18:58:50 2005 => File F:\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Sun Oct 16 20:53:44 2005 => File J:\Downloads\HL CS\HL\HL updates\g(erman)11091110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 20:53:56 2005 => File J:\Downloads\HL CS\HL\HL updates\11091110(US).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 20:55:30 2005 => File J:\Downloads\HL CS\CS\CS updates\cs1005(englisch).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 21:20:35 2005 => File J:\Downloads\Mirc\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Sun Oct 16 21:57:55 2005 => File J:\Sierra\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.601. No Action Taken.
Sun Oct 16 22:00:11 2005 => File O:\Dokumente und Einstellungen\Enduro\Desktop\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
Sun Oct 16 22:32:49 2005 => File O:\WINDOWS\system32\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:32:55 2005 => File O:\WINDOWS\system32\cpbjmon.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:32:56 2005 => File O:\WINDOWS\system32\cuwmdm.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:33:01 2005 => File O:\WINDOWS\system32\dbnput.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:33:11 2005 => File O:\WINDOWS\system32\djrgres.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:08 2005 => File O:\WINDOWS\system32\dwvx_xx11.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:09 2005 => File O:\WINDOWS\system32\dywsock.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:13 2005 => File O:\WINDOWS\system32\gtu32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:17 2005 => File O:\WINDOWS\system32\iFspolcy.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:21 2005 => File O:\WINDOWS\system32\isrtprio.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:25 2005 => File O:\WINDOWS\system32\kddfi.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:31 2005 => File O:\WINDOWS\system32\mjiwave.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:32 2005 => File O:\WINDOWS\system32\mnvcr71.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:46 2005 => File O:\WINDOWS\system32\nhwrsit.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:46 2005 => File O:\WINDOWS\system32\nktui1.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:47 2005 => File O:\WINDOWS\system32\nphwvid.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:38:09 2005 => File O:\WINDOWS\system32\otethk32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:38:30 2005 => File O:\WINDOWS\system32\sqripto.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Results for "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 17:30:12 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!!
Sun Oct 16 17:30:12 2005 => Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!!
Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\8967wden\adsend[1].js
Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\khmv4bc7\adswrapper[1].js
Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\yt2nyxkt\show_ads[2].js
Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\8967wden\adsend[1].js
Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\khmv4bc7\adswrapper[1].js
Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\yt2nyxkt\show_ads[2].js
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistics:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 22:39:05 2005 => Total Virus(es) Found: 36
Sun Oct 16 22:39:05 2005 => Total Errors: 35
Sun Oct 16 22:39:05 2005 => Time Elapsed: 05:04:47
Sun Oct 16 22:39:05 2005 => Total Objects Scanned: 171544
Sun Oct 16 22:39:05 2005 => Virus Database Date: 2005/10/13
Mon Oct 17 00:21:15 2005 => Virus Database Date: 2005/10/13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Thanks to Cidre ~~~~~~~

________________________________________________________________

silentrunners:

"Silent Runners.vbs", revision 41, h**p://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)
"MSMSGS" = ""O:\Programme\Messenger\msmsgs.exe" /background" [MS]
"CTFMON.EXE" = "O:\WINDOWS\System32\ctfmon.exe" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "F:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE O:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"tcmonitor" = "F:\Programme\The Cleaner\tcm.exe" ["MooSoft Development"]
"tcactive" = "F:\Programme\The Cleaner\tca.exe" ["MooSoft Development"]
"SpySweeper" = ""F:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE O:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"ICQ Lite" = "f:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"EM_EXEC" = "O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"DAEMON Tools-1033" = ""F:\Programme\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVGCtrl" = "F:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"AnyDVD" = ""F:\Programme\SlySoft\AnyDVD\AnyDVD.exe"" ["SlySoft, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS]
"{36533DA5-8FB6-4D67-BAA9-7DD407FE32D5}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\system32\vbmdbg.dll" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! policies\DLLName = "O:\WINDOWS\system32\jt0q07d5e.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "O:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "O:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Enduro" & "All Users" startup folders:
--------------------------------------------------------

O:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech Desktop Messenger" -> shortcut to: "O:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [empty string]
"VIA RAID TOOL" -> shortcut to: "O:\Programme\VIA\RAID\raid_tool.exe" ["VIA Technologies"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{522696DF-119E-49B5-A82E-03667D741489}\
"ButtonText" = "Klicke hier um das Projekt xp-AntiSpy zu unterstützen"
"MenuText" = "Unterstützung für xp-AntiSpy"
"Exec" = "f:\Programme\xp-AntiSpy\sponsoring\sponsor.html" [null data]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "f:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "F:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""F:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
NVIDIA Display Driver Service, NVSvc, "O:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "O:\WINDOWS\System32\wdfmgr.exe" [MS]

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 31 seconds, including 6 seconds for message boxes)
#11
Download ClearProg. Start the PC in Safe Mode and delete all Windows and Internet Explorer temp files with ClearProg.

Delete these files, e.g. with Killbox (I've highlighted one for you so you know what I mean):

Quote:
O:\WINDOWS\system32\vbmdbg.dll
O:\WINDOWS\system32\jt0q07d5e.dll

(This file has a different name after the reboot. If you create a new SilentRunners log, though, it is at the same place, e.g. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! policies\DLLName = "O:\WINDOWS\system32\sjd73487df.dll" [null data]. Alternatively it also shows up as an O20 entry in HjT.)

Also fix the randomly generated O20 entry in HjT.

Navigate in the registry (Start -> Run -> regedit -> [Enter]) to the key

Quote:

Quote:

Restart. Post a new SilentRunners log and the ewido results.
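The point made in the reply above is that the Look2Me component re-registers itself under Winlogon\Notify after every reboot under a fresh random file name, so the file name is useless as an indicator while the location is not. The script below is an added example and not part of this thread, of l2mfix or of Silent Runners: it reads a .reg export of the Notify key (the format the l2mfix log in the next post uses, including hex(2) REG_EXPAND_SZ values), decodes each DLLName and flags every package that is not one of the notification DLLs a Windows XP installation registers itself. The allowlist is an assumption taken from the Notify subkeys visible in the l2mfix export in this thread (plus the ATI display driver's) and must be adjusted for other builds; the "random-looking name" and "absolute path" heuristics are likewise assumptions based on the entries quoted in this thread. The sample export is constructed: two entries copied from that l2mfix export and one entry modelled on the "policies" subkey quoted above.

```python
import re

# Notification packages an XP install registers by itself. Assumption: taken
# from the Notify subkeys visible in the l2mfix export in this thread
# (Ati2evxx.dll belongs to the ATI display driver); extend per build.
XP_DEFAULT_NOTIFY_DLLS = {
    "ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}

NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify(?:\\([^\]]+))?\]$", re.IGNORECASE)
DLLNAME_RE = re.compile(r'^"DLLName"=(.+)$', re.IGNORECASE)
# Letters and digits mixed, as in jt0q07d5e.dll / sjd73487df.dll quoted above (heuristic).
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{7,}$")

# Constructed sample: two entries copied from the l2mfix export in this thread
# plus one entry modelled on the Look2Me "policies" subkey described above.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"DLLName"="O:\\WINDOWS\\system32\\jt0q07d5e.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
'''


def decode_reg_value(value):
    """Decode the right-hand side of a .reg line: a quoted REG_SZ (backslashes and
    quotes are escaped) or hex(2): REG_EXPAND_SZ stored as UTF-16LE bytes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if value.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in value[7:].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return value


def parse_notify_export(reg_text):
    """Return {subkey: dll} for every Notify subkey that declares a DLLName."""
    entries, current, pending = {}, None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if pending is not None:                 # continuation line of a hex value
            pending += line.rstrip("\\")
            if not line.endswith("\\"):
                entries[current] = decode_reg_value(pending)
                pending = None
            continue
        key = NOTIFY_KEY_RE.match(line)
        if key:
            current = key.group(1)              # None for the parent key itself
            continue
        dll = DLLNAME_RE.match(line)
        if dll and current:
            value = dll.group(1)
            if value.endswith("\\"):            # hex value continues on the next line
                pending = value[:-1]
            else:
                entries[current] = decode_reg_value(value)
    return entries


def assess(entries):
    """Return [(subkey, dll, reasons)]; an empty reasons list means 'known default'."""
    findings = []
    for subkey, dll in entries.items():
        base = dll.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if base not in XP_DEFAULT_NOTIFY_DLLS:
            reasons.append("not a default XP notification package")
            stem = base.rsplit(".", 1)[0]
            if RANDOM_STEM_RE.match(stem) and sum(c.isdigit() for c in stem) >= 2:
                reasons.append("random-looking file name")
            if "\\" in dll or "/" in dll:
                reasons.append("registered by absolute path (defaults use bare names)")
        findings.append((subkey, dll, reasons))
    return findings


def suspicious(entries):
    return [finding for finding in assess(entries) if finding[2]]


if __name__ == "__main__":
    for subkey, dll, reasons in assess(parse_notify_export(SAMPLE_EXPORT)):
        status = "SUSPICIOUS" if reasons else "default"
        print(f"{status:10s} Notify\\{subkey:<14s} {dll}  {'; '.join(reasons)}")
```

Run against an export taken after each reboot, the file name under `policies` changes every time, but the subkey keeps tripping all three checks; that is the stable indicator the reply above describes, and the reason the key rather than the file is what to remove.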
#12
Hello everyone,

I'm already somewhat desperate, since my PC shows the same symptoms (spyspotter popups). Unfortunately I can't get along with the recommended cleaning software "l2mfix". I'm asking for your help, since the explanations in the program are extremely meager to poor. THANKS in advance for any help!!

Here is my l2mfix report log (I managed that much at least, hehe):

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften für Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite für Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitätsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung für Datenträgerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen für Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen für die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung für Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmenü für die Verschlüsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung für HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen für Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknüpfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmenü"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausführen..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" 
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst" "{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begráungsbildschirm" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" 
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzgen ber das Internet" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknpfung" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" 
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..." 
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer" "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu" "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip" "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension" "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension" "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension" "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="aý Context Menu Shell Extension" "{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universelle Plug & Play-Ger„te" "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler" "{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx" 
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension" "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu" ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ bassmod.dll Sat 22 Oct 2005 14:41:26 A.... 34.308 33,50 K browseui.dll Sat 3 Sep 2005 0:53:20 A.... 1.019.904 996,00 K cdfview.dll Sat 3 Sep 2005 0:53:20 A.... 152.064 148,50 K cdosys.dll Sat 10 Sep 2005 2:54:28 A.... 2.067.968 1,97 M danim.dll Sat 3 Sep 2005 0:53:20 A.... 1.055.744 1,00 M dpl100.dll Sun 18 Sep 2005 18:48:04 A.... 86.016 84,00 K dxtrans.dll Sat 3 Sep 2005 0:53:22 A.... 205.312 200,50 K extmgr.dll Sat 3 Sep 2005 0:53:22 ..... 55.808 54,50 K gdi32.dll Thu 6 Oct 2005 4:18:12 A.... 280.064 273,50 K iepeers.dll Sat 3 Sep 2005 0:53:22 A.... 251.392 245,50 K inseng.dll Sat 3 Sep 2005 0:53:22 A.... 96.768 94,50 K linkinfo.dll Thu 1 Sep 2005 2:44:42 A.... 19.968 19,50 K mshtml.dll Tue 4 Oct 2005 16:26:02 A.... 3.013.120 2,87 M mshtmled.dll Sat 3 Sep 2005 0:53:22 A.... 448.512 438,00 K msmpide.dll Mon 19 Sep 2005 9:41:44 A.... 23.552 23,00 K msrating.dll Sat 3 Sep 2005 0:53:22 A.... 146.432 143,00 K mstime.dll Sat 3 Sep 2005 0:53:22 A.... 530.432 518,00 K netman.dll Mon 22 Aug 2005 19:31:48 A.... 197.632 193,00 K pngfilt.dll Sat 3 Sep 2005 0:53:22 A.... 39.424 38,50 K ps5ui.dll Mon 19 Sep 2005 9:41:32 A.... 130.560 127,50 K pscript5.dll Mon 19 Sep 2005 9:41:32 A.... 455.168 444,50 K quartz.dll Tue 30 Aug 2005 4:55:36 A.... 1.292.800 1,23 M shdocvw.dll Sat 3 Sep 2005 0:53:22 A.... 1.484.288 1,41 M shell32.dll Fri 23 Sep 2005 4:06:22 A.... 8.491.520 8,10 M shlwapi.dll Sat 3 Sep 2005 0:53:22 A.... 474.112 463,00 K umpnpmgr.dll Tue 23 Aug 2005 4:39:58 A.... 124.416 121,50 K urlmon.dll Sat 3 Sep 2005 0:53:22 A.... 605.696 591,50 K vbxml.dll Mon 19 Sep 2005 9:42:10 A.... 
#13

Internet Explorer simply opens pages

Hello,

start a new thread with your HijackThis logfile; I cannot find any indication of look2me in your log.

Regards
Wildone