Log files for HijackThis and CoolWebShredder

  • #1
antares (member, thread starter)
Hi!

I downloaded both tools because my start page keeps changing too..... I'm now posting both of my log files here, because I don't know which files I'm really allowed to delete and which ones my system needs.

Thanks


Logfile of HijackThis v1.97.7
Scan saved at 16:31:52, on 13.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\services\services.exe
C:\software\tools\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\software\tools\dsl_fritz\Awatch.exe
C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
C:\Programme\Lexmark X74-X75\lxbbbmon.exe
C:\software\tools\itools\iTunesHelper.exe
C:\Programme\AVWin\AVGNT.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Messenger\msmsgs.exe
C:\software\adobe\Acrobat\Distillr\AcroTray.exe
C:\Programme\AVWin\AVGUARD.EXE
C:\Programme\AVWin\AVWUPSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Norton Internet Security\NISUM.EXE
D:\Veronika\privat\down\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //www.couldnotfind.com/search_page.html?&account_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http: //www.couldnotfind.com/search_page.html?&account_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http: //www.coolsearch.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http: //www.couldnotfind.com/search_page.html?&account_id=137837
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http: //4-counter.com/?a=2&b=cr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //4-counter.com/?a=2&b=cr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http: //4-counter.com/?a=2&b=cr
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http: //4-counter.com/?a=2&b=cr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http: //www.coolsearch.biz
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - c:\software\tools\ws_ftp_pro\wsbho2K0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\software\office\WordPerfect Office 11\Programs\QFSCHD110.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\software\tools\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AWatch] c:\software\tools\dsl_fritz\Awatch.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\software\tools\quicktime\qttask.exe -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\software\tools\itools\iTunesHelper.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVWin\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVWUpd32] C:\PROGRA~1\AVWin\Avwupd32.EXE /min
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Programme\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\software\adobe\Acrobat\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\software\office\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Recherchieren (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http:// w*w.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE37EAA9-A3C3-4462-9867-4CF3FBA9CED2}: NameServer = 192.168.122.252,192.168.122.253




CWShredder v1.56.2 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Dokumente und Einstellungen\<User>\Anwendungsdaten
Username:

Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http:// 4-counter.com/?a=2&b=cr
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http:// w*w.couldnotfind.com/search_page.html?&account_id=137837
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http:// w*w.couldnotfind.com/search_page.html?&account_id=137837
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http:// 4-counter.com/?a=2&b=cr
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http:// 4-counter.com/?a=2&b=cr
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: http:// w*w.couldnotfind.com/search_page.html?&account_id=137837
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: http:// 4-counter.com/?a=2&b=cr
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL
Infected data: http:// 4-counter.com/?a=2&b=cr
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (55 bytes, A)
CWS.Yexe Registry value: HKCU\..\Run [xpsystem] C:\WINDOWS\System32\services\services.exe
CWS.Yexe Registry value: HKLM\..\Run [xpsystem] C:\WINDOWS\System32\services\services.exe
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found CWS.Olehelp file: C:\WINDOWS\system32\olehelp.exe (0 bytes, A)
Found CWS.Yexe file: C:\WINDOWS\system32\services\services.exe (47616 bytes, A, running)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (550 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (296 bytes, A)
CWS.Yexe Registry key: HKLM\..\BHOs\{5321E378-FFAD-4999-8C62-03CA8155F0B3}

- END OF REPORT -


Links edited
 
  • #2
My advice to you: let CoolWebShredder do its job first, then scan your system again with HijackThis and post the log again.
Otherwise this just turns into a muddle. ;)
 
  • #3
OK, I let CoolWebShredder run and then ran HijackThis again.

The file that came out after the WebShredder run had this content:

Done!
Removed from your system:
- CWS.Yexe
- 8 infected IE registry values

Windows XP (5.01.2600 SP1)
CWShredder v1.56.2
Written by Merijn - [email protected]

For any additional help with this program or removing CWS, visit:
http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.spywareinfo.com/~merijn/cwschronicles.html

For donations to help support CWShredder, visit:
http://www.spywareinfo.com/~merijn/donate.html



And here is the new log file:

Logfile of HijackThis v1.97.7
Scan saved at 21:56:13, on 13.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\software\tools\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\software\tools\dsl_fritz\Awatch.exe
C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
C:\software\tools\itools\iTunesHelper.exe
C:\Programme\AVWin\AVGNT.EXE
C:\Programme\Lexmark X74-X75\lxbbbmon.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Messenger\msmsgs.exe
C:\software\adobe\Acrobat\Distillr\AcroTray.exe
C:\Programme\AVWin\AVGUARD.EXE
C:\Programme\AVWin\AVWUPSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Norton Internet Security\NISUM.EXE
D:\Veronika\privat\down\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http: //www.coolsearch.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http: //www.coolsearch.biz
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - c:\software\tools\ws_ftp_pro\wsbho2K0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\software\office\WordPerfect Office 11\Programs\QFSCHD110.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\software\tools\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AWatch] c:\software\tools\dsl_fritz\Awatch.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\software\tools\quicktime\qttask.exe -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\software\tools\itools\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVWin\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVWUpd32] C:\PROGRA~1\AVWin\Avwupd32.EXE /min
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Programme\Messenger\msmsgs.exe /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\software\adobe\Acrobat\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\software\office\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Recherchieren (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http:// w*w.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE37EAA9-A3C3-4462-9867-4CF3FBA9CED2}: NameServer = 192.168.122.252,192.168.122.253


Links edited
 
  • #4
antares wrote:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http: //www.coolsearch.biz
fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http: //www.coolsearch.biz
fix

F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
looks suspicious to me ???

O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
fix

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
Dialer :(

O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http:// w*w.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
TrojanDownloader :mad:


pan_fee
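A small triage script for HijackThis lines of the kind pan_fee picked out above, written as an added example for this thread (it is not part of any post, nor HijackThis's or CWShredder's own code). The sample lines are copied from the first log in the thread; the allowlists of expected homepage domains and ActiveX vendor domains are assumptions made for the illustration.

```python
"""Triage helper for HijackThis v1.97-style log lines (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Excerpt copied from the first HijackThis log posted in this thread. The forum
# defanged the URLs by inserting a space after "http:"; refang_url() reverses that.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //www.couldnotfind.com/search_page.html?&account_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http: //www.coolsearch.biz
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
"""

# Assumed allowlists for this illustration; a real analyst fills them from the
# user's known homepage and the ActiveX vendors actually in use on the machine.
EXPECTED_HOMEPAGE_DOMAINS = {"msn.com", "microsoft.com", "google.de"}
TRUSTED_DPF_DOMAINS = {"apple.com", "symantec.com", "macromedia.com", "microsoft.com"}
# Core Windows binaries that malware likes to imitate by name from another
# directory (the thread's CWS.Yexe sample: System32\services\services.exe).
CORE_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


def refang_url(url):
    """Undo the forum's 'http: //' defanging so urlparse sees a normal URL."""
    return re.sub(r"^(https?:)\s+//", r"\1//", url.strip())


def domain_allowed(host, allowlist):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


def masquerades_as_system_binary(command):
    """True if the launched .exe carries a core-binary name but lives outside the real system dirs."""
    m = re.match(r'(?i)^"?(?P<exe>.*?\.exe)', command.strip())
    if not m:
        return False
    directory, _, name = m.group("exe").lower().rpartition("\\")
    return name in CORE_BINARIES and directory not in SYSTEM_DIRS


def check_entry(section, body):
    """Return a finding string for one log entry, or None if nothing stands out."""
    if section in ("R0", "R1"):
        _key, _, url = body.partition(" = ")
        host = urlparse(refang_url(url)).hostname
        if url and not domain_allowed(host, EXPECTED_HOMEPAGE_DOMAINS):
            return "IE start/search page points to unexpected host " + str(host)
    elif section == "F1" and "run=" in body and body.split("run=", 1)[1].strip():
        return "legacy win.ini run= autostart (rarely legitimate on XP): " + body
    elif section == "O2" and body.endswith("(no file)"):
        return "orphaned BHO registration with no backing file"
    elif section == "O4":
        m = re.search(r"\[[^\]]*\]\s*(?P<cmd>.*)", body) or re.search(r"=\s*(?P<cmd>.*)", body)
        if m and masquerades_as_system_binary(m.group("cmd")):
            return "autostart runs a look-alike of a core system binary: " + m.group("cmd")
    elif section == "O10" and body.startswith("Broken Internet access"):
        return "LSP chain broken (a removed provider left a dangling entry)"
    elif section == "O16":
        parsed = urlparse(refang_url(body.rpartition(" - ")[2]))
        if parsed.scheme not in ("http", "https"):
            return "ActiveX download uses non-HTTP scheme " + repr(parsed.scheme)
        if not domain_allowed(parsed.hostname, TRUSTED_DPF_DOMAINS):
            return "ActiveX download from unlisted host " + str(parsed.hostname)
    return None


def analyze(log_text):
    """Parse every R/F/O entry and collect (section, finding) pairs in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank, or 'Running processes' lines
        finding = check_entry(m.group("section"), m.group("body"))
        if finding:
            findings.append((m.group("section"), finding))
    return findings


if __name__ == "__main__":
    for section, finding in analyze(SAMPLE_LOG):
        print(section, "-", finding)
```

Entries the script leaves silent (the Norton BHO, ccApp, the Apple QuickTime control) are the ones pan_fee also left alone; the flagged ones line up with the start page hijack, the win.ini entry, the dangling LSP and the two O16 downloads.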
 
  • #5
So, here's the new log file from HiJack after I deleted the files:


Logfile of HijackThis v1.97.7

Scan saved at 22:27:39, on 13.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\AVWin\AVGUARD.EXE
C:\Programme\AVWin\AVWUPSRV.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\software\tools\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\software\tools\dsl_fritz\Awatch.exe
C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
C:\Programme\Lexmark X74-X75\lxbbbmon.exe
C:\software\tools\itools\iTunesHelper.exe
C:\Programme\AVWin\AVGNT.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Messenger\msmsgs.exe
C:\software\adobe\Acrobat\Distillr\AcroTray.exe
C:\Programme\SpywareGuard\sgmain.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\SpywareGuard\sgbhp.exe
D:\Veronika\privat\down\HijackThis.exe

F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - c:\software\tools\ws_ftp_pro\wsbho2K0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\software\office\WordPerfect Office 11\Programs\QFSCHD110.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\software\tools\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AWatch] c:\software\tools\dsl_fritz\Awatch.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\software\tools\quicktime\qttask.exe -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\software\tools\itools\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVWin\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVWUpd32] C:\PROGRA~1\AVWin\Avwupd32.EXE /min
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Programme\Messenger\msmsgs.exe /background
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\software\adobe\Acrobat\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\software\office\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Recherchieren (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE37EAA9-A3C3-4462-9867-4CF3FBA9CED2}: NameServer = 192.168.122.252,192.168.122.253
 
  • #6
And here's the log file from Ad-aware as well (in two parts, because it's too long)

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Dienstag, 13. April 2004 22:15:37
Created with Ad-aware Personal, free for private use.
Using reference-file :01R217 08.09.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


13.04.2004 22:15:37 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 13.04.2004 19:19:19
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:19:22
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:19:22
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Anwendung f
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Betriebssystem Microsoft
Created on : 29.08.2002 12:00:00
Last accessed : 13.04.2004 19:16:20
Last modified : 29.08.2002 12:00:00

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:19:22
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 29.08.2002 12:00:00
Last accessed : 13.04.2004 20:15:37
Last modified : 29.08.2002 12:00:00

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:19:23
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29.08.2002 12:00:00
Last accessed : 13.04.2004 19:21:59
Last modified : 29.08.2002 12:00:00

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 13.04.2004 19:19:23
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29.08.2002 12:00:00
Last accessed : 13.04.2004 19:21:59
Last modified : 29.08.2002 12:00:00

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:19:24
BasePriority : Normal
FileSize : 296 KB
FileVersion : 7.4
ProductVersion : 7.4
Copyright : (C) 1993 - 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 14.10.2002 20:03:18
Last accessed : 13.04.2004 20:15:37
Last modified : 14.10.2002 20:03:18

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:19:24
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 29.08.2002 12:00:00
Last accessed : 13.04.2004 19:16:40
Last modified : 29.08.2002 12:00:00

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:19:24
BasePriority : Normal
FileSize : 170 KB
FileVersion : 7.4
ProductVersion : 7.4
Copyright : (C) 1993 - 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 14.10.2002 20:00:41
Last accessed : 13.04.2004 19:23:17
Last modified : 14.10.2002 20:00:41
 
  • #7
Part 2:


#:10 [ccevtmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ThreadCreationTime : 13.04.2004 19:19:24
BasePriority : Normal
FileSize : 313 KB
FileVersion : 1.05.2
ProductVersion : 1.05.2
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 24.03.2003 14:10:14
Last accessed : 13.04.2004 19:17:11
Last modified : 24.03.2003 14:10:14

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 13.04.2004 19:19:34
BasePriority : Normal
FileSize : 983 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Betriebssystem Microsoft
Created on : 29.08.2002 12:00:00
Last accessed : 13.04.2004 20:10:04
Last modified : 29.08.2002 12:00:00

#:12 [em_exec.exe]
FilePath : C:\software\tools\MOUSEW~1\SYSTEM\
ThreadCreationTime : 13.04.2004 19:19:34
BasePriority : Normal
FileSize : 28 KB
FileVersion : 9.70.216
ProductVersion : 9.70
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 27.12.2003 12:53:40
Last accessed : 13.04.2004 19:19:18
Last modified : 01.07.2002 08:50:00

#:13 [awatch.exe]
FilePath : C:\software\tools\dsl_fritz\
ThreadCreationTime : 13.04.2004 19:19:34
BasePriority : Normal
FileSize : 496 KB
FileVersion : 3.04.04
ProductVersion : 3.04.04
Copyright : Copyright
CompanyName : AVM Berlin
FileDescription : ADSLWatch
InternalName : ADSLWatch
OriginalFilename : AWatch.EXE
ProductName : ADSLWatch
Created on : 05.02.2004 12:03:32
Last accessed : 13.04.2004 20:13:58
Last modified : 10.06.2003 14:52:12

#:14 [lxbbbmgr.exe]
FilePath : C:\Programme\Lexmark X74-X75\
ThreadCreationTime : 13.04.2004 19:19:35
BasePriority : Normal
FileSize : 56 KB
FileVersion : 1.0.6.0
ProductVersion : 1.0.6.0
Copyright : (C) 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X74-X75 Button Manager
InternalName : lxbbbmgr.exe
OriginalFilename : lxbbbmgr.exe
ProductName : Button Manager Executable
Created on : 14.10.2002 20:12:33
Last accessed : 13.04.2004 19:19:18
Last modified : 14.10.2002 20:12:33

#:15 [ituneshelper.exe]
FilePath : C:\software\tools\itools\
ThreadCreationTime : 13.04.2004 19:19:35
BasePriority : Normal
FileSize : 224 KB
FileVersion : 4.2.0.72
ProductVersion : 4.2.0.72
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
OriginalFilename : iTunesHelper.exe
ProductName : iTunes
Created on : 23.12.2003 19:14:32
Last accessed : 13.04.2004 19:19:18
Last modified : 23.12.2003 19:14:32

#:16 [avgnt.exe]
FilePath : C:\Programme\AVWin\
ThreadCreationTime : 13.04.2004 19:19:35
BasePriority : Normal
FileSize : 144 KB
FileVersion : 6.24.02.00
ProductVersion : 6.24.02.00
Copyright : Copyright
CompanyName : H+BEDV Datentechnik GmbH
FileDescription : AntiVir Guard/XP Control Program
InternalName : AVGNT
OriginalFilename : AVGNT.EXE
ProductName : AntiVir Guard Control Program
Created on : 06.04.2004 12:39:16
Last accessed : 13.04.2004 19:19:35
Last modified : 06.04.2004 12:39:16

#:17 [lxbbbmon.exe]
FilePath : C:\Programme\Lexmark X74-X75\
ThreadCreationTime : 13.04.2004 19:19:35
BasePriority : Normal
FileSize : 48 KB
FileVersion : 1.0.6.0
ProductVersion : 1.0.6.0
Copyright : (C) 2002 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X74-X75 Button Monitor
InternalName : lxbbbmon.exe
OriginalFilename : lxbbbmon.exe
ProductName : Button Monitor Executable
Created on : 14.10.2002 20:22:04
Last accessed : 13.04.2004 19:19:18
Last modified : 14.10.2002 20:22:04

#:18 [ccapp.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ThreadCreationTime : 13.04.2004 19:19:35
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.9.002
ProductVersion : 1.0.9.002
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 11.04.2004 14:56:06
Last accessed : 13.04.2004 19:22:52
Last modified : 09.10.2003 08:26:52

#:19 [msmsgs.exe]
FilePath : C:\Programme\Messenger\
ThreadCreationTime : 13.04.2004 19:19:35
BasePriority : Normal
FileSize : 1476 KB
FileVersion : 4.7.0041
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2001
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 22.12.2003 18:04:55
Last accessed : 13.04.2004 19:22:50
Last modified : 20.08.2002 14:08:38

#:20 [acrotray.exe]
FilePath : C:\software\adobe\Acrobat\Distillr\
ThreadCreationTime : 13.04.2004 19:19:35
BasePriority : Normal
FileSize : 42 KB
Created on : 22.12.2003 19:53:07
Last accessed : 13.04.2004 19:19:18
Last modified : 24.03.1999 15:57:10

#:21 [avguard.exe]
FilePath : C:\Programme\AVWin\
ThreadCreationTime : 13.04.2004 19:21:35
BasePriority : Normal
FileSize : 204 KB
FileVersion : 6.24.02.00
ProductVersion : 6.24.02.00
Copyright : Copyright
CompanyName : H+BEDV Datentechnik GmbH
FileDescription : Antivirus Service for Windows XP/2000/NT
InternalName : NTGuard
OriginalFilename : Guard.exe
ProductName : Windows XP/2000/XP Guard Service
Created on : 11.03.2004 12:06:58
Last accessed : 13.04.2004 19:21:35
Last modified : 11.03.2004 12:06:58

#:22 [avwupsrv.exe]
FilePath : C:\Programme\AVWin\
ThreadCreationTime : 13.04.2004 19:21:36
BasePriority : Normal
FileSize : 28 KB
FileVersion : 6.23.01.00
ProductVersion : 6.23.01.00
Copyright : Copyright
CompanyName : H+BEDV Datentechnik GmbH, Germany
FileDescription : AntiVir Software Update Service for Windows
InternalName : AntiVir Update Service
OriginalFilename : AVWUpSrv.exe
ProductName : AntiVir Update Service for Windows NT
Created on : 09.04.2004 19:29:51
Last accessed : 13.04.2004 19:21:36
Last modified : 19.11.2003 11:39:50

#:23 [gearsec.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 13.04.2004 19:21:36
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
Copyright : Copyright
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
OriginalFilename : gearsec.exe
ProductName : gearsec
Created on : 03.11.2003 11:47:08
Last accessed : 13.04.2004 20:15:38
Last modified : 03.11.2003 11:47:08

#:24 [navapsvc.exe]
FilePath : C:\Programme\Norton AntiVirus\
ThreadCreationTime : 13.04.2004 19:21:36
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.10.1003
ProductVersion : 9.10.1003
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 25.03.2003 11:43:14
Last accessed : 13.04.2004 19:17:07
Last modified : 25.03.2003 11:43:14

#:25 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 13.04.2004 19:21:36
BasePriority : Normal
FileSize : 80 KB
FileVersion : 6.14.10.5214
ProductVersion : 6.14.10.5214
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.14
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 52.14
Created on : 22.12.2003 18:25:06
Last accessed : 13.04.2004 19:15:55
Last modified : 24.09.2003 17:32:00

#:26 [slserv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 13.04.2004 19:21:40
BasePriority : Normal
FileSize : 44 KB
FileVersion : 2.80.00(24Apr2000)
ProductVersion : 2.80.00
Copyright : Copyright
FileDescription : User-Level Modem Service
InternalName : slserv
OriginalFilename : slserv.exe
ProductName : Modem
Created on : 17.01.2003 00:02:38
Last accessed : 13.04.2004 19:16:24
Last modified : 17.01.2003 00:02:38

#:27 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 13.04.2004 19:21:40
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29.08.2002 12:00:00
Last accessed : 13.04.2004 19:21:59
Last modified : 29.08.2002 12:00:00

#:28 [ipodservice.exe]
FilePath : C:\Programme\iPod\bin\
ThreadCreationTime : 13.04.2004 19:21:54
BasePriority : Normal
FileSize : 408 KB
FileVersion : 4.2.0.72
ProductVersion : 4.2.0.72
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
OriginalFilename : iPodService.exe
ProductName : iTunes
Created on : 23.12.2003 19:14:32
Last accessed : 13.04.2004 19:18:14
Last modified : 23.12.2003 19:14:32

#:29 [nisum.exe]
FilePath : C:\Programme\Norton Internet Security\
ThreadCreationTime : 13.04.2004 19:22:41
BasePriority : Normal
FileSize : 137 KB
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
OriginalFilename : NISUM.exe
ProductName : Norton Internet Security
Created on : 24.03.2003 14:11:28
Last accessed : 13.04.2004 19:19:18
Last modified : 24.03.2003 14:11:28

#:30 [sgmain.exe]
FilePath : C:\Programme\SpywareGuard\
ThreadCreationTime : 13.04.2004 20:13:08
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 29.08.2003 17:05:35
Last accessed : 13.04.2004 20:13:57
Last modified : 29.08.2003 17:05:35

#:31 [sgbhp.exe]
FilePath : C:\Programme\SpywareGuard\
ThreadCreationTime : 13.04.2004 20:13:08
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 29.08.2003 09:14:56
Last accessed : 13.04.2004 20:12:58
Last modified : 29.08.2003 09:14:56

#:32 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-aware 6\
ThreadCreationTime : 13.04.2004 20:15:10
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 13.04.2004 20:14:52
Last accessed : 13.04.2004 20:15:10
Last modified : 12.07.2003 20:00:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : ISTactivex.Installer


istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\IST


Alexa Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 4


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : {EF86873F-04C2-4A95-A373-5703C08EFC7B} (http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab)

Possible Browser Hijack attempt Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EF86873F-04C2-4A95-A373-5703C08EFC7B}


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 5


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

istbar Object recognized!
Type : File
Data : istactivex.dll
Object : c:\windows\downloaded program files\
FileSize : 15 KB
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
Copyright : Copyright 2003
FileDescription : 1STactivex Module
InternalName : 1STactive_x
OriginalFilename : ISTact1vex.DLL
ProductName : ISTactivex Module
Created on : 22.03.2004 11:42:48
Last accessed : 13.04.2004 19:45:28
Last modified : 22.03.2004 11:42:48



istbar Object recognized!
Type : File
Data : istactivex.inf
Object : c:\windows\downloaded program files\

Created on : 17.03.2004 15:18:18
Last accessed : 13.04.2004 20:17:13
Last modified : 17.03.2004 15:18:18



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 7


22:17:14 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:36:78
Objects scanned :36716
Objects identified :7
Objects ignored :0
New objects :7
 
  • #9
antares wrote:
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
still looks suspicious to me ::)

Alexa Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
you can delete that one too, see here:
http://www.wintotal.de/Tipps/Eintrag.php?TID=384

istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : ISTactivex.Installer
istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\IST
ISTBAR TrojanDownloader:
http://www.pestpatrol.com/pestinfo/i/istbar.asp
get rid of it

Possible browser hijack attempt : {EF86873F-04C2-4A95-A373-5703C08EFC7B} (http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab)

Possible Browser Hijack attempt Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EF86873F-04C2-4A95-A373-5703C08EFC7B}
belongs to the TrojanDownloader (see above); delete the values in the registry.

istbar Object recognized!
Type : File
Data : istactivex.dll
Object : c:\windows\downloaded program files\
FileSize : 15 KB
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
Copyright : Copyright 2003
FileDescription : 1STactivex Module
InternalName : 1STactive_x
OriginalFilename : ISTact1vex.DLL
ProductName : ISTactivex Module
Created on : 22.03.2004 11:42:48
Last accessed : 13.04.2004 19:45:28
Last modified : 22.03.2004 11:42:48
istbar Object recognized!
Type : File
Data : istactivex.inf
Object : c:\windows\downloaded program files\

Created on : 17.03.2004 15:18:18
Last accessed : 13.04.2004 20:17:13
Last modified : 17.03.2004 15:18:18
Istbar is still in the "Downloaded Program Files" folder (C:\WINDOWS\Downloaded Program Files); delete it, then search for istactivex.dll and/or ISTact1vex.dll and istactivex.inf and delete those as well.


pan_fee
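The triage pan_fee does by hand above, as an added example that is not part of the thread: a small Python parser for the Ad-aware 6 log layout shown in this thread, which pulls every "Object recognized!" entry out of the text, ignores the scan summaries, and splits the hits into registry keys and files to remove. The log excerpt inside the block is constructed from the entries quoted above.

```python
import re
# Constructed excerpt in the Ad-aware 6 log layout seen in this thread.
SAMPLE_LOG = """\
Possible Browser Hijack attempt Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{EF86873F-04C2-4A95-A373-5703C08EFC7B}

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1

istbar Object recognized!
Type : File
Data : istactivex.dll
Object : c:\\windows\\downloaded program files\\
FileSize : 15 KB
"""
HEADER = re.compile(r"^(?P<family>.+?) Object recognized!$")
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?) : ?(?P<val>.*)$")

def parse_adaware_log(text: str) -> list:
    """Collect 'X Object recognized!' entries as dicts; summary blocks are skipped."""
    findings, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            cur = {"family": m["family"], "kind": "", "fields": {}}
            findings.append(cur)
        elif not line or cur is None:
            continue                          # blank lines can sit inside an entry
        elif m := FIELD.match(line):
            if m["key"] == "Type":
                cur["kind"] = m["val"]
            elif m["val"]:                    # bare 'Data :' separators carry nothing
                cur["fields"][m["key"]] = m["val"]
        else:
            cur = None                        # separator/summary text ends the entry
    return findings

def location(f: dict) -> str:
    """Rootkey\\Object for registry hits, directory + file name for file hits."""
    if f["kind"].startswith("Reg"):
        return f["fields"].get("Rootkey", "") + "\\" + f["fields"].get("Object", "")
    return f["fields"].get("Object", "") + f["fields"].get("Data", "")

def cleanup_checklist(findings: list) -> dict:
    """Registry keys vs. files: the same split the cleanup advice in this thread makes."""
    return {"registry": [location(f) for f in findings if f["kind"].startswith("Reg")],
            "files": [location(f) for f in findings if not f["kind"].startswith("Reg")]}
```

Paste a full Ad-aware log into `parse_adaware_log` to get the same checklist for every hit, including the `RegData` entries that only name a value.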
 
  • #11
hi antares,

PCDpan_fee wrote:
antares wrote:
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
still looks suspicious to me ::)

open win.ini and remove this entry, otherwise fixing it does nothing. ;) pan_fee has already told you everything else.

this entry belongs to the adware category

also search your system for a .dll named roughly like this: 1.01.00.dll

for more information, look here: http://sarc.com/avcenter/venc/data/adware.replace.html or here: http://www.kephyr.com/filedb/index.php?viewtopic=SERVICES.EXE and here: http://www.kephyr.com/spywarescanner/library/coolwebsearch.xpsystem/index.phtml
 
  • #12
bumping the thread again, since I did edit something after all. ;)
 