
Topic: annoying popups

  1. #1
    Beginner
    Joined
    05.02.2006
    Posts
    7

    annoying popups

    Hello. Yesterday I caught some trojan or other and deleted it with AV. Since then I have been fighting hundreds of popups, even though AV and Spy Sweeper no longer find anything.
    So, here is my log file... what can I do???


    Logfile of HijackThis v1.99.1
    Scan saved at 20:20:32, on 05.02.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\AntiVir PersonalEdition Classic\sched.exe
    C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Programme\DCPFLICS\DCPFLICS.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
    C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
    D:\Programme\Adobe Acrobat 6.0\Distillr\acrotray.exe
    C:\Programme\Java\jre1.5.0_05\bin\jucheck.exe
    C:\hijack\HijackThis.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programme\Gemeinsame Dateien\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Office 2000\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111443859092
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\t8r8li9u18.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: DCPFLICS - Unknown owner - C:\Programme\DCPFLICS\DCPFLICS.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Programme\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    thx.

  2. #2
    Honorary Member Speedy
    Joined
    07.08.2004
    Location
    Linz
    Posts
    23.583

    Re: annoying popups

    Hi, we currently use 2 different removers for Look2Me.

    First, please run this remover and post the log file.

    After that, run this remover following these instructions:

    Create a new folder --> c:\look2mefix
    Download l2mfix.exe (Look2Me-Fix) into this folder.
    Unpack the program in this folder.
    From the new folder c:\look2mefix\l2mfix\ select the file l2mfix.bat (or "MS-DOS batch file") and open it with a double-click.
    A DOS window opens; wait until nothing changes any more, then press any key.
    Now the selection menu opens; please press 1, the system is scanned and a log file is created, please post it. (Caution: do not use any file from the folder c:\look2mefix unless asked to.)

    Start the program again, close all other programs and now choose 2; the computer is now cleaned of this malware and restarted (that is why all programs should be closed).

    Post this log file.

    Now start the program for the last time, choose 4, and post this log file too.
    Feedback appreciated: did the remover from simplytech already remove everything, did popups still appear afterwards, or only after Look2Me?
    After that post a new HJT log file and
    download CCleaner, install it, start it -> under Options, Settings -> set German, then clean your system with it (Windows, Applications, Registry) (quick tour and screenshots), check the temp folders, empty them in Safe Mode if necessary, and empty the Recycle Bin.
    Download datfindbat, run it according to the instructions and post the contents of the log files it creates (that will be 4 of them, though for c:\windows\system32 only the last 30 days should be posted).
    Regards

  3. #3
    Beginner
    Joined
    05.02.2006
    Posts
    7

    Re: annoying popups

    Hello. So I ran the Look2Me scan; here is the log file:

    21:10:22 -> Start scanning procedures...
    21:10:22 -> Suspected Registry Key found. Key added to list.
    21:10:22 -> Start checking running tasks...
    21:10:51 -> Malware found in memory: t8r8li9u18.dll,guard.tmp, (belonging to category: Look2Me)
    21:11:15 -> End of the scan process. Now delete the keys found!!
    21:12:04 -> Infestation has been found. You have to delete the selected keys.

  4. #4
    Beginner
    Joined
    05.02.2006
    Posts
    7

    Re: annoying popups

    And here is the first log file from look2mefix:

    L2MFIX find log 1.03
    These are the registry keys present
    ******************************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
    "Asynchronous"=dword:00000000
    "DllName"="WRLogonNTF.dll"
    "Impersonate"=dword:00000001
    "Lock"="WRLock"
    "StartScreenSaver"="WRStartScreenSaver"
    "StartShell"="WRStartShell"
    "Startup"="WRStartup"
    "StopScreenSaver"="WRStopScreenSaver"
    "Unlock"="WRUnlock"
    "Shutdown"="WRShutdown"
    "Logoff"="WRLogoff"
    "Logon"="WRLogon"

    ******************************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{0220216E-3768-E675-B369-EBCB937C9F19}"=""

    ******************************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Eigenschaften für Multimediadatei"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite für Dokumente"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Grafikkarten"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Bildschirme"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Anzeigeverschiebung"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitätsseite"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung für Datenträgerkopien"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen für Microsoft Windows-Netzwerkobjekte"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen für die Dateikomprimierung"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung für Webdrucker"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmenü für die Verschlüsselung"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung für HyperTerminal-Icons"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen für Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknüpfung"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmenü"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausführen..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begrüßungsbildschirm"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzügen über das Internet"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknüpfung"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
    "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
    "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
    "{36A21736-36C2-4C11-8ACB-D4136F2B57BD}"="AutoCAD Digital Signatures Icon Overlay Handler"
    "{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}"="Autodesk Drawing Preview"
    "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{C81DCBCA-8AE2-41FC-9C39-78B160393210}"="RhinoShExt"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{6DEA92E9-8682-4b6a-97DE-354772FE5727}"="Autodesk DWF Preview"
    "{C56324E0-F41F-4E24-9502-CD85A5B3A9F1}"=""
    "{B2200816-890B-4F4A-A919-54131ECE44FF}"=""
    "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"="Shell Extension for Malware scanning"
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

    ******************************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{B2200816-890B-4F4A-A919-54131ECE44FF}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B2200816-890B-4F4A-A919-54131ECE44FF}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B2200816-890B-4F4A-A919-54131ECE44FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    ******************************************************************************************
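    The entry the helper is hunting in both logs is the Winlogon Notify package: the "O20 - Winlogon Notify: ShellCompatibility" line in post #1 points at a randomly named DLL in system32, and post #4's registry export is the same key dumped as a .reg file (with DllName sometimes stored as hex(2), i.e. UTF-16LE). As an added example, not part of the thread or of HijackThis/L2MFIX, the Python below parses both formats, decodes the hex(2) values, and flags any package that is neither one of Windows' own notification DLLs nor the Spy Sweeper hook the thread treats as legitimate. The allowlists are my assumption drawn from the posted export, the samples are constructed from the posted logs, and the ShellCompatibility registry entry in the sample is a constructed addition (the posted export did not contain it).

```python
"""Winlogon\\Notify triage over the two log formats posted in this thread (added example)."""
import re

# Notification packages that ship with Windows XP, as listed in the posted export. This
# allowlist is an assumption of this example, not something HijackThis or L2MFIX provides.
KNOWN_WINDOWS_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
# Third-party hook the thread identifies as legitimate (Webroot Spy Sweeper's logon notifier).
KNOWN_THIRD_PARTY_DLLS = {"wrlogonntf.dll"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?\s*$", re.M)


def decode_reg_hex2(value: str) -> str:
    """Decode a .reg 'hex(2):63,00,72,...' value (REG_EXPAND_SZ stored as UTF-16LE) to text.
    Forum wrapping inserts stray spaces and .reg continues long values with a trailing
    backslash, so whitespace and backslashes are stripped before decoding."""
    body = re.sub(r"[\s\\]", "", value.split(":", 1)[1])
    raw = bytes(int(pair, 16) for pair in body.split(",") if pair)
    return raw.decode("utf-16-le").rstrip("\x00")


def looks_generated(dll: str) -> bool:
    """Cheap heuristic for Look2Me-style names such as t8r8li9u18.dll: several digits, or no
    vowels at all. The allowlists are the real check; this only annotates the verdict."""
    stem = dll.lower().rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiouy" for c in stem)
    return digits >= 3 or (len(stem) >= 6 and vowels == 0)


def parse_hjt_o20(log: str) -> list:
    """Extract Winlogon Notify entries from HijackThis 'O20' lines."""
    return [{"source": "hjt", "subkey": m.group(1), "dll": m.group(2).rsplit("\\", 1)[-1],
             "missing": m.group(3) is not None} for m in O20_RE.finditer(log)]


def parse_reg_notify(export: str) -> list:
    """Extract subkey -> DllName from a .reg export of Winlogon\\Notify (plain or hex(2))."""
    joined = re.sub(r"\\\r?\n\s*", "", export)  # rejoin .reg continuation lines
    entries, subkey = [], None
    for line in joined.splitlines():
        key = re.match(r"^\s*\[.*\\Winlogon\\Notify\\([^\]]+)\]\s*$", line, re.I)
        if key:
            subkey = key.group(1)
            continue
        val = re.match(r'^\s*"DllName"=(.+)$', line, re.I)
        if val and subkey:
            v = val.group(1).strip()
            dll = decode_reg_hex2(v) if v.lower().startswith("hex(2):") else v.strip('"')
            entries.append({"source": "reg", "subkey": subkey,
                            "dll": dll.rsplit("\\", 1)[-1], "missing": False})
    return entries


def assess(entries: list) -> list:
    """Return (source, subkey, dll, verdict) per entry; UNKNOWN packages are the ones to review."""
    findings = []
    for e in entries:
        dll = e["dll"].lower()
        if dll in KNOWN_WINDOWS_DLLS:
            verdict = "known Windows package"
        elif dll in KNOWN_THIRD_PARTY_DLLS:
            verdict = "known third-party package"
        else:
            verdict = "UNKNOWN package, review"
            if looks_generated(dll):
                verdict += " (random-looking name, Look2Me pattern)"
        if e["missing"]:
            verdict += "; file missing on disk"
        findings.append((e["source"], e["subkey"], e["dll"], verdict))
    return findings


def flagged(findings: list) -> list:
    """Only the findings a helper would act on."""
    return [f for f in findings if "UNKNOWN" in f[3] or "missing" in f[3]]


# Constructed sample: the two O20 lines from the HijackThis log in post #1.
HJT_SAMPLE = r"""O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\t8r8li9u18.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Constructed sample: abridged from the L2MFIX export in post #4 (keeping the forum-inserted
# space in "2 e"), plus a ShellCompatibility entry that the posted export did not contain.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2 e,00,64,00,6c,00,\
6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"DllName"=hex(2):74,00,38,00,72,00,38,00,6c,00,69,00,39,00,75,00,31,00,38,00,2e,00,64,00,6c,00,6c,00,00,00
"""

if __name__ == "__main__":
    for src, subkey, dll, verdict in assess(parse_hjt_o20(HJT_SAMPLE) + parse_reg_notify(REG_SAMPLE)):
        print(f"[{src}] {subkey:<20} {dll:<16} {verdict}")
```

    Run against a real HijackThis log and a fresh export of the Notify key, anything reported as UNKNOWN is exactly what the helper asks the poster to look at next.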

  5. #5
    Beginner
    Joined
    05.02.2006
    Posts
    7

    Re: annoying popups

    And now log file no. 2:

    L2Mfix 1.03

    Running From:
    C:\l2mfix.exe\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-NI) ALLOW Read VORDEFINIERT\Benutzer
    (ID-IO) ALLOW Read VORDEFINIERT\Benutzer
    (ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
    (ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
    (ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
    (ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
    (ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-IO) ALLOW Full access ERSTELLER-BESITZER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C(CI) access for predefined group "Administrators"
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- VORDEFINIERT\Administratoren
    (NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-NI) ALLOW Read VORDEFINIERT\Benutzer
    (ID-IO) ALLOW Read VORDEFINIERT\Benutzer
    (ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
    (ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
    (ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
    (ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
    (ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-IO) ALLOW Full access ERSTELLER-BESITZER



    Setting up for Reboot


    Starting Reboot!

    C:\l2mfix.exe\l2mfix
    System Rebooted!

    Running From:
    C:\l2mfix.exe\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 1776 'explorer.exe'
    Killing PID 1776 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 244 'rundll32.exe'

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\enn8l15u1.dll
    1 Datei(en) kopiert.
    Backing Up: C:\WINDOWS\system32\kfdazel.dll
    1 Datei(en) kopiert.
    Backing Up: C:\WINDOWS\system32\ksdmac.dll
    1 Datei(en) kopiert.
    Backing Up: C:\WINDOWS\system32\oibc16gt.dll
    1 Datei(en) kopiert.
    Backing Up: C:\WINDOWS\system32\qcartz.dll
    1 Datei(en) kopiert.
    Backing Up: C:\WINDOWS\system32\tlolhelp.dll
    1 Datei(en) kopiert.
    Backing Up: C:\WINDOWS\system32\guard.tmp
    1 Datei(en) kopiert.
    deleting: C:\WINDOWS\system32\enn8l15u1.dll
    Successfully Deleted: C:\WINDOWS\system32\enn8l15u1.dll
    deleting: C:\WINDOWS\system32\kfdazel.dll
    Successfully Deleted: C:\WINDOWS\system32\kfdazel.dll
    deleting: C:\WINDOWS\system32\ksdmac.dll
    Successfully Deleted: C:\WINDOWS\system32\ksdmac.dll
    deleting: C:\WINDOWS\system32\oibc16gt.dll
    Successfully Deleted: C:\WINDOWS\system32\oibc16gt.dll
    deleting: C:\WINDOWS\system32\qcartz.dll
    Successfully Deleted: C:\WINDOWS\system32\qcartz.dll
    deleting: C:\WINDOWS\system32\tlolhelp.dll
    Successfully Deleted: C:\WINDOWS\system32\tlolhelp.dll
    deleting: C:\WINDOWS\system32\guard.tmp
    Successfully Deleted: C:\WINDOWS\system32\guard.tmp


    Zipping up files for submission:
    adding: enn8l15u1.dll (188 bytes security) (deflated 4%)
    adding: kfdazel.dll (188 bytes security) (deflated 5%)
    adding: ksdmac.dll (188 bytes security) (deflated 4%)
    adding: oibc16gt.dll (188 bytes security) (deflated 5%)
    adding: qcartz.dll (188 bytes security) (deflated 4%)
    adding: tlolhelp.dll (188 bytes security) (deflated 4%)
    adding: guard.tmp (188 bytes security) (deflated 5%)
    adding: clear.reg (188 bytes security) (deflated 37%)
    adding: echo.reg (188 bytes security) (deflated 10%)
    adding: direct.txt (188 bytes security) (deflated 18%)
    adding: lo2.txt (188 bytes security) (deflated 78%)
    adding: readme.txt (188 bytes security) (deflated 49%)
    adding: report.txt (188 bytes security) (deflated 63%)
    adding: test.txt (188 bytes security) (deflated 66%)
    adding: test2.txt (188 bytes security) (deflated 17%)
    adding: test3.txt (188 bytes security) (deflated 17%)
    adding: test5.txt (188 bytes security) (deflated 17%)
    adding: xfind.txt (188 bytes security) (deflated 59%)
    adding: backregs/B2200816-890B-4F4A-A919-54131ECE44FF.reg (188 bytes security) (deflated 69%)
    adding: backregs/shell.reg (188 bytes security) (deflated 73%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for predefined group "Administrators"
    Inherited ACE can not be revoked here!
    Inherited ACE can not be revoked here!


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-NI) ALLOW Read VORDEFINIERT\Benutzer
    (ID-IO) ALLOW Read VORDEFINIERT\Benutzer
    (ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
    (ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
    (ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
    (ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
    (ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
    (ID-IO) ALLOW Full access ERSTELLER-BESITZER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

    deleting local copy: enn8l15u1.dll
    deleting local copy: kfdazel.dll
    deleting local copy: ksdmac.dll
    deleting local copy: oibc16gt.dll
    deleting local copy: qcartz.dll
    deleting local copy: tlolhelp.dll
    deleting local copy: guard.tmp

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
    "Asynchronous"=dword:00000000
    "DllName"="WRLogonNTF.dll"
    "Impersonate"=dword:00000001
    "Lock"="WRLock"
    "StartScreenSaver"="WRStartScreenSaver"
    "StartShell"="WRStartShell"
    "Startup"="WRStartup"
    "StopScreenSaver"="WRStopScreenSaver"
    "Unlock"="WRUnlock"
    "Shutdown"="WRShutdown"
    "Logoff"="WRLogoff"
    "Logon"="WRLogon"


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\enn8l15u1.dll
    C:\WINDOWS\system32\kfdazel.dll
    C:\WINDOWS\system32\ksdmac.dll
    C:\WINDOWS\system32\oibc16gt.dll
    C:\WINDOWS\system32\qcartz.dll
    C:\WINDOWS\system32\tlolhelp.dll
    C:\WINDOWS\system32\guard.tmp

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{C56324E0-F41F-4E24-9502-CD85A5B3A9F1}"=-
    "{B2200816-890B-4F4A-A919-54131ECE44FF}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{C56324E0-F41F-4E24-9502-CD85A5B3A9F1}]
    [-HKEY_CLASSES_ROOT\CLSID\{B2200816-890B-4F4A-A919-54131ECE44FF}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    ****************************************************************************
    

  6. #6
    Beginner
    Registered since
    05.02.2006
    Posts
    7

    Re: annoying popups

    and now the logfile after I pressed 4:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
    "Asynchronous"=dword:00000000
    "DllName"="WRLogonNTF.dll"
    "Impersonate"=dword:00000001
    "Lock"="WRLock"
    "StartScreenSaver"="WRStartScreenSaver"
    "StartShell"="WRStartShell"
    "Startup"="WRStartup"
    "StopScreenSaver"="WRStopScreenSaver"
    "Unlock"="WRUnlock"
    "Shutdown"="WRShutdown"
    "Logoff"="WRLogoff"
    "Logon"="WRLogon"

  7. #7
    Beginner
    Registered since
    05.02.2006
    Posts
    7

    Re: annoying popups

    and the HijackThis log afterwards....

    Logfile of HijackThis v1.99.1
    Scan saved at 21:28:35, on 05.02.2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
    C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Programme\Java\jre1.5.0_05\bin\jucheck.exe
    C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
    D:\Programme\Adobe Acrobat 6.0\Distillr\acrotray.exe
    C:\Programme\AntiVir PersonalEdition Classic\sched.exe
    C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Programme\DCPFLICS\DCPFLICS.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Programme\Mozilla Firefox\firefox.exe
    C:\hijack\HijackThis.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programme\Gemeinsame Dateien\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Office 2000\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111443859092
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: DCPFLICS - Unknown owner - C:\Programme\DCPFLICS\DCPFLICS.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Programme\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  8. #8
    Beginner
    Registered since
    05.02.2006
    Posts
    7

    Re: annoying popups

    at the moment there are no more popups... yay!
    however, I couldn't get any logfiles out of datfindbat... probably because I don't know how to run it.
    double-clicking doesn't do much...

    oh well. the problem is solved anyway.
    thank you!

  9. #9
    Honorary Member Speedy
    Registered since
    07.08.2004
    Location
    Linz
    Posts
    23,583

    Re: annoying popups

    hello krümel

    download datfindbat, run it according to the instructions and post the contents of the logfiles it creates (there will be 4 of them; for c:\windows\system32 only the last 30 days should be posted).
    regards
    http://members.linzag.net/680262/ff.jpg www.Speedyweb.at.tf http://members.linzag.net/680262/tb.jpg
    Following my tips is at your own risk!
    HijackThis (downloads and guides, e.g. what does "fixing" mean, etc.)
    HijackThis chat, or do you want to join in here: job posting
    help with system cleanup only via the public Windows forum and never via private messages or email!!
