intell32.exe + sywsvcs.exe + msupdate32.dll + Winhound
29.11.2005, 11:00
Member
Posts: 15
29.11.2005, 11:02
Honorary member
Thread starter, Posts: 29434
#17
OK ... now copy the WinPFind log here
http://virus-protect.org/winpfind.html
__________
Regards, Sabina (all about PC security)
29.11.2005, 12:15
Member
Posts: 15
#18
Hi!!
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding. If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 16.02.2005 11:06:16 218112 C:\HijackThis.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
Items found in C:\WINDOWS\HOSTS

Checking %System% folder...
PEC2 18.08.2001 11:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 12.07.2005 17:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 04.08.2004 00:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 00:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18.08.2001 11:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 03.08.2004 22:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
29.11.2005 07:00:16 S 2048 C:\WINDOWS\bootstat.dat
28.11.2005 12:02:30 RHS 333502 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
29.11.2005 09:21:06 H 1024 C:\WINDOWS\system32\config\default.LOG
29.11.2005 10:14:02 H 1024 C:\WINDOWS\system32\config\SAM.LOG
29.11.2005 07:02:26 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
29.11.2005 11:17:12 H 1024 C:\WINDOWS\system32\config\software.LOG
29.11.2005 09:21:06 H 1024 C:\WINDOWS\system32\config\system.LOG
16.11.2005 17:43:46 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\930b738a-ba44-4354-a040-1c4f2c67cafd
16.11.2005 17:43:46 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
29.11.2005 07:00:18 H 6 C:\WINDOWS\Tasks\SA.DAT
29.11.2005 07:14:38 H 348 C:\WINDOWS\Tasks\{26C83DFA-BF63-4EFA-9B3B-B3941E7734B0}_KEINER_konf.job
29.11.2005 09:00:04 H 348 C:\WINDOWS\Tasks\{C651642A-5DFA-4B40-9A7E-0C68562A69B9}_KEINER_konf.job
29.11.2005 07:14:38 H 348 C:\WINDOWS\Tasks\{F5B24B0D-F1DA-4A2D-8025-EB59A95BA281}_KEINER_konf.job
28.11.2005 15:45:14 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
28.11.2005 15:45:14 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2PUDMPW1\desktop.ini
28.11.2005 15:45:14 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E54NK585\desktop.ini
28.11.2005 15:45:14 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G5U9KDCX\desktop.ini
28.11.2005 15:45:14 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Q1UDIBAL\desktop.ini
28.11.2005 15:45:14 HS 113 C:\WINDOWS\Temp\Verlauf\History.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 04.08.2004 00:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 18.06.2004 09:32:34 15684608 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 04.08.2004 00:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
26.10.1998 05:01:00 184832 C:\WINDOWS\SYSTEM32\BDEADMIN.CPL
Microsoft Corporation 04.08.2004 00:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 00:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 00:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 00:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Hummingbird Communications Ltd. 26.08.1996 13:48:56 13312 C:\WINDOWS\SYSTEM32\INETD32.CPL
Microsoft Corporation 04.08.2004 00:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 00:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 00:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 11:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 22.12.2003 08:28:12 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 04.08.2004 00:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 11:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Ahead Software AG 29.11.2002 00:00:32 57344 C:\WINDOWS\SYSTEM32\NeroBurnRights.cpl
Microsoft Corporation 04.08.2004 00:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 00:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 29.10.2004 16:50:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 18.08.2001 11:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 00:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Autodesk, Inc. 26.02.2004 17:32:56 207960 C:\WINDOWS\SYSTEM32\plotman.cpl
Microsoft Corporation 04.08.2004 00:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 06.07.2001 10:44:42 288768 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Autodesk, Inc. 26.02.2004 17:33:14 207960 C:\WINDOWS\SYSTEM32\styleman.cpl
Microsoft Corporation 04.08.2004 00:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 11:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 00:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 00:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 03:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18.08.2001 11:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 11:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 11:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 18.08.2001 11:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
NVIDIA Corporation 06.06.2002 11:33:00 R 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
16.08.2005 21:06:34 1865 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\ATI CATALYST System Tray.lnk
28.11.2002 22:45:24 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
28.11.2002 22:34:24 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
28.11.2002 22:45:24 HS 84 C:\Dokumente und Einstellungen\konf\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
28.11.2002 22:34:24 HS 62 C:\Dokumente und Einstellungen\konf\Anwendungsdaten\desktop.ini
08.11.2005 09:07:20 62840 C:\Dokumente und Einstellungen\konf\Anwendungsdaten\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
    {a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programme\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Panda Antivirus
    {65756541-C65C-11CD-0000-4B656E696100} = C:\Programme\Panda Software\AVTC\ShellTit.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
    {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Programme\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
    {a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Panda Antivirus
    {65756541-C65C-11CD-0000-4B656E696100} = C:\Programme\Panda Software\AVTC\ShellTit.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programme\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
    {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Programme\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
    =
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
    =
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C333CF63-767F-4831-94AC-E683D962C63C}
    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
    ButtonText = Mobilen Favoriten erstellen :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
    MenuText = Mobilen Favoriten erstellen... : C:\Programme\Microsoft ActiveSync\inetrepl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    &Yahoo! Messenger = C:\Programme\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NvCplDaemon    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz    nwiz.exe /install
    NVCLOCK    rundll32 nvclock.dll,fnNvclock
    APVXDWIN    "C:\Programme\Panda Software\AVTC\ClShield.exe"
    NvMediaCenter    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    IntelliPoint    "C:\Programme\Microsoft IntelliPoint\point32.exe"
    SoundMan    SOUNDMAN.EXE
    ATICCC    "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
    ATIPTA    "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    intell32.exe    C:\WINDOWS\System32\intell32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL    Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    RunAlert    C:\Programme\MSI\PC Alert III\AService.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    CTFMON.EXE    C:\WINDOWS\system32\ctfmon.exe
    SpybotSD TeaTimer    C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    H/PC Connection Agent    "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^AutoCAD-Startbeschleuniger.lnk
    path    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\AutoCAD-Startbeschleuniger.lnk
    backup    C:\WINDOWS\pss\AutoCAD-Startbeschleuniger.lnkCommon Startup
    location    Common Startup
    command    C:\PROGRA~1\GEMEIN~1\AUTODE~1\ACSTAR~1.EXE
    item    AutoCAD-Startbeschleuniger
    path    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\AutoCAD-Startbeschleuniger.lnk
    backup    C:\WINDOWS\pss\AutoCAD-Startbeschleuniger.lnkCommon Startup
    location    Common Startup
    command    C:\PROGRA~1\GEMEIN~1\AUTODE~1\ACSTAR~1.EXE
    item    AutoCAD-Startbeschleuniger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^VIA RAID TOOL.lnk
    path    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VIA RAID TOOL.lnk
    backup    C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup
    location    Common Startup
    command    C:\PROGRA~1\VIA\RAID\RAID_T~1.EXE
    item    VIA RAID TOOL
    path    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VIA RAID TOOL.lnk
    backup    C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup
    location    Common Startup
    command    C:\PROGRA~1\VIA\RAID\RAID_T~1.EXE
    item    VIA RAID TOOL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ClearCookies
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    cc
    hkey    HKCU
    command    C:\WINDOWS\cc.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    cc
    hkey    HKCU
    command    C:\WINDOWS\cc.exe
    inimapping    0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\links
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    links
    hkey    HKLM
    command    links.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    links
    hkey    HKLM
    command    links.exe
    inimapping    0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    NeroCheck
    hkey    HKLM
    command    C:\WINDOWS\system32\NeroCheck.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    NeroCheck
    hkey    HKLM
    command    C:\WINDOWS\system32\NeroCheck.exe
    inimapping    0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PC Booster
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    pcbooster
    hkey    HKLM
    command    C:\Programme\inKline Global\PC Booster\pcbooster.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    pcbooster
    hkey    HKLM
    command    C:\Programme\inKline Global\PC Booster\pcbooster.exe
    inimapping    0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sp
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    se
    hkey    HKLM
    command    rundll32 C:\DOKUME~1\konf\LOKALE~1\Temp\se.dll,DllInstall
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    se
    hkey    HKLM
    command    rundll32 C:\DOKUME~1\konf\LOKALE~1\Temp\se.dll,DllInstall
    inimapping    0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinHound
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    WinHound
    hkey    HKLM
    command    C:\Programme\WinHound\WinHound.exe
    inimapping    0
    key    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    WinHound
    hkey    HKLM
    command    C:\Programme\WinHound\WinHound.exe
    inimapping    0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini    0
    win.ini    0
    bootini    0
    services    0
    startup    2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername    0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon    1
    undockwithoutlogon    1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun    145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder    {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn    {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray    {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell    = Explorer.exe
    System    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent = Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger    = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 29.11.2005 11:21:18
29.11.2005, 12:29
Honorary member
Thread starter, Posts: 29434
#19
smitRem TOOL (removal tool)
http://noahdfear.geekstogo.com/
Open the smitRem folder and double-click RunThis.bat. Wait until the scan has finished (the screen will turn blue, that is normal). Look for smitfiles.txt and post the text file in the thread.
__________
Regards, Sabina (all about PC security)
29.11.2005, 12:45
Member
Posts: 15
#20
Hi
~~~ Upon reboot ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~
~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~
~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~
~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~
~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~
~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~

~~~ Upon reboot ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~
~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~
~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~
~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~
~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~
~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~

~~~ Upon reboot ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!

~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Infected! ~~~~

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~
~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~
~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~
~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~
~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~
~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~

~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~
~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~
~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~
~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~
~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~
~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~
29.11.2005, 12:54
Honorary member
Thread starter, Posts: 29434
#21
Quote: Sabina posted
__________
Regards, Sabina (all about PC security)
30.11.2005, 17:42
Member
Posts: 15
30.11.2005, 17:48
Honorary member
Thread starter, Posts: 29434
#23
You were the first user with WinHound for me ... so no experience yet ... therefore I ask you to do the following as well:
http://virus-protect.org/artikel/spyware/winhound.html
Download Registry Search by Bobbi Flekman and double-click it to start. In "Enter search strings" type or paste WINHOUND into the edit box and click "Ok". Notepad will open; copy the text and post it.
http://www.bleepingcomputer.com/files/regsearch.php
__________
Regards, Sabina (all about PC security)
01.12.2005, 07:12
Member
Posts: 15
#24
hi!!
I really did not understand this now...
You were the first user with WinHound for me ... so no experience yet ... therefore I ask you to do the following as well:
http://virus-protect.org/artikel/spyware/winhound.html
Download Registry Search by Bobbi Flekman and double-click it to start. In "Enter search strings" (type or paste)
01.12.2005, 09:54
Honorary member
Thread starter, Posts: 29434
#25
Quote: Download Registry Search by Bobbi Flekman
__________
Regards, Sabina (all about PC security)
01.12.2005, 10:05
Honorary member
Posts: 6028
01.12.2005, 10:43
Member
Posts: 15
#27
hi!!
REGEDIT4
; Registry Search by Bobbi Flekman
; Version: 1.0.2.1

; Results at 01.12.2005 10:21:53 for strings:
; 'winhound'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound]

[HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound]
"RegistrationUrl"="http://www.winhound.com/register/37.0.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound]
@="C:\\Programme\\WinHound"

[HKEY_LOCAL_MACHINE\SOFTWARE\WinHound.com\WinHound\WinHound]

; End Of The Log...

:-)
01.12.2005, 12:16
Honorary member
Thread starter, Posts: 29434
#28
Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php
Double-click it to start. In "Enter search strings" type or paste ClearCookies into the edit box and click "Ok". Notepad will open; copy the text and post it.
-------------------------------------------------------------------------------------
Copy the following text into Notepad (Start - Accessories - Notepad) and save it as win.reg on the desktop using 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop. Restart the computer in Safe Mode (press F8 while booting). Double-click the file "win.reg" on the desktop.
Quote: REGEDIT4
Then scan with CounterSpy ... preferably also in Safe Mode ... and post the scan report
http://virus-protect.org/counterspy.html
After the scan you have to choose between: *Ignore *Remove *Quarantine. Always choose Remove and restart the PC (then copy the scan report and post it in the security forum).
__________
Regards, Sabina (all about PC security)
01.12.2005, 14:20
Member
Posts: 15
#29
Hi!!
REGEDIT4
; Registry Search by Bobbi Flekman
; Version: 1.0.2.1

; Results at 01.12.2005 12:31:43 for strings:
; 'clearcookies'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...

Spyware Scan Details
Start Date: 01.12.2005 12:53:25
End Date: 01.12.2005 13:54:25
Total Time: 1 hrs 60 secs

Detected spyware

BeamCrack Trojan
Status: Deleted
Infected files detected
C:\Dokumente und Einstellungen\admin\Desktop\_palm_\palm_soft\beamcrack\BeamCrack.prc
C:\Dokumente und Einstellungen\admin\Desktop\_palm_\palm_soft\beamcrack\BeamCrack.txt
C:\Dokumente und Einstellungen\guru\Desktop\_palm_\palm_soft\beamcrack\BeamCrack.prc
C:\Dokumente und Einstellungen\guru\Desktop\_palm_\palm_soft\beamcrack\BeamCrack.txt

Trojan.Desktophijack Trojan
Details: Trojan.Desktophijack modifies the home page and desktop settings on a compromised computer.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes

Adw.PSGuard Adware
Details: PSGuard is a fraudulent anti-spyware program which uses desktop advertising to scare users into paying for the product.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057E242F-2947-4e0a-8E61-A11345D97EA6}

BS.Serving-Sys Cookie
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\konf\cookies\konf@bs.serving-sys[1].txt
c:\dokumente und einstellungen\konf\cookies\konf@serving-sys[2].txt

MetriWeb Cookie
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\konf\cookies\konf@metriweb[2].txt

Emilio
01.12.2005, 14:41
Honorary member
Thread starter, Posts: 29434
#30
Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php and double-click it to start. Under "Enter search strings", type or paste ClearCookies into the edit box and click "Ok". Notepad will open -- copy the text and post it.
__________
Regards, Sabina
all about PC security
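The registry search Sabina asks for in both of her requests above can also be done without the RegSearch download; the following is an added example and is not the RegSearch tool or anything posted in this thread. It walks HKEY_LOCAL_MACHINE and HKEY_USERS (the scope shown in Emilio's RegSearch log) and reports key names, value names and value data containing the search string, writing the hits to a text file that can be posted.

```powershell
# Added example: search key names, value names and value data under HKLM and
# HKEY_USERS for a string, roughly what RegSearch does with its default scope.
# Run from an elevated PowerShell; keys the account cannot read are skipped.
function Search-RegistryString {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [string[]] $Roots = @('HKLM:\', 'Registry::HKEY_USERS\')
    )
    $wild = "*$Pattern*"   # -like is case-insensitive, like RegSearch's search
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like $wild) {
                [pscustomobject]@{ Match = 'Key'; Path = $key.Name; Name = ''; Data = '' }
            }
            $names = @()
            try { $names = $key.GetValueNames() } catch { }   # access denied etc.
            foreach ($name in $names) {
                $data = $key.GetValue($name)
                # REG_BINARY comes back as a byte array; render it as hex so it is searchable
                if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
                $text = "$data"   # REG_MULTI_SZ arrays are joined with spaces
                if ($name -like $wild) {
                    [pscustomobject]@{ Match = 'Value'; Path = $key.Name; Name = $name; Data = $text }
                }
                elseif ($text -like $wild) {
                    [pscustomobject]@{ Match = 'Data'; Path = $key.Name; Name = $name; Data = $text }
                }
            }
        }
    }
}

# The search string from the thread; hits go to regsearch.txt on the Desktop.
$hits = @(Search-RegistryString -Pattern 'ClearCookies')
$hits | Format-Table -AutoSize | Out-String -Width 300 |
    Set-Content -Path "$env:USERPROFILE\Desktop\regsearch.txt"
"$($hits.Count) hit(s); see regsearch.txt on the Desktop"
```

A full walk of both hives takes a few minutes; a 'Data' hit whose Path is a Run key or a CLSID\InProcServer32 key is the kind of entry worth posting for review.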
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NVCLOCK" = "rundll32 nvclock.dll,fnNvclock" [MS]
"APVXDWIN" = ""C:\Programme\Panda Software\AVTC\ClShield.exe"" ["Panda Software International"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\point32.exe"" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"ATIPTA" = ""C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"intell32.exe" = "C:\WINDOWS\System32\intell32.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Panda Software\AVTC\ShellTit.dll" ["Panda Software International"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Symbol-Overlay-Steuerprogramm für AutoCAD Digitale Signaturen"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\AcSignIcon.dll" ["Autodesk"]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{34F4B935-17DC-4885-8BC9-CCD1ADF42F93}" = "Record ISO Image to CD"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Alex Feinman\ISO Recorder\ISORecorder.dll" ["Alex Feinman"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q403984.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Panda Software\AVTC\ShellTit.dll" ["Panda Software International"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Panda Software\AVTC\ShellTit.dll" ["Panda Software International"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Active Desktop web content:
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = ""
"SubscribedURL" = ""
Startup items in "konf" & "All Users" startup folders:
------------------------------------------------------
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Programme\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
Enabled Scheduled Tasks:
------------------------
"{26C83DFA-BF63-4EFA-9B3B-B3941E7734B0}_KEINER_konf" -> launches: "mobsync.exe /Schedule="{26C83DFA-BF63-4EFA-9B3B-B3941E7734B0}_KEINER_konf"" [MS]
"{C651642A-5DFA-4B40-9A7E-0C68562A69B9}_KEINER_konf" -> launches: "mobsync.exe /Schedule="{C651642A-5DFA-4B40-9A7E-0C68562A69B9}_KEINER_konf"" [MS]
"{F5B24B0D-F1DA-4A2D-8025-EB59A95BA281}_KEINER_konf" -> launches: "mobsync.exe /Schedule="{F5B24B0D-F1DA-4A2D-8025-EB59A95BA281}_KEINER_konf"" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Modules\messmod3\v4\yhexbmes.dll" ["Yahoo! Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Panda AdminSecure Communications Agent, PAVAGENTE, "C:\Programme\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe" ["Panda Software"]
Panda AdminSecure Scheduler, PavAtScheduler, "C:\Programme\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe" ["Panda Software"]
Panda ClientShield, PAVSRV, "C:\Programme\Panda Software\AVTC\pavsrv51.exe" ["Panda Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
FaxWare Monitor\Driver = "faxwarmo.dll" [MS]
PDF Port\Driver = "C:\WINDOWS\System32\pdfports.dll" ["Adobe Systems Incorporated."]
Tobit Color Monitor\Driver = "IMGMSGMO.dll" [null data]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 33 seconds, including 5 seconds for message boxes)