Spyware!Danger Antispywarebox

#1 Hallo allerseits
bin schon völlig fertig bekomme das Teil nicht weg.
Habe mich auch schon durchgelesen, ich bekomme es nicht hin...

Habe im abgesicherten Modus Antivir, Spy Sweeper, Adaware, Stinger
alles rüberlaufen lassen. Jetzt die runsrv32.exe in ein anderes Verzeichnis
verschoben(Stand im Forum) keine CHANCE


Jetzt habe ich das Tool hijackthis geladen und poste mal das Ergebnis
Vielleicht kann mir ja einer helfen oder muss ich alles neu aufsetzen?


Logfile of HijackThis v1.99.1
Scan saved at 16:38:31, on 08.06.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\DLR VPDN-Service\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Java\j2re1.4.2_06\bin\jucheck.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\SerExt.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Gigaset DECT\capi\Tools\CALLTRAY.exe
C:\Programme\Gigaset DECT\talk&surf_6_0\semon21.exe
C:\Programme\Hardcopy\hardcopy.exe
C:\Programme\Gigaset DECT\talk&surf_6_0\xcontrolcom.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\users32.exe
H:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 53.122.34.60:80
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iSaverCtrl] C:\Programme\iSaver\iSaverCtrl.exe --startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SerExt] SerExt.exe /unplug
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ITPIPSetup] "H:\test\setupstb.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - Startup: Hardcopy.LNK = C:\Programme\Hardcopy\hardcopy.exe
O4 - Global Startup: DLR VPDN-Client.lnk = C:\Programme\DLR VPDN-Service\ipsecdialer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: CAPI - Monitor.lnk = C:\Programme\Gigaset DECT\capi\Tools\CALLTRAY.exe
O4 - Global Startup: talk&surf 6.0 - Monitor.lnk = C:\Programme\Gigaset DECT\talk&surf_6_0\semon21.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {EBC3DC38-530D-4455-B9D4-DE30BB4DFF8B} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {EBC3DC38-530D-4455-B9D4-DE30BB4DFF8B} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121507202084
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F23C575-3EAD-491E-B116-FF185A0631DC}: NameServer = 192.168.1.254
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Programme\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: pcAnywhere Host-Modul (awhost32) - Symantec Corporation - C:\Programme\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\DLR VPDN-Service\cvpnd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: xControlCOM - Siemens - C:\Programme\Gigaset DECT\talk&surf_6_0\xcontrolcom.exe


Vielen Dank
Gruß icka

#2 Weisst du, wo du dir diese Malware eingefangen hast?
__________
MfG Ralf
SEO-Spam Hunter

#3 Nein, war beim Einschalten gestern da

#4 1.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

2.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

3.
poste das log von winpfind
http://virus-protect.org/winpfind.html

-------------------------------------------------------------
Info
http://virus-protect.org/artikel/spyware/antispywarebox.html
http://virus-protect.org/artikel/spyware/mirarsearch.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5

Zitat

Sabina postete
1.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

2.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

3.
poste das log von winpfind
http://virus-protect.org/winpfind.html

-------------------------------------------------------------
Info
http://virus-protect.org/artikel/spyware/antispywarebox.html
http://virus-protect.org/artikel/spyware/mirarsearch.html

Hallo, ich bin neu hier im Forum und habe auch dieses Problem mit "Your privacy is in Danger".

Leider habe ich keine ahnung wie ich das weg kriege. ich habs nach deiner Anleitung versucht, aber es trotzdem nicht hinbekommen.
ich hab echt keine Ahnung wie ich das wegkriege, kann mir jemand helfen?

#6 Ess4life

ganz einfach: wende die Combofix an ´und kopiere hier das Log
http://www.virus-protect.org/artikel/tools/combofix.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#7

Zitat

Pinguin postete
Ess4life

ganz einfach: wende die Combofix an ´und kopiere hier das Log
http://www.virus-protect.org/artikel/tools/combofix.html

ich hab das programm runtergeladen und ausgeführt aber es kam nichts.



Ich habe die 3 schritte von Sabina nochmal versucht und das kam dabei raus:



Verzeichnis von c:\

2008-01-26 12:42 0 dirdat.txt
2008-01-26 11:36 2,145,386,496 pagefile.sys
2008-01-26 11:30 2,828 rapport.txt
2007-12-30 18:01 223 boot.ini
2007-12-30 16:01 0 CONFIG.SYS
2007-12-30 16:01 0 IO.SYS
2007-12-30 16:01 0 MSDOS.SYS
2007-12-30 16:01 0 AUTOEXEC.BAT
2004-08-03 22:59 251,184 ntldr
2004-08-03 22:38 47,564 NTDETECT.COM
2001-08-23 15:00 4,952 bootfont.bin
11 Datei(en) 2,145,693,247 Bytes
0 Verzeichnis(se), 2,881,720,320 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 48A1-A952

Verzeichnis von C:\WINDOWS\system32

2008-01-26 11:37 2,206 wpa.dbl
2008-01-26 11:37 0 nmp.log
2008-01-26 11:30 0 tmp.txt
2008-01-26 11:30 3,200 tmp.reg
2008-01-26 11:24 16,832 amcompat.tlb
2008-01-26 11:24 23,392 nscompat.tlb
2008-01-18 21:14 13,312 svxmhpz.dll
2008-01-15 19:02 109,401 nvapps.xml
2008-01-10 18:26 5,686 jupdate-1.6.0_03-b05.log
2008-01-02 19:21 17,642,616 MRT.exe
2008-01-01 12:58 386,010 perfh009.dat
2008-01-01 12:58 398,334 perfh007.dat
2008-01-01 12:58 56,364 perfc009.dat
2008-01-01 12:58 68,096 perfc007.dat
2008-01-01 12:58 919,948 PerfStringBackup.INI
2008-01-01 12:56 110,192 FNTCACHE.DAT
2008-01-01 01:38 138,558 TZLog.log
2007-12-31 13:18 188 MsiExec.exe.log
2007-12-31 13:07 3,534 jupdate-1.5.0_03-b07.log
2007-12-31 11:52 185,944 rmoc3260.dll
2007-12-31 11:51 5,632 pndx5032.dll
2007-12-31 11:51 6,656 pndx5016.dll
2007-12-31 11:51 348,160 msvcr71.dll
2007-12-31 11:51 499,712 msvcp71.dll
2007-12-31 11:51 278,528 pncrt.dll
2007-12-30 18:18 60,800 S32EVNT1.DLL
2007-12-30 16:03 996 $winnt$.inf

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 2005-03-18 17:19:58 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 2005-05-26 15:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 2005-12-05 18:09:18 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll
aspack 2006-03-31 12:40:58 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll
aspack 2006-11-29 13:06:18 3426072 C:\WINDOWS\SYSTEM32\d3dx9_32.dll
PEC2 2001-08-23 15:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 2007-10-11 14:12:48 1468968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 2008-01-02 19:21:36 17642616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2008-01-02 19:21:36 17642616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2004-08-04 00:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 2004-08-04 00:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 2000-08-31 08:00:00 156160 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 2000-08-31 08:00:00 136704 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 2001-08-23 15:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 2007-04-10 14:01:46 337280 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2008-01-26 11:36:42 S 2048 C:\WINDOWS\bootstat.dat
2007-12-30 16:00:36 RH 749 C:\WINDOWS\WindowsShell.Manifest
2007-12-31 13:39:44 RHS 227 C:\WINDOWS\assembly\Desktop.ini
2007-12-31 13:39:44 RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
2007-12-31 13:39:44 RH 0 C:\WINDOWS\assembly\pubpol1.dat
2008-01-01 16:50:28 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\indexa7.dat
2008-01-01 16:50:30 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\indexa8.dat
2007-12-30 16:00:40 H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
2007-12-30 16:01:10 HS 67 C:\WINDOWS\Fonts\desktop.ini
2007-12-30 19:23:16 H 0 C:\WINDOWS\inf\oem11.inf
2007-12-31 14:26:14 H 0 C:\WINDOWS\inf\oem14.inf
2007-12-30 16:00:40 H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
2007-12-30 16:00:54 RHS 765 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
2007-12-30 16:00:54 RHS 20242 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
2007-12-30 16:00:54 RHS 246379 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
2007-12-30 16:01:34 H 229376 C:\WINDOWS\repair\ntuser.dat
2008-01-23 16:08:26 H 0 C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT14.tmp
2007-12-30 16:00:36 RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
2007-12-30 16:00:40 RH 488 C:\WINDOWS\system32\logonui.exe.manifest
2007-12-30 16:00:36 RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
2007-12-30 16:00:36 RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
2007-12-30 16:00:36 RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-18 21:14:30 S 13312 C:\WINDOWS\system32\svxmhpz.dll
2007-12-30 16:00:40 RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
2007-12-30 16:00:36 RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
2007-12-19 03:01:22 S 10578 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB946627.cat
2008-01-26 12:45:54 H 1024 C:\WINDOWS\system32\config\default.LOG
2008-01-26 11:36:44 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2008-01-26 11:37:20 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
2008-01-26 12:46:18 H 20480 C:\WINDOWS\system32\config\software.LOG
2008-01-26 12:40:42 H 1024 C:\WINDOWS\system32\config\system.LOG
2007-12-30 16:53:40 H 1024 C:\WINDOWS\system32\config\TempKey.LOG
2007-12-30 16:53:42 H 1024 C:\WINDOWS\system32\config\userdiff.LOG
2007-12-30 15:54:54 HS 62 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\desktop.ini
2008-01-21 10:33:20 S 18 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
2007-12-31 13:31:56 S 341 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
2007-12-31 13:32:00 S 552 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D
2007-12-31 18:41:30 S 1071310 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\56BDEAABA957B2AEC25CCE688FEE4362
2007-12-31 18:41:26 S 758 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
2007-12-31 13:31:56 S 413 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
2007-12-31 13:32:00 S 552 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2007-12-31 13:37:12 S 616 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
2007-12-30 19:22:38 S 25725 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
2007-12-31 13:41:38 S 558 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
2008-01-21 10:33:20 S 216 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
2007-12-31 13:31:56 S 126 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
2007-12-31 13:32:00 S 132 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D
2007-12-31 18:41:30 S 136 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\56BDEAABA957B2AEC25CCE688FEE4362
2007-12-31 18:41:26 S 94 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
2007-12-31 13:31:56 S 98 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
2007-12-31 13:32:00 S 132 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
2007-12-31 13:37:12 S 136 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
2007-12-30 19:22:38 S 216 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
2007-12-31 13:41:38 S 146 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
2007-12-30 15:54:54 HS 62 C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\desktop.ini
2007-12-30 16:00:42 HS 187 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
2007-12-30 15:54:54 HS 62 C:\WINDOWS\system32\config\systemprofile\Startmenü\desktop.ini
2007-12-30 16:01:30 HS 150 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\desktop.ini
2007-12-30 16:01:30 HS 84 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
2007-12-30 16:01:30 HS 495 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Zubehör\desktop.ini
2007-12-30 16:01:30 HS 303 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Zubehör\Eingabehilfen\desktop.ini
2007-12-30 16:01:30 HS 84 C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Zubehör\Unterhaltungsmedien\desktop.ini
2008-01-25 19:38:32 H 0 C:\WINDOWS\system32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
2008-01-25 20:56:40 H 81 C:\WINDOWS\system32\GroupPolicy\Adm\admfiles.ini
2008-01-01 12:59:06 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\5b449a84-37be-4c29-928c-3ef9b5c768d0
2008-01-01 12:59:06 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
2007-12-30 16:04:02 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\df42adf3-100c-4dd5-89a1-e2dcfb87aea0
2007-12-30 16:04:02 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2008-01-26 11:36:46 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 2004-08-04 00:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 2004-08-04 00:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2004-08-04 00:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 2004-08-04 00:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2004-08-04 00:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 2004-08-04 00:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 2004-08-04 00:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2004-08-04 00:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2004-08-04 00:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Sun Microsystems, Inc. 2007-09-24 23:31:42 69632 C:\WINDOWS\SYSTEM32\javacpl.cpl
Microsoft Corporation 2004-08-04 00:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 2001-08-23 15:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2004-08-04 00:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2001-08-23 15:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2004-08-04 00:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 2004-08-04 00:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 2006-12-21 11:29:00 69632 C:\WINDOWS\SYSTEM32\nvcpl.cpl
2006-12-21 11:29:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 2001-08-23 15:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 2004-08-04 00:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2004-08-04 00:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2004-08-04 00:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2001-08-23 15:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2004-08-04 00:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 2004-08-04 00:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 2007-07-30 19:19:28 216408 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 2004-08-04 00:58:24 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 2004-08-04 00:58:24 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 2004-08-04 00:58:24 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 2004-08-04 00:58:24 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 2004-08-04 00:58:24 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 2004-08-04 00:58:24 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 2004-08-04 00:58:24 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 2004-08-04 00:58:24 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 2001-08-23 15:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2004-08-04 00:58:24 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 2001-08-23 15:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2004-08-04 00:58:24 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 2004-08-04 00:58:24 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 2001-08-23 15:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 2004-08-04 00:58:24 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 2004-08-04 00:58:24 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 2004-08-04 00:58:24 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 2004-08-04 00:58:24 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 2001-08-23 15:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 2004-08-04 00:58:24 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 2004-08-04 00:58:24 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 2007-07-30 19:19:28 216408 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2007-12-30 16:01:30 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
2007-12-31 13:27:18 1710 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2007-12-30 15:54:54 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2007-12-30 16:01:30 HS 84 C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2007-12-30 15:54:54 HS 62 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\desktop.ini
2007-12-31 13:27:56 17144 C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
SIMBAR={A6F8AB2B-C7D4-4592-8770-BC7B921FE4E8} =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{06A2568A-CED6-4187-BB20-400B8C02BE5A} =
{00F33137-EE26-412F-8D71-F84E4C2C6625} = C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Cover Designer
{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} = C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ShellExtension
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = D:\PROGRA~1\NORTON~1\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{100BD527-7304-4b7f-BEE2-26D97B04EBA4}
= C:\Programme\Nero\Nero8\Nero BackItUp\NBShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = D:\PROGRA~1\NORTON~1\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{100BD527-7304-4b7f-BEE2-26D97B04EBA4}
= C:\Programme\Nero\Nero8\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ShellExtension
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = D:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A}
SWEETIE Class = C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}
RealPlayer Download and Record Plugin for Internet Explorer = C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}
= C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}
Symantec Intrusion Prevention = C:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
Windows Live Anmelde-Hilfsprogramm = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}
SXG Advisor = C:\WINDOWS\dpvtporsdq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = Norton-Symbolleiste anzeigen : C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} = SweetIM For Internet Explorer : C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll
{2B17973C-27AE-45AD-BDFF-C143F7DCB542} = elfwgps : C:\WINDOWS\elfwgps.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}
ButtonText = In Blog veröffentlichen :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E59EB121-F339-4851-A3BA-FE49C35617C2}
ButtonText = ICQ6 : C:\Programme\ICQ6\ICQ.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} = Norton-Symbolleiste anzeigen : C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} = SweetIM For Internet Explorer : C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
High Definition Audio Property Page Shortcut HDAShCut.exe
SoundMAXPnP C:\Programme\Analog Devices\Core\smax4pnp.exe
SoundMAX "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
T-Online Dialerschutz-Software "C:\Programme\T-Online\Dialerschutz-Software\Defender.exe"
ccApp "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
osCheck "D:\Programme\osCheck.exe"
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
WinampAgent C:\Programme\Winamp\winampa.exe
SunJavaUpdateSched "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
NeroFilterCheck C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
NBKeyScan "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
SweetIM C:\Programme\Macrogaming\SweetIM\SweetIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
SweetIM C:\Programme\Macrogaming\SweetIM\SweetIM.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveAutoRun 67108863
NoDriveTypeAutoRun 255


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
aswmklt {6E3055BC-E6AB-4DE3-81F3-DFF8B232F3CF} = C:\WINDOWS\aswmklt.dll
bqxomdo {F9F50E48-D2F0-4238-AF7A-865E578C4F3F} = C:\WINDOWS\bqxomdo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2008-01-26 12:46:19

#8 Ess4life

1.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2B17973C-27AE-45AD-BDFF-C143F7DCB542}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2B17973C-27AE-45AD-BDFF-C143F7DCB542}]

Die Datei "fixme.reg" auf dem Desktop doppelklicken ~und der registry beifügen

»»
wende rvaxo. an « poste hier den Report
http://www.virus-protect.org/artikel/tools/rvaxo.html

--------------------------------------------------------------

Avenger
http://virus-protect.org/artikel/tools/avenger.html

Input script manually (anhaken)
die "Lupe" rechts anklicken - View/edit script (wird sich öffnen)

kopiere rein:

Zitat

Registry values to delete:
HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|aswmklt
HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|bqxomdo

Files to delete:
C:\WINDOWS\system32\svxmhpz.dll
C:\WINDOWS\dpvtporsdq.dll
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\bqxomdo.dll
C:\WINDOWS\aswmklt.dll

- schliesse alle offenen Programme (denn nach Anwendung des Avengers wird der Rechner neustarten)
- Klicke die grüne Ampel
- das Script wird nun ausgeführt, dann wird der PC nach Bestätigung (yes) neustarten

--poste das log vom Avenger, was nach neustart erscheint

»»
poste das log vom hijackThis
http://www.virus-protect.org/hjtkurz.html

»»
wende smitfraudfix an
http://www.virus-protect.org/artikel/tools/smitfrautfix.html
poste hier beide logs

»»
dann wäre es hilfreich, wenn du von den datfindbat-Logs alle abkopieren würdest, nicht nur C:\WINDOWS\system32 - sondern auch all die anderen....
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#9 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vqqkotat

*******************

Script file located at: \??\C:\rtlwvtrk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\svxmhpz.dll deleted successfully.
File C:\WINDOWS\dpvtporsdq.dll deleted successfully.
File C:\WINDOWS\elfwgps.dll deleted successfully.
File C:\WINDOWS\bqxomdo.dll deleted successfully.
File C:\WINDOWS\aswmklt.dll deleted successfully.
Registry value HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|aswmklt deleted successfully.
Registry value HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|bqxomdo deleted successfully.

Completed script processing.

*******************

Finished! Terminate.







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:59, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programme\T-Online\Dialerschutz-Software\DFInject.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programme\Avant Browser\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für HiJackThis.zip\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SXG Advisor - {DDBDB732-01E7-4B56-A995-6AD36DF1E32B} - C:\WINDOWS\dpvtporsdq.dll (file missing)
O3 - Toolbar: Norton-Symbolleiste anzeigen - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [T-Online Dialerschutz-Software] "C:\Programme\T-Online\Dialerschutz-Software\Defender.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Programme\osCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Programme\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SweetIM] C:\Programme\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O22 - SharedTaskScheduler: esperantido - {67dc0736-075a-4647-95f5-d5421b838fed} - (no file)
O23 - Service: Automatisches LiveUpdate - Scheduler (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: T-Online Dialerschutz Dienst (DFSVC) - T-Systems Enterprise Services GmbH - C:\Programme\T-Online\Dialerschutz-Software\DFInject.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9071 bytes

#10 »»
wende rvaxo. an « poste hier den Report
http://www.virus-protect.org/artikel/tools/rvaxo.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#11

Zitat

Pinguin postete
»»
wende rvaxo. an « poste hier den Report
http://www.virus-protect.org/artikel/tools/rvaxo.html

---RVAXO.exe Updated: [color=red]2008-01-26[/color]---first run---
Files found:
C:\WINDOWS\fvqkfsp.exe

Uninstallers Rogue scanners:


Folders Found:


Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

--------------RVAXO.exe finished----------------

#12 »»
wende smitfraudfix an
http://www.virus-protect.org/artikel/tools/smitfrautfix.html
poste hier beide logs
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#13 SmitFraudFix v2.274

Scan done at 14:20:51.25, 2008-01-26
Run from C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programme\T-Online\Dialerschutz-Software\DFInject.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\Programme\T-Online\Dialerschutz-Software\Defender.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
C:\Programme\Avant Browser\avant.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Symantec Network Security Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D3AA285-0EF5-47A1-9E57-B3C3696C50A9}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D3AA285-0EF5-47A1-9E57-B3C3696C50A9}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D3AA285-0EF5-47A1-9E57-B3C3696C50A9}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End






SmitFraudFix v2.274

Scan done at 14:25:23.43, 2008-01-26
Run from C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D3AA285-0EF5-47A1-9E57-B3C3696C50A9}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D3AA285-0EF5-47A1-9E57-B3C3696C50A9}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D3AA285-0EF5-47A1-9E57-B3C3696C50A9}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#14 ««
dann wäre es hilfreich, wenn du von den datfindbat-Logs alle abkopieren würdest, nicht nur C:\WINDOWS\system32 - sondern auch all die anderen....
http://virus-protect.org/datfindbat.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#15

Zitat

Pinguin postete
««
dann wäre es hilfreich, wenn du von den datfindbat-Logs alle abkopieren würdest, nicht nur C:\WINDOWS\system32 - sondern auch all die anderen....
http://virus-protect.org/datfindbat.html

wie kann ich denn die anderen logs erstellen?



Verzeichnis von C:\WINDOWS\system32

2008-01-26 14:29 2,206 wpa.dbl
2008-01-26 14:29 0 nmp.log
2008-01-26 14:25 3,200 tmp.reg
2008-01-26 14:25 0 tmp.txt
2008-01-26 14:00 632,584 RVAXO.bat
2008-01-26 11:24 16,832 amcompat.tlb
2008-01-26 11:24 23,392 nscompat.tlb
2008-01-15 19:02 109,401 nvapps.xml
2008-01-10 18:26 5,686 jupdate-1.6.0_03-b05.log
2008-01-03 19:47 49,152 VFind.exe
2008-01-02 19:21 17,642,616 MRT.exe

Verzeichnis von C:\WINDOWS

2008-01-26 14:30 1,625,553 WindowsUpdate.log
2008-01-26 14:29 0 0.log
2008-01-26 14:29 159 wiadebug.log
2008-01-26 14:29 50 wiaservc.log
2008-01-26 14:28 2,048 bootstat.dat
2008-01-26 14:28 419,684 ntbtlog.txt
2008-01-26 14:26 174,078 setupact.log
2008-01-26 14:23 18,246 SchedLgU.Txt
2008-01-26 13:21 227 system.ini
2008-01-26 11:24 96,413 spupdsvc.log
2008-01-26 11:24 316,640 WMSysPr9.prx
2008-01-26 11:24 78,160 wmsetup.log
2008-01-26 11:24 603 win.ini

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

2008-01-26 15:22 15 wnd.tmp
2008-01-26 15:21 798,234 IMT13.xml
2008-01-26 15:21 426 IMT12.xml
2008-01-26 15:21 2,036 IMT11.xml
2008-01-26 15:05 367,112 WT10.tmp
2008-01-26 14:57 367,112 WTF.tmp
2008-01-26 14:48 28,672 DW2E.tmp
2008-01-26 14:48 49,152 DW2C.tmp
2008-01-26 14:48 473,920 ins8.tmp
2008-01-26 14:33 167 jusched.log
2008-01-26 14:30 691 dfupdate.ini
11 Datei(en) 2,087,537 Bytes
0 Verzeichnis(se), 2,865,442,816 Bytes frei





Verzeichnis von c:\

2008-01-26 15:22 0 dirdat.txt
2008-01-26 14:28 2,145,386,496 pagefile.sys
2008-01-26 14:26 1,901 rapport.txt
2008-01-26 14:06 13,287 RVAXO-Vfind.log
2008-01-26 14:06 393 RVAXO-results.log
2008-01-26 14:05 248 firstrun4.log
2008-01-26 13:55 1,958 avenger.txt
2007-12-30 18:01 223 boot.ini
2007-12-30 16:01 0 CONFIG.SYS
2007-12-30 16:01 0 MSDOS.SYS
2007-12-30 16:01 0 IO.SYS
2007-12-30 16:01 0 AUTOEXEC.BAT
2004-08-03 22:59 251,184 ntldr
2004-08-03 22:38 47,564 NTDETECT.COM
2001-08-23 15:00 4,952 bootfont.bin
15 Datei(en) 2,145,708,206 Bytes
0 Verzeichnis(se), 2,865,553,408 Bytes frei
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 48A1-A952


das istdas was ich bekomme. es fehlen mir die logs von

C:\WINDOWS\temp\
C:\WINDOWS\Downloaded Program Files

oder?