backdoor win 32 ciadoor 13 wie bekomme ich den komplett wieder los ?

...neu hier

Beiträge: 4

#61 Hallo

ich habe das selbe prob!! hab auch schon alles gemacht was da stand aber bei mir ist immernoch was :
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}## Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid## Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32## Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib## Hoch
Backdoor.CIADoor.13 HKCR\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib##Version Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3} Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}## Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0 Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0## Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0 Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0## Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32 Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32## Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS## Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR Hoch
Backdoor.CIADoor.13 HKCR\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR## Hoch
Backdoor.CIADoor.13 HKCR\N.Cs4 Hoch
Backdoor.CIADoor.13 HKCR\N.Cs4## Hoch
Backdoor.CIADoor.13 HKCR\N.Cs4\Clsid Hoch
Backdoor.CIADoor.13 HKCR\N.Cs4\Clsid##

19.05.2006, 23:50

Ehrenmitglied

Beiträge: 29434

#62 kjio

ich moechte gern noch mal alle logs sehen, dann helfe ich dir, die Registry zu reinigen

1.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

2.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

3.
Hijackthis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Lade/entpacke HijackThis in einem Ordner
--> None of the above just start the program --> Save--> Savelog -->es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"
__________
MfG Sabina

rund um die PC-Sicherheit

20.05.2006, 00:06

...neu hier

Beiträge: 4

#63 Datentr„ger in Laufwerk C: ist WinXp
Volumeseriennummer: 20D1-C3F9

Verzeichnis von C:\WINDOWS\system32

19.05.2006 16:38 20.436 ikhcore.log
19.05.2006 02:20 27.949 nvapps.xml
19.05.2006 02:12 2.206 wpa.dbl
19.05.2006 01:39 65.750 _21girl_.jpg
23.04.2006 18:47 1.077.344 MSCOMCTL.OCX
04.04.2006 16:26 128.504 FNTCACHE.DAT
27.03.2006 04:23 311.604 perfh009.dat
27.03.2006 04:23 39.992 perfc009.dat
27.03.2006 04:23 316.594 perfh007.dat
27.03.2006 04:23 48.156 perfc007.dat
27.03.2006 04:23 723.744 PerfStringBackup.INI
20.01.2006 02:28 22 sec171119.lmp

2046 Datei(en) 385.503.860 Bytes
0 Verzeichnis(se), 1.132.208.128 Bytes frei

2-------------------------

Datentr„ger in Laufwerk C: ist WinXp
Volumeseriennummer: 20D1-C3F9

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

19.05.2006 16:52 16.384 ~DFD4EC.tmp
1 Datei(en) 16.384 Bytes
0 Verzeichnis(se), 1.132.204.032 Bytes frei

3-------------------------

Datentr„ger in Laufwerk C: ist WinXp
Volumeseriennummer: 20D1-C3F9

Verzeichnis von C:\WINDOWS

05.04.2275 03:57 3.120 MF_C420.lfa
05.04.2275 03:57 3.120 MF_C421.lfa
19.05.2006 17:29 1.409 QTFont.for
19.05.2006 17:29 54.156 QTFont.qfn
19.05.2006 16:39 0 0.log
19.05.2006 16:38 2.048 bootstat.dat
19.05.2006 16:37 32.638 SchedLgU.Txt
19.05.2006 16:37 69.353 WindowsUpdate.log
19.05.2006 15:25 528 win.ini
19.05.2006 15:25 256 system.ini
19.05.2006 04:05 825.680 setupapi.log
19.05.2006 02:20 1.174 OEWABLog.txt
19.05.2006 02:20 87.380 wmsetup.log
19.05.2006 02:12 107.190 ntbtlog.txt
19.05.2006 02:00 50 wiaservc.log
19.05.2006 02:00 404 wiadebug.log
19.05.2006 00:58 202 NeroDigital.ini
11.05.2006 14:07 1.609 RefreshLock.ini
23.04.2006 18:47 249.856 Setup1.exe
23.04.2006 18:47 73.216 temp.000
20.04.2006 23:28 186.975 setupact.log
30.03.2006 16:54 400 ODBC.INI
03.01.2006 22:46 192 winamp.ini
03.01.2006 21:44 69.632 uinst001.exe

20.11.1617 00:57 3.120 MF_C425.lfa
147 Datei(en) 14.553.089 Bytes
0 Verzeichnis(se), 1.132.191.744 Bytes frei

4---------------------------------------
Datentr„ger in Laufwerk C: ist WinXp
Volumeseriennummer: 20D1-C3F9

Verzeichnis von C:\

20.05.2006 00:04 0 sys.txt
20.05.2006 00:03 7.514 system.txt
20.05.2006 00:03 287 systemtemp.txt
20.05.2006 00:02 99.868 system32.txt
19.05.2006 16:38 536.444.928 hiberfil.sys
19.05.2006 16:38 402.653.184 pagefile.sys
19.05.2006 15:25 211 boot.ini
19.05.2006 15:24 2.242 avenger.txt
19.05.2006 01:42 410.112 ProRat.exe
28.04.2006 14:50 45 TEST.XML
05.04.2006 14:35 164 DevList.txt

20 Datei(en) 939.924.023 Bytes
0 Verzeichnis(se), 1.132.199.936 Bytes frei

Und Hijack

Logfile of HijackThis v1.99.1
Scan saved at 00:09:58, on 20.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\PROGRA~2\Symantec\SYMANT~1\NSCTOP.EXE
C:\Programme\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\SLEE11.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
D:\Programme\BitComet\BitComet.exe
C:\Programme\iTunes\iTunes.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http:///
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\Programme\vmntoolbar\vmntoolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\Programme\vmntoolbar\vmntoolbar.dll
O4 - HKLM\..\Run: [avgnt] "E:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [IncrediMail] C:\Programme\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - E:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Symantec System Center Discovery-Dienst (NSCTOP) - Symantec Corporation - E:\PROGRA~2\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Programme\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: Steganos Live Encryption Engine 11 [Service] (SLEE_11_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE11.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Programme\Symantec AntiVirus\Rtvscan.exe

DAnke !!

20.05.2006, 01:10

Member

Beiträge: 12

#64 Hallo,

also hier scheinen echte Profis am werk zu sein und die sind offensichtlich auch noch wirklich hilfsbereit. Respekt.

Wäre klasse, wenn Ihr auch mir helfen könntet.

Ich habe mir auch diesen unsäglichen Backdoor eingefangen, habe es aber zum Glück gleich gemerkt, daß da was nicht stimmt und die Verbindung gekappt.

Bevor ich das Board hier gefunden habe, habe ich im abgesichtern Modus schon mal die scvhost.exe gelöscht und ie Verweise in der Registry darauf manuell gesucht und gelöscht. Ich habe auch Hijackthis drüber lauefen lassen und ein paar Einträeg gefixt.

Trotzdem habe ich noch das Problem, daß ich nicht auf Taskmanager, Eingabeaufforderung udn Systemwiederherstellung zugreifen kann (vielleicht auch noch andere Dinge, das habe ich dann aber noch nicht gemerkt).

Köntt Ihr mir bitte auch Anletung posten, was nun zu tun ist um den Rest zu fixen?

Übrigens haeb ich allerlei Schauermärchen in anderen Boards gelesen, daß man das Ding eigentlich gar nicht mehr losbekommt, ohne das System komplett neu aufzusetzen und dann sogar noch vorsichtig mit den zu sichernden Dateien sein muß. Stimmt das?

Danke für Eure Hilfe im Voraus.

Sebastian

20.05.2006, 01:40

...neu hier

Beiträge: 4

#65 guck ma auf seite 1 !! da steht wie du das machen musst hat bei mir auch funktioniert

mfg

20.05.2006, 02:05

Member

Beiträge: 12

#66 OK, hier sind die 4 Textfiels und auch noch eine aktuelles Hijack log.

Was kommt nun dran?

Logfile of HijackThis v1.99.1
Scan saved at 02:02:29, on 20.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programme\Webshots\webshots.scr
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOKUME~1\Admin\LOKALE~1\Temp\Adobelm_Cleanup.0001
C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOKUME~1\Admin\LOKALE~1\Temp\Adobelm_Cleanup.0001
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Admin\LOKALE~1\Temp\Rar$EX00.719\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webshots.com/
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Webshots.lnk = C:\Programme\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145142166171
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFFC13D1-DC10-4898-80BA-F71E6492DAD3}: NameServer = 217.237.150.188 217.237.151.161
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe

Verzeichnis von C:\WINDOWS\system32

18.05.2006 22:48 2.206 wpa.dbl
13.05.2006 14:08 383.254 perfh009.dat
13.05.2006 14:08 394.500 perfh007.dat
13.05.2006 14:08 64.598 perfc007.dat
13.05.2006 14:08 53.608 perfc009.dat
13.05.2006 14:08 904.198 PerfStringBackup.INI
17.04.2006 12:34 3.147 qtplugin.log
17.04.2006 12:31 3.207 jupdate-1.4.2_05-b04.log
16.04.2006 22:48 190.592 FNTCACHE.DAT
16.04.2006 15:15 100 LuResult.txt
16.04.2006 01:05 15.360 BASSMOD.dll
16.04.2006 00:39 269 spupdwxp.log
15.04.2006 23:28 0 h323log.txt
15.04.2006 22:34 25.065 wmpscheme.xml
15.04.2006 22:32 386 $winnt$.inf
15.04.2006 22:31 2.951 CONFIG.NT
15.04.2006 22:31 16.832 amcompat.tlb
15.04.2006 22:31 23.392 nscompat.tlb
15.04.2006 22:30 488 WindowsLogon.manifest
15.04.2006 22:30 488 logonui.exe.manifest
15.04.2006 22:30 749 ncpa.cpl.manifest
15.04.2006 22:30 749 sapi.cpl.manifest
15.04.2006 22:30 749 wuaucpl.cpl.manifest
15.04.2006 22:30 749 nwc.cpl.manifest
15.04.2006 22:30 749 cdplayer.exe.manifest
15.04.2006 22:28 21.740 emptyregdb.dat
11.04.2006 21:09 219.136 uxtheme.dll
11.04.2006 21:09 131.712 HAL.DLL
11.04.2006 21:09 49.152 wdigest.dll
11.04.2006 21:09 61.440 mmcshext.dll
11.04.2006 21:09 33.792 mmcperf.exe
11.04.2006 21:09 1.916.928 mmcndmgr.dll
11.04.2006 21:09 106.496 mmcfxcommon.dll
11.04.2006 21:09 397.312 mmcex.dll
11.04.2006 21:09 169.984 mmcbase.dll
11.04.2006 21:09 184.320 microsoft.managementconsole.dll
11.04.2006 21:09 1.354.240 mmc.exe
11.04.2006 21:09 148.480 cic.dll
11.04.2006 21:08 669.184 wininet.dll
11.04.2006 21:08 616.448 urlmon.dll
11.04.2006 21:08 25.600 xpsp3res.dll
11.04.2006 21:08 474.624 shlwapi.dll
11.04.2006 21:08 1.495.040 shdocvw.dll
11.04.2006 21:08 3.076.608 mshtml.dll
11.04.2006 21:08 1.022.976 browseui.dll
11.04.2006 21:08 270.848 oakley.dll
22.03.2006 05:56 257.536 ati2dvag.dll
22.03.2006 05:50 114.688 atipdlxx.dll
22.03.2006 05:50 77.824 Oemdspif.dll
22.03.2006 05:50 26.112 Ati2mdxx.exe
22.03.2006 05:50 41.984 ati2edxx.dll
22.03.2006 05:50 61.440 ati2evxx.dll
22.03.2006 05:48 405.504 ati2evxx.exe
22.03.2006 05:48 53.248 ATIDDC.DLL
22.03.2006 05:42 307.200 atiiiexx.dll
22.03.2006 05:40 2.662.688 ati3duag.dll
22.03.2006 05:33 1.130.752 ativvaxx.dll
22.03.2006 05:33 6.684.672 atioglx1.dll
22.03.2006 05:24 5.025.792 atioglxx.dll
22.03.2006 05:18 151.552 atikvmag.dll
22.03.2006 05:17 17.408 atitvo32.dll
22.03.2006 05:12 258.048 ati2cqag.dll
22.03.2006 04:38 286.720 ATIDEMGR.dll
20.03.2006 17:03 540.178 x264vfw.dll
17.03.2006 15:37 520.192 ati2sgag.exe
17.03.2006 11:11 679.424 inetcomm.dll
17.03.2006 06:03 8.493.056 shell32.dll
17.03.2006 02:38 28.672 verclsid.exe
04.03.2006 06:00 532.480 mstime.dll
04.03.2006 06:00 39.424 pngfilt.dll
04.03.2006 06:00 448.512 mshtmled.dll
04.03.2006 06:00 146.432 msrating.dll
04.03.2006 06:00 96.768 inseng.dll
04.03.2006 06:00 251.904 iepeers.dll
04.03.2006 06:00 152.064 cdfview.dll
04.03.2006 06:00 205.312 dxtrans.dll
04.03.2006 06:00 55.808 extmgr.dll
04.03.2006 06:00 1.056.256 danim.dll
23.02.2006 21:32 348.160 msvcr71.dll
23.02.2006 21:32 499.712 msvcp71.dll
23.02.2006 21:32 1.047.552 mfc71u.dll
23.02.2006 21:32 1.060.864 mfc71.dll
23.02.2006 21:32 608.448 comctl32.ocx
23.02.2006 21:32 89.088 atl71.dll
23.02.2006 21:31 416.304 mpg4c32.bkp
14.02.2006 09:20 550.120 LegitCheckControl.dll
13.02.2006 22:29 121.995 atiicdxx.dat

Verzeichnis von C:\DOKUME~1\Admin\LOKALE~1\Temp

20.05.2006 02:02 16.384 ~DF5EB4.tmp
20.05.2006 01:29 59.964 Adobelm_Cleanup.0001
20.05.2006 01:16 16.384 Perflib_Perfdata_7f0.dat
20.05.2006 01:16 16.384 Perflib_Perfdata_6f8.dat
20.05.2006 01:16 16.384 Perflib_Perfdata_83c.dat
20.05.2006 01:16 286 WCESLog.log
6 Datei(en) 125.786 Bytes
0 Verzeichnis(se), 18.056.687.616 Bytes frei

Verzeichnis von C:\WINDOWS

20.05.2006 01:16 0 0.log
20.05.2006 01:16 307.282 WindowsUpdate.log
20.05.2006 01:16 50 wiaservc.log
20.05.2006 01:16 157 wiadebug.log
20.05.2006 01:14 2.048 bootstat.dat
20.05.2006 01:13 32.510 SchedLgU.Txt
19.05.2006 19:44 473.364 ntbtlog.txt
18.05.2006 07:22 307.010 setupapi.log
16.05.2006 22:30 116 NeroDigital.ini
13.05.2006 14:12 918 nsw.log
13.05.2006 14:08 118.785 ntdtcsetup.log
13.05.2006 14:08 195.551 comsetup.log
13.05.2006 14:08 696.206 iis6.log
13.05.2006 14:08 266.362 tsoc.log
13.05.2006 14:08 4.696 imsins.log
13.05.2006 14:08 30.831 ocmsn.log
13.05.2006 14:08 28.839 tabletoc.log
13.05.2006 14:08 39.367 medctroc.Log
13.05.2006 14:08 292.548 ocgen.log
13.05.2006 14:08 28.883 msgsocm.log
13.05.2006 14:08 559.156 FaxSetup.log
13.05.2006 14:08 99.167 netfxocm.log
13.05.2006 14:07 188.504 msmqinst.log
13.05.2006 11:05 249 accessdll.log
13.05.2006 11:05 107 avmsysnet.log
12.05.2006 23:08 1.943 avmadd32.log
12.05.2006 22:53 322 accessdll1.log
29.04.2006 17:32 3.038 tm.ini
29.04.2006 17:24 35 tdf.dii
24.04.2006 20:10 122 setup.log
17.04.2006 15:23 184.411 setupact.log
17.04.2006 14:58 772 hpinfo.lnk
17.04.2006 12:12 30.763 spupdsvc.log
16.04.2006 23:59 42.231 basecsp.log
16.04.2006 23:59 1.374 imsins.BAK
16.04.2006 23:58 296 wmsetup.log
16.04.2006 23:58 316.640 WMSysPr9.prx
16.04.2006 23:58 22.528 updspapi.log
16.04.2006 23:28 41.502 KB904412.log
16.04.2006 22:52 1.450 LUINSTALL.LOG
16.04.2006 13:19 400 ODBC.INI
16.04.2006 13:18 583 win.ini
16.04.2006 01:06 4.544 WGA.log
16.04.2006 01:02 1.588 DirectX.log
16.04.2006 00:58 1.454 COM+.log
16.04.2006 00:48 14.808 KB899588.log
16.04.2006 00:47 15.105 KB894391.log
16.04.2006 00:46 12.554 KB893086.log
16.04.2006 00:46 10.113 KB885523.log
16.04.2006 00:46 8.918 KB893066.log
16.04.2006 00:46 9.271 KB873333.log
16.04.2006 00:45 7.154 KB890047.log
16.04.2006 00:45 6.050 KB890175.log
16.04.2006 00:45 6.318 KB886185.log
16.04.2006 00:45 4.370 KB884020.log
16.04.2006 00:40 360 DtcInstall.log
16.04.2006 00:40 1.174 OEWABLog.txt
16.04.2006 00:39 810.712 setuplog.txt
16.04.2006 00:25 434.722 svcpack.log
16.04.2006 00:25 195.798 KB909394.log
16.04.2006 00:24 1.118.664 setupapi.log.0.old
16.04.2006 00:23 200 cmsetacl.log
16.04.2006 00:23 1.330 sessmgr.setup.log
15.04.2006 23:27 2.492 regopt.log
15.04.2006 23:26 0 Sti_Trace.log
15.04.2006 23:24 231 system.ini
15.04.2006 23:23 0 setuperr.log
15.04.2006 23:10 572 xpsp1hfm.log
15.04.2006 23:10 7.108 KB824146.log
15.04.2006 22:45 1.948 Windows Update.log
15.04.2006 22:44 3.611 Ascd_tmp.ini
15.04.2006 22:34 8.192 REGLOCS.OLD
15.04.2006 22:31 0 control.ini
15.04.2006 22:31 299.552 WMSysPrx.prx
15.04.2006 22:31 4.161 ODBCINST.INI
15.04.2006 22:30 749 WindowsShell.Manifest
15.04.2006 22:28 36 vb.ini
15.04.2006 22:28 37 vbaddin.ini
27.05.2005 01:22 10.752 hh.exe

Verzeichnis von C:\

20.05.2006 02:06 0 sys.txt
20.05.2006 02:06 5.878 system.txt
20.05.2006 02:05 585 systemtemp.txt
20.05.2006 02:05 100.604 system32.txt
20.05.2006 01:55 586 DirDPF.txt
20.05.2006 01:55 2 DirDPFCns.txt
20.05.2006 01:14 2.147.483.648 pagefile.sys
13.05.2006 21:32 4.451 hpfr5550.log
13.05.2006 21:32 527 hpfr5550.xml
16.04.2006 00:23 211 boot.ini
16.04.2006 00:18 47.564 NTDETECT.COM
16.04.2006 00:18 251.184 ntldr
15.04.2006 22:58 334 errlgr.txt
15.04.2006 22:31 0 IO.SYS
15.04.2006 22:31 0 MSDOS.SYS
15.04.2006 22:31 0 CONFIG.SYS
15.04.2006 22:31 0 AUTOEXEC.BAT
18.08.2001 14:00 4.952 bootfont.bin
18 Datei(en) 2.147.900.526 Bytes
0 Verzeichnis(se), 18.056.687.616 Bytes frei

und hier noch der ServiceFiler Log

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Mai 20, 2006 02:29:22

===> Begin Service Listing <===

Unknown Service #1
Service Name: AcrSch2Svc
Display Name: Acronis Scheduler2 Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\acronis\schedule2\schedul2.exe"
State: Running
Process ID: 1436
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 2
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: AdobeLM ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\adobe systems shared\service\adobelmsvc.exe"
State: Running
Process ID: 3680
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 3
Service Name: AVM IGD CTRL Service
Display Name: AVM IGD CTRL Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\fritz!dsl\igdctrl.exe
State: Running
Process ID: 1612
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #4
Service Name: ccEvtMgr
Display Name: Symantec Event Manager
Start Mode: Boot
Start Name: LocalSystem
Description: Event propagation and logging ...
Service Type: Own Process
Path: \systemroot\"c:\programme\gemeinsame dateien\symantec shared\ccevtmgr.exe"
State: Running
Process ID: 1088
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #5
Service Name: ccProxy
Display Name: Symantec Network Proxy
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec Proxy ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\ccproxy.exe"
State: Running
Process ID: 1944
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #6
Service Name: ccPwdSvc
Display Name: Symantec Password Validation
Start Mode: Manual
Start Name: LocalSystem
Description: User account management ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\ccpwdsvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #7
Service Name: ccSetMgr
Display Name: Symantec Settings Manager
Start Mode: Boot
Start Name: LocalSystem
Description: Settings storage and management ...
Service Type: Own Process
Path: \systemroot\"c:\programme\gemeinsame dateien\symantec shared\ccsetmgr.exe"
State: Running
Process ID: 900
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 8
Service Name: de_serv
Display Name: AVM FRITZ!web Routing Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\gemeinsame dateien\avm\de_serv.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 9
Service Name: ISSVC
Display Name: ISSvc
Start Mode: Auto
Start Name: LocalSystem
Description: Internet Security ...
Service Type: Own Process
Path: "c:\programme\norton internet security\issvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1066
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #10
Service Name: navapsvc
Display Name: Norton AntiVirus Auto-Protect-Dienst
Start Mode: Boot
Start Name: LocalSystem
Description: Verarbeitet Norton AntiVirus ...
Service Type: Own Process
Path: \systemroot\"c:\programme\norton internet security\norton antivirus\navapsvc.exe"
State: Running
Process ID: 3952
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #11
Service Name: Nla
Display Name: NLA (Network Location Awareness)
Start Mode: Boot
Start Name: LocalSystem
Description: Sammelt und speichert Netzwerkkonfigurations- und Standortinformationen und benachrichtigt ...
Service Type: Share Process
Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1692
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #12
Service Name: ose
Display Name: Office Source Engine
Start Mode: Manual
Start Name: LocalSystem
Description: Speichert Installationsdateien, die für Updates und Reparieren verwendet werden, und ist für den ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\microsoft shared\source engine\ose.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #13
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Manual
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: "c:\programme\norton internet security\norton antivirus\savscan.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #14
Service Name: SBService
Display Name: ScriptBlocking Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\gemein~1\symant~1\script~1\sbserv.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #15
Service Name: SENS
Display Name: Systemereignisbenachrichtigung
Start Mode: Boot
Start Name: LocalSystem
Description: Verfolgt Systemereignisse wie Windows-Anmeldungen sowie Netzwerk- und Stromversorgungsereignisse. ...
Service Type: Share Process
Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1692
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #16
Service Name: SharedAccess
Display Name: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung
Start Mode: Boot
Start Name: LocalSystem
Description: Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die ...
Service Type: Share Process
Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #17
Service Name: SNDSrvc
Display Name: Symantec Network Drivers Service
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec Network Drivers ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\sndsrvc.exe"
State: Running
Process ID: 332
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 18
Service Name: SPBBCSvc
Display Name: Symantec SPBBCSvc
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\spbbc\spbbcsvc.exe"
State: Running
Process ID: 448
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #19
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{b3a5d8d9-59b3-4ecd-8c2a-19bf4a45ab36}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #20
Service Name: Symantec Core LC
Display Name: Symantec Core LC
Start Mode: Boot
Start Name: LocalSystem
Description: Symantec Core ...
Service Type: Own Process
Path: \systemroot\"c:\programme\gemeinsame dateien\symantec shared\ccpd-lc\symlcsvc.exe"
State: Running
Process ID: 2576
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

---> End Service Listing <---

There are 99 Win32 services on this machine.
20 were unrecognized.

Script Execution Time: 3,875 seconds.

Ich hoffe ich habe die jetzigen Sachen in der richtigen Reihenfolge gemacht oder ist das egal?

Dieser Beitrag wurde am 20.05.2006 um 02:31 Uhr von Scottyy editiert.

20.05.2006, 16:03

Ehrenmitglied

Beiträge: 29434

#67 kjio

Avenger
http://virus-protect.org/artikel/tools/avenger.html

kopiere rein:

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}
HKEY_CURRENT_USER\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}
HKEY_CURRENT_USER\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}
HKEY_CURRENT_USER\N.Cs4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

------

poste den report vom Avenger
__________
MfG Sabina

rund um die PC-Sicherheit

20.05.2006, 16:08

Ehrenmitglied

Beiträge: 29434

#68 Scottyy

1.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}]
[-HKEY_CURRENT_USER\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}]
[-HKEY_CURRENT_USER\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}]
[-HKEY_CURRENT_USER\N.Cs4]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Generic Host Process"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SHAREDACCESS\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "fixme.reg" auf dem Desktop doppelklicken

---------------
2.
Die XP-Firewall wieder aktivieren [Windows-Firewall/Gemeinsame Nutzung der Internetverbindung]

http://www.wintotal.de/Tipps/Eintrag.php?TID=1157

----------------

3.
scanne mit Kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

21.05.2006, 13:04

Member

Beiträge: 12

#69 Hallo SABINA

die Fixme.reg habe ich ausgeführt.

Hier der Kaspersky Report:

Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/05/2006
Kaspersky Anti-Virus database records: 183587
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Z:\

Scan Statistics:
Total number of scanned objects: 70704
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 5
Duration of the scan process: 01:08:11

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\archive.pst/Archivordner/Gesendete Objekte/02 Dec 2001 22:21 to 'Bettina Nickel':AW: From Familie Bock - Ha.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\archive.pst Mail MS Mail: suspicious - 1 skipped
D:\P2P\BitComet\Downloads\400.Winamp.Plugins.by.neonic\400.Winamp.Plugins.by.neonic\Winamp Plugins\General\FZLyrics.exe/data0001/EXE-file Suspicious: Type_Win32 skipped
D:\P2P\BitComet\Downloads\400.Winamp.Plugins.by.neonic\400.Winamp.Plugins.by.neonic\Winamp Plugins\General\FZLyrics.exe/data0001 Suspicious: Type_Win32 skipped
D:\P2P\BitComet\Downloads\400.Winamp.Plugins.by.neonic\400.Winamp.Plugins.by.neonic\Winamp Plugins\General\FZLyrics.exe Inno: suspicious - 2 skipped
D:\P2P\E-Mule\Incoming\Application Java Pour Telephone Mobile.zip/[0] Multimedia Converter from AVI or DiVX to 3GP for UMTS mobile video phone NEC 616, 606 or any NOKIA.zip/Nokia N-Gage - Crash Nitro Kart (Cracked)(1).rar/Nokia N-Gage - Crash Nitro Kart (Cracked).exe Infected: Trojan-Dropper.Win32.Juntador.c skipped
D:\P2P\E-Mule\Incoming\Application Java Pour Telephone Mobile.zip/[0] Multimedia Converter from AVI or DiVX to 3GP for UMTS mobile video phone NEC 616, 606 or any NOKIA.zip/Nokia N-Gage - Crash Nitro Kart (Cracked)(1).rar Infected: Trojan-Dropper.Win32.Juntador.c skipped
D:\P2P\E-Mule\Incoming\Application Java Pour Telephone Mobile.zip/[0] Multimedia Converter from AVI or DiVX to 3GP for UMTS mobile video phone NEC 616, 606 or any NOKIA.zip Infected: Trojan-Dropper.Win32.Juntador.c skipped
D:\P2P\E-Mule\Incoming\Application Java Pour Telephone Mobile.zip ZIP: infected - 3 skipped

Scan process completed.

21.05.2006, 13:52

Ehrenmitglied

Beiträge: 29434

#70 Scottyy

funktioniert die Firewall ?
der Wurm ist geloescht...was du nun von den anderen Dingen loeschst, bleibt dir ueberlassen, abhaengig, wie sauber du deinen Rechner wuenscht...
__________
MfG Sabina

rund um die PC-Sicherheit

21.05.2006, 13:58

Member

Beiträge: 12

#71 SABINA

ich habe die Windows Firewall grundsätzlich deaktiviert. Ich benutze NPF.

Mein Taskamanger, Internetverbindungsfreigabe, Systemwiederherstellung funktioniert auf jeden Fall noch nicht.

Wie bekomme ich das denn wieder lauffähig?

Außerdem habe ich einen Hänger von ca. 1 Minute beim booten und zwar dann, wenn das Desktophintergrundbild schon zu sehen ist. Taskleiste, Icons, ets. lassen dann ca. 1 Minute auf sich warten.

21.05.2006, 14:40

Ehrenmitglied

Beiträge: 29434

#72 Scottyy

poste dieses Log
http://virus-protect.org/registry_stuff.html
+
das log vom Silentrunner
http://virus-protect.org/silentrunner.html
__________
MfG Sabina

rund um die PC-Sicherheit

21.05.2006, 14:49

Member

Beiträge: 12

#73 SABINA

hier schon mal das Log vom Silent Runner.

die find_stuff.bat kann ich wieder nur im abgesichtern Modus als Administrator starten. Poste ich dann am Montag, da ich jetzt weg muß.

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\wcescomm.exe"" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\ipoint.exe"" [MS]
"itype" = ""C:\Programme\Microsoft IntelliType Pro\itype.exe"" [MS]
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"NVMixerTray" = ""C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"TrueImageMonitor.exe" = "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = (empty string)
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"RemoteControl" = "C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]
"SunJavaUpdateSched" = "C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" ["HP"]
"wcmdmgr" = "C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch" ["WildTangent, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {HKLM...CLSID} = "CNisExtBho Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobiles Gerät"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Wcesview.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Schnurlose Eigenschaften"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Tasten-Eigenschaftenseite"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Programme\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Programme\Ipswitch\WS_FTP Professional\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\
HIJACK WARNING! "DisableSR"=dword:00000001
[removes Control Panel|System|System Restore (tab) and disables applet]
{Computer Configuration|Administrative Templates|System|System Restore|
Turn off System Restore}

HIJACK WARNING! "DisableConfig"=dword:00000001
[disables options on Control Panel|System|System Restore (tab)]
{Computer Configuration|Administrative Templates|System|System Restore|
Turn off Configuration}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp"

Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\Admin\Startmenü\Programme\Autostart
"Webshots" -> shortcut to: "C:\Programme\Webshots\Launcher.exe /t" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Meinen Computer prüfen - Admin" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {HKLM...CLSID} = "Norton Internet Security"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {HKLM...CLSID} = "Norton Internet Security"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\INetRepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVM IGD CTRL Service, AVM IGD CTRL Service, "C:\Programme\FRITZ!DSL\IGDCTRL.EXE" ["AVM Berlin"]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, "\SystemRoot\"C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" [file not found]
Symantec Core LC, Symantec Core LC, "\SystemRoot\"C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe"" [file not found]
Symantec Event Manager, ccEvtMgr, "\SystemRoot\"C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" [file not found]
Symantec Network Drivers Service, SNDSrvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, "\SystemRoot\"C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" [file not found]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
avm:\Driver = "avmprmon.dll" ["AVM Berlin GmbH"]
hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 41 seconds, including 18 seconds for message boxes)

21.05.2006, 15:41

Ehrenmitglied

Beiträge: 29434

#74 Scottyy

Gehe in die Registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore\

"DisableSR" =dword:00000001 -> auf 0 setzen
"DisableConfig" =dword:00000001 -> auf 0 setzen

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\System

DisableTaskMgr = "dword:00000001" -> auf 0 setzen
DisableRegistryTools = "dword:00000001" -> auf 0 setzen

PC neustarten
__________
MfG Sabina

rund um die PC-Sicherheit

21.05.2006, 16:02