scvhost.exe (win32:ciadoor-21) u.a. Firewall und Registry ohne Funktion

#61 Hallo Sabina,

habe die Schritte allesamt durchgeführt.
Nach einem Neustart komme ich nun auch wieder in die Registry und der Arbeitsplatz öffnet sich auch nicht mehr.

Den Virus habe ich glaube ich aber immer noch.

Hier die Reports:

Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\crxabycd

*******************

Script file located at: \??\C:\jnninuwm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ckl009.dat deleted successfully.
File C:\WINDOWS\system32\wsock32.sys deleted successfully.
File C:\WINDOWS\system32\scvhost.exe deleted successfully.
File C:\WINDOWS\system32\r15o922UXD.ini deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, April 26, 2006 7:30:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/04/2006
Kaspersky Anti-Virus database records: 178567
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 110514
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:39:01

Infected Object Name / Virus Name / Last Action
C:\avenger\backup-26.04.2006-17.34.31,25.zip/avenger/r15o922UXD.ini Infected: Backdoor.Win32.Ciadoor.13 skipped
C:\avenger\backup-26.04.2006-17.34.31,25.zip/avenger/scvhost.exe Infected: Backdoor.Win32.Ciadoor.13 skipped
C:\avenger\backup-26.04.2006-17.34.31,25.zip/avenger/wsock32.sys Infected: Backdoor.Win32.Ciadoor.13 skipped
C:\avenger\backup-26.04.2006-17.34.31,25.zip ZIP: infected - 3 skipped
C:\Dokumente und Einstellungen\Daniel\Lokale Einstellungen\Anwendungsdaten\Identities\{C8DD835D-8E9A-458E-AF10-5A4F67DDF756}\Microsoft\Outlook Express\Gelöschte Objekte.dbx/[From Deutsche Telekom AG <Rechnung-Online@t-com.net>][Date Mon, 06 Feb 2006 07:27:46 -0500]/Rechnung.pdf.exe Infected: Trojan-Downloader.Win32.Small.cil skipped
C:\Dokumente und Einstellungen\Daniel\Lokale Einstellungen\Anwendungsdaten\Identities\{C8DD835D-8E9A-458E-AF10-5A4F67DDF756}\Microsoft\Outlook Express\Gelöschte Objekte.dbx Mail MS Outlook 5: infected - 1 skipped

Scan process completed.

#62 Daniel2k

1.
loesche die Backups vom Avenger
C:\avenger\backup

2.
loesche die verseuchten Mails

so kann man die Mail restlos aus der Inbox zu entfernen:
1. Mail aus Inbox löschen
2. Mülleimer leeren
3. Inbox komprimieren (Datei-Menü)

Hintergrund: Die gesamte Inbox ist auf der Festplatte als eine einzige Datei abgelegt. Darin stehen alle Mails untereinander, und auch die "gelöschten" Mails bleiben stehen (nur sind sie als gelöscht markiert). Erst durch das Komprimieren werden tatsächlich Teile aus der Datei entfernt.

3.
dann sollte wieder alles in Ordnung sein. (vergiss nicht, die Systemwiederherstellung wieder zu aktivieren)
__________
MfG Sabina

rund um die PC-Sicherheit

#63 Hallo Sabina,

ich bekomme es nicht hin die Systemwiederherstellung auszuschalten. Habe schon etliche Anleitungen versucht. Bin als Admin angemeldet und habe auch die normalen Admin Rechte. Auch im abges.Modus geht es nicht.

was kann ich tun?

#64

Zitat

nicht hin die Systemwiederherstellung auszuschalten

ausschalten oder aktivieren ?
__________
MfG Sabina

rund um die PC-Sicherheit

#65 sowohl als auch
hatte sie noch nicht deaktiviert bekommen

#66 systemrestore

Start - Ausfuehren - regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
DisableSR = "dword:00000001" --> diesen Eintrag in 0 aendern

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
DisableSR = "dword:00000001" --> diesen Eintrag in 0 aendern

PC neustarten und berichte
__________
MfG Sabina

rund um die PC-Sicherheit

#67 Hallo Sabina,
jetzt habe ich es hinbekommen. Danke.
Habe nochmals alle möglichen Schritte gemacht. Danach hab ich noch mal den online Scan mit KASPERSKY gemacht - es wurde nichts gefunden.
Auch in die FirewallEinstellungen komme ich ohne weiteres.

Habe nur noch eine Sache:
Ich habe ZoneAlarm jetzt laufen. Nach dem Systemstart fragt er mich noch immer ob ich dem "generic host process" zugriffsrechte für i-net geben will...
Ist das jetzt noch der Virus oder einfach nur ein Windows Prozess der laufen muss?

Gruß Daniel

#68 Daniel2k

"generic host process" ist der Virus....

Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

Generic Host Process

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

"Enter search strings" (reinschreiben oder reinkopieren)

scvhost


in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.
__________
MfG Sabina

rund um die PC-Sicherheit

#69 hier die logs:

"generic host process"

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 29.04.2006 16:56:08 for strings:
; 'generic host process'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


"scvhost"

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 29.04.2006 16:58:10 for strings:
; 'scvhost'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

#70 poste bitte das neue Log vom HijackThis
+
das Log von Winpfind
http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit

#71 Logfile of HijackThis v1.99.1
Scan saved at 17:40:31, on 30.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Medion Info Display\MdionLCM.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\CmUCReye.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Software\[#Sonstige#]\Winpfind\WinPFind\winpfind.exe
C:\Software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.medion.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MedionVFD] "C:\Programme\Medion Info Display\MdionLCM.exe"
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [CmUCRRun] C:\WINDOWS\system32\CmUCReye.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: MedionShop - {A461BF3E-96B0-488F-9ACA-202335DDCC4B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128778405937
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

^^^Winpfind^^

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 22.08.2004 18:04:56 69120 C:\WINDOWS\daemon.dll

Checking %System% folder...
aspack 18.03.2005 18:19:58 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 26.05.2005 16:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 22.07.2005 20:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
PEC2 04.08.2004 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 01.10.2004 20:23:10 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 01.10.2004 20:23:10 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 29.08.2005 13:27:12 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 06.04.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 06.04.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 14:00:00 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 14:00:00 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 04.08.2004 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
30.04.2006 17:28:14 S 2048 C:\WINDOWS\bootstat.dat
22.04.2006 14:53:20 H 4212 C:\WINDOWS\system32\zllictbl.dat
23.03.2006 01:17:22 S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
23.03.2006 08:15:46 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
13.03.2006 17:08:34 S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
17.03.2006 11:24:30 S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
30.03.2006 12:03:42 S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
30.04.2006 17:29:40 H 1024 C:\WINDOWS\system32\config\default.LOG
30.04.2006 17:28:18 H 1024 C:\WINDOWS\system32\config\SAM.LOG
30.04.2006 17:29:04 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
30.04.2006 17:40:38 H 1024 C:\WINDOWS\system32\config\software.LOG
30.04.2006 17:30:30 H 1024 C:\WINDOWS\system32\config\system.LOG
22.04.2006 13:00:52 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
08.04.2006 00:46:02 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c5e0ab0f-f5b6-43ac-a65f-feeae4b90d18
08.04.2006 00:46:02 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
30.04.2006 17:28:18 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 14:00:00 70656 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 22.06.2005 00:12:58 294912 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 04.08.2004 14:00:00 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
DataDesign AG 11.03.2005 16:04:26 692224 C:\WINDOWS\SYSTEM32\ddbaccpl.cpl
DataDesign AG 11.03.2005 15:43:54 196608 C:\WINDOWS\SYSTEM32\ddbacctm.cpl
Microsoft Corporation 04.08.2004 14:00:00 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 14:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 14:00:00 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 14:00:00 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 14:00:00 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03.06.2005 03:52:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 04.08.2004 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 14:00:00 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04.08.2004 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 14:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 14:00:00 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 23.09.2005 00:21:00 73728 C:\WINDOWS\SYSTEM32\nvcpl.cpl
23.09.2005 00:21:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 14:00:00 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 16.04.2004 16:00:22 324608 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Realtek Semiconductor Corp. 26.05.2005 23:14:48 262144 C:\WINDOWS\SYSTEM32\RTSndMgr.CPL
Microsoft Corporation 04.08.2004 14:00:00 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04.08.2004 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 14:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 14:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04.08.2004 14:00:00 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04.08.2004 14:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04.08.2004 14:00:00 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04.08.2004 14:00:00 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 04.08.2004 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04.08.2004 14:00:00 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 04.08.2004 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04.08.2004 14:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04.08.2004 14:00:00 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 04.08.2004 14:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04.08.2004 14:00:00 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04.08.2004 14:00:00 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04.08.2004 14:00:00 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 04.08.2004 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04.08.2004 14:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04.08.2004 14:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08.10.2005 22:58:00 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
21.04.2006 22:36:22 305 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html
08.10.2005 23:52:04 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
07.01.2006 10:40:46 203 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hpzinstall.log

#72 Daniel2k

bei winpfind faehlt die Haelfte... poste es noch mal und komplett
+
Silentrunner
Die Option "Supplementary Searches" waehlen
http://virus-protect.org/silentrunner.html
__________
MfG Sabina

rund um die PC-Sicherheit

#73 Hallo Sabina,
hier das log von SILENT RUNNERS:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\wcescomm.exe"" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"MedionVFD" = ""C:\Programme\Medion Info Display\MdionLCM.exe"" ["Dritek System Inc."]
"CHotkey" = "mHotkey.exe" [empty string]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"CmUCRRun" = "C:\WINDOWS\system32\CmUCReye.exe" [empty string]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["H+BEDV Datentechnik GmbH"]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobiles Gerät"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\Wcesview.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\
HIJACK WARNING! "DisableSR"=dword:00000001
[removes Control Panel|System|System Restore (tab) and disables applet]

HIJACK WARNING! "DisableConfig"=dword:00000001
[disables options on Control Panel|System|System Restore (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Daniel Home\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 1200 series#1136623341" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1136623341"" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 20 - 21


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{A461BF3E-96B0-488F-9ACA-202335DDCC4B}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.aldi.com

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe"" [empty string]
CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Programme\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe"" ["Cyberlink"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Programme\CyberLink\Shared Files\RichVideo.exe"" [empty string]
CyberLink Task Scheduler (CTS), CLSched, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe"" [empty string]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
StarWind iSCSI Service, StarWindService, "C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
UStorage Server Service, UStorage Server Service, "C:\WINDOWS\system32\UStorSrv.exe /Service" ["OTi"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 24 seconds, including 5 seconds for message boxes)




beim log von WinPFind krieg ich nicht mehr raus als ich habe. An der Stelle sagt er mir "cannot open file c:/dok.+einstel./daniel/anwendungsdaten/$_hpcst$.hpc.

#74 Daniel2k

gehe in die Registry
Start-Ausfuehren - regedit

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR"=dword:00000001 --> in 0 aendern

PC neustarten

poste noch mal die 4 logs von datfindbat (zum Ueberpruefen)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#75 hier die logs:

Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F845-9504

Verzeichnis von C:\WINDOWS\system32

01.05.2006 22:45 41.102 vsconfig.xml
01.05.2006 22:44 37.469 nvapps.xml
01.05.2006 22:11 2.206 wpa.dbl
22.04.2006 14:53 4.212 zllictbl.dat
22.04.2006 13:48 381.828 perfh009.dat
22.04.2006 13:48 53.572 perfc009.dat
22.04.2006 13:48 64.650 perfc007.dat
22.04.2006 13:48 392.842 perfh007.dat
21.04.2006 20:07 279.744 FNTCACHE.DAT
06.04.2006 12:48 5.143.456 MRT.exe
30.03.2006 11:26 1.492.480 shdocvw.dll
30.03.2006 03:16 18.944 xpsp3res.dll
26.03.2006 09:18 905.244 PerfStringBackup.INI
23.03.2006 22:34 3.074.560 mshtml.dll
18.03.2006 13:09 615.424 urlmon.dll
17.03.2006 11:11 679.424 inetcomm.dll
17.03.2006 06:03 8.493.056 shell32.dll
17.03.2006 02:38 28.672 verclsid.exe
16.03.2006 11:34 71.448 zlcommdb.dll
16.03.2006 11:34 79.640 zlcomm.dll
16.03.2006 11:33 100.120 vsxml.dll
16.03.2006 11:33 382.744 vsutil.dll
16.03.2006 11:33 71.448 vsregexp.dll
16.03.2006 11:33 227.096 vspubapi.dll
16.03.2006 11:33 104.216 vsmonapi.dll
16.03.2006 11:33 141.080 vsinit.dll
16.03.2006 11:33 372.824 vsdatant.sys
16.03.2006 11:32 83.736 vsdata.dll
16.03.2006 11:16 54.960 vsutil_loc0407.dll
10.03.2006 06:09 5.533.696 wmp.dll
04.03.2006 05:34 664.064 wininet.dll
04.03.2006 05:34 474.624 shlwapi.dll
04.03.2006 05:34 532.480 mstime.dll
04.03.2006 05:34 448.512 mshtmled.dll
04.03.2006 05:34 146.432 msrating.dll
04.03.2006 05:34 39.424 pngfilt.dll
04.03.2006 05:34 251.392 iepeers.dll
04.03.2006 05:34 1.056.256 danim.dll
04.03.2006 05:34 205.312 dxtrans.dll
04.03.2006 05:34 55.808 extmgr.dll
04.03.2006 05:34 96.768 inseng.dll
04.03.2006 05:34 152.064 cdfview.dll
04.03.2006 05:34 1.022.976 browseui.dll
18.02.2006 23:56 34.308 BASSMOD.dll
22.01.2006 11:23 98.304 CmdLineExt.dll
18.01.2006 13:05 57.344 avsda.dll
17.01.2006 23:36 69.632 ElbyCDIO.dll






2.

Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F845-9504

Verzeichnis von C:\DOKUME~1\DANIEL~2\LOKALE~1\Temp

01.05.2006 22:46 978 TmpICQMagic_{05736BBE-C20F-4F10-A6DE-4DB1E3564B0E}22521.html
01.05.2006 22:45 16.384 ~DFEF85.tmp
01.05.2006 22:45 16.384 ~DFDCA1.tmp
01.05.2006 22:45 512 ~DFDCAF.tmp
01.05.2006 22:45 256 ZLT003d8.TMP
01.05.2006 22:44 5.249 WCESLog.log
01.05.2006 22:44 375 WCESCOMM.LOG
29.04.2006 23:14 55.283 WCESMgr.log
29.04.2006 23:13 20.711 phatnotes_sync.log
29.04.2006 16:52 1.743 outstore.log
27.04.2006 20:13 144 WcesView.log
27.04.2006 16:52 797.676 IMT1F.xml
27.04.2006 16:52 426 IMT1E.xml
27.04.2006 16:52 2.036 IMT1D.xml
27.04.2006 16:44 16.384 ~DF5615.tmp
27.04.2006 16:44 16.384 ~DF4C39.tmp
16 Datei(en) 950.925 Bytes
0 Verzeichnis(se), 38.130.704.384 Bytes frei



3.




Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F845-9504

Verzeichnis von C:\WINDOWS

01.05.2006 22:44 0 0.log
01.05.2006 22:44 4.238 ModemLog_Creatix V.92 Data Fax Modem.txt
01.05.2006 22:44 1.112.768 WindowsUpdate.log
01.05.2006 22:44 159 wiadebug.log
01.05.2006 22:44 50 wiaservc.log
01.05.2006 22:44 2.048 bootstat.dat
01.05.2006 22:43 32.568 SchedLgU.Txt
29.04.2006 23:12 116 NeroDigital.ini
29.04.2006 10:31 2.347.418 ntbtlog.txt
28.04.2006 23:00 6.408 mozver.dat
27.04.2006 20:55 107.132 UninstallThunderbird.exe
27.04.2006 20:55 628 win.ini
27.04.2006 17:10 176 wininit.ini
27.04.2006 16:52 147.955 setupapi.log
26.04.2006 22:24 84.746 wmsetup.log
26.04.2006 22:24 460 wmsetup10.log
26.04.2006 22:16 227 system.ini
26.04.2006 20:39 2.554 OEWABLog.txt
26.04.2006 18:47 60.918 iis6.log
26.04.2006 18:47 136.000 comsetup.log
26.04.2006 18:47 81.711 ntdtcsetup.log
26.04.2006 18:47 1.374 imsins.log
26.04.2006 18:47 154.366 tsoc.log
26.04.2006 18:47 21.264 ocmsn.log
26.04.2006 18:47 11.258 KB900485.log
26.04.2006 18:47 195.188 ocgen.log
26.04.2006 18:47 19.289 msgsocm.log
26.04.2006 18:47 393.497 FaxSetup.log
16.04.2006 10:46 1.830 spupdsvc.log
16.04.2006 00:23 1.374 imsins.BAK
16.04.2006 00:23 16.093 KB908531.log
16.04.2006 00:23 24.215 updspapi.log
16.04.2006 00:23 15.397 KB911562.log
16.04.2006 00:23 18.170 KB912812.log
16.04.2006 00:22 16.792 KB911565.log
16.04.2006 00:22 10.848 KB911567.log
08.04.2006 00:20 0 PhotoNow.INI
07.04.2006 21:15 434 goldwave.ini
07.04.2006 20:58 6.592 gwpreset.ini
07.04.2006 20:58 3.362 express.eqx
20.03.2006 20:35 17.572 KB894476.log
20.03.2006 20:31 9.105 KB909394.log
17.03.2006 18:16 97.490 DirectX.log
11.03.2006 13:20 107.132 UninstallFirefox.exe
26.02.2006 19:34 796.672 GPInstall.exe
24.02.2006 18:44 290.816 Setup1.exe
18.02.2006 12:34 10.782 KB911927.log
18.02.2006 12:34 8.230 KB911564.log
18.02.2006 12:33 9.858 KB901190.log
18.02.2006 12:33 6.763 KB913446.log
29.01.2006 15:21 2.510 Microsoft.MIF
29.01.2006 15:20 1.098.616 setupapi.log.0.old
22.01.2006 22:58 74.752 ST6UNST.EXE
15.01.2006 22:02 210 BUHL.INI
15.01.2006 21:58 271 WISO.INI
11.01.2006 18:53 10.125 KB908519.log
10.01.2006 23:00 400 ODBC.INI
07.01.2006 10:40 20.454 hpoins01.dat
07.01.2006 10:33 4 msoffice.ini
07.01.2006 00:19 15.309 KB896424.log
07.01.2006 00:18 10.031 KB910437.log
07.01.2006 00:18 17.473 KB905915.log
07.01.2006 00:18 11.833 KB912919.log
06.01.2006 23:45 1.189.968 setuplog.txt
06.01.2006 23:44 231.489 setupact.log
06.01.2006 23:43 4.134 regopt.log
06.01.2006 23:41 5.741 sessmgr.setup.log
06.01.2006 23:41 641 DtcInstall.log




4.

Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F845-9504

Verzeichnis von C:\

01.05.2006 22:48 0 sys.txt
01.05.2006 22:48 10.795 system.txt
01.05.2006 22:47 1.075 systemtemp.txt
01.05.2006 22:46 108.355 system32.txt
01.05.2006 22:44 1.072.156.672 hiberfil.sys
01.05.2006 22:43 1.610.612.736 pagefile.sys
29.04.2006 23:14 3.660.033 WMDesktop.log
29.04.2006 18:24 519 hpfr3420.xml
29.04.2006 18:24 8.522 hpfr3425.log
29.04.2006 16:53 39.732 WmpPpcItnSync.log
27.04.2006 16:43 2.512 phatnotessynctable.dat
26.04.2006 22:16 211 boot.ini
26.04.2006 19:43 2.524 avenger.txt
24.04.2006 21:46 639 DirDPF.txt
24.04.2006 21:46 2 DirDPFCns.txt
12.10.2005 08:54 1.620 IPH.PH
09.10.2005 14:46 50 AUTOEXEC.BAT
08.10.2005 22:57 0 MSDOS.SYS
08.10.2005 22:57 0 IO.SYS
08.10.2005 22:57 0 CONFIG.SYS
04.08.2004 14:00 4.952 bootfont.bin
04.08.2004 14:00 47.564 NTDETECT.COM
04.08.2004 14:00 251.184 ntldr
23 Datei(en) 2.686.909.697 Bytes
0 Verzeichnis(se), 38.130.704.384 Bytes frei