Backdoor/Ciadoor 13, System Restore doesn't work... :(

Thread is closed!
17.07.2006, 01:38
Honorary member

Posts: 29434
#16 1.
delete:
C:\avenger\backup.zip

why are you ignoring what ewido wants to delete ????????
scan again and let it delete everything

2.
Go into the registry
Start - Run - regedit

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\
"DisableSR" dword:00000001 -> change to 0

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

"algchk.exe" -> delete

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

"svhost" --> delete
"winupdates" --> delete

restart the pc

Quote

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 49 domain names to IP addresses,
48 of the IP addresses are *not* localhost!
3.
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.
__________
Regards, Sabina

all about PC security
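Added example, not part of the thread: a small Python script that reads a HOSTS file and produces the same kind of summary Silent Runners printed above (how many names are mapped, how many of them point away from localhost), and lists the non-localhost mappings by target address so they can be reviewed before 'Restore Original Hosts' overwrites the file. The sample HOSTS content is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample HOSTS file (not the file from the thread). It mixes the
# standard localhost line, private-network names of the kind a home intranet
# adds, an ad-blocking entry pointed at loopback, and one public name
# redirected to a private address, which is the pattern a hijack shows.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.0.10    dev.intranet.local
192.168.0.11    wiki.intranet.local  intranet   # two names, one address
127.0.0.1       ads.example
10.0.0.5        www.example.com
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from HOSTS-file text.

    Comments and blank lines are skipped, one line may carry several names,
    and a line whose first field is not an IP address is ignored rather than
    raising: a tampered file is exactly what this is meant to run over.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs


def summarize_hosts(text):
    """Produce the summary Silent Runners prints for the HOSTS file, plus the
    non-localhost mappings grouped by target address so a reviewer can tell an
    intentional intranet entry from a redirect of a real site."""
    pairs = parse_hosts(text)
    by_ip = defaultdict(list)
    for ip, name in pairs:
        if not ip.is_loopback:  # 127.0.0.0/8 and ::1 count as localhost
            by_ip[str(ip)].append(name)
    domains = {name for _, name in pairs}
    not_local = {name for names in by_ip.values() for name in names}
    return {
        "domains": len(domains),
        "not_localhost": len(not_local),
        "by_ip": dict(by_ip),
    }


if __name__ == "__main__":
    s = summarize_hosts(SAMPLE_HOSTS)
    print(f"maps: {s['domains']} domain names to IP addresses,")
    print(f"{s['not_localhost']} of the IP addresses are *not* localhost!")
    for ip, names in s["by_ip"].items():
        print(f"  {ip:<15} -> {', '.join(names)}")
```

The counts are per hostname, so a line with several names counts each of them; Silent Runners' own numbers may be computed per line.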
17.07.2006, 10:53
Member

Thread starter

Posts: 34
#17 On ewido:
I did "Run all actions" (or something like that) as described in the guide.... No idea....


OK. The actions have been carried out.

So. System Restore now shows this:

"System Restore is not able to protect your computer. Please restart the computer and then run System Restore again."

I've already restarted twice now. It still says the same thing. ;)


The hosts thing came about because I once set up my own intranet (for PHP programming). So don't be surprised. All my computer science course mates were in there.

Is everything cleaned up? Is there more to come? Or is everything fine again now? ;)

_________________________________________________________________

P.S.: I'm really amazed at your knowledge! I do know a thing or two, but you top everything. I could never help someone with EVERY virus...

So really big praise from me so far... ;)
This post was edited on 17.07.2006 at 11:51 by Marsel.
17.07.2006, 12:26
Honorary member

Posts: 29434
#18 To open the services console explicitly, type under
Start - Run: services.msc
All running services are now displayed.

System Restore Service -> check whether the service is started and report back

Startup types: Manual, Automatic, Disabled
Default setting: Automatic

----------------------------------------------------------------------------

1.
post the silentrunner log again

2.
winpfind log
http://virus-protect.org/winpfind.html

3.
post this log (as an attachment)..see below
http://virus-protect.org/registry_stuff.html
__________
Regards, Sabina

all about PC security
17.07.2006, 13:36
Member

Thread starter

Posts: 34
#19 When I click start, this comes up:

"The service "System Restore Service" on "Local Computer" could not be started.
Error 2: The system cannot find the file specified"


_________________________________________________________________
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CloneCDTray" = ""C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "URLLink"
\InProcServer32\(Default) = "C:\Programme\NewDotNet\newdotnet7_22.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "Verlauf"
-> {HKCU...CLSID} = "Verlauf"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "Internet"
-> {HKCU...CLSID} = "Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX-Cacheordner"
-> {HKCU...CLSID} = "ActiveX-Cacheordner"
\InProcServer32\(Default) = "C:\WINDOWS\System32\occache.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKCU...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Apps\RecordNow\shlext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\
HIJACK WARNING! "DisableConfig"=dword:00000001
[disables options on Control Panel|System|System Restore (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp"


Startup items in "Marcel Raven" & "All Users" startup folders:
--------------------------------------------------------------

C:\Dokumente und Einstellungen\Marcel Raven\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
INFECTION WARNING! "batfilename.bat" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office OneNote 2003 Schnellstart" -> shortcut to: "C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 27 - 28


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{0277056B-9702-436A-B8EA-651414F62F17}\
"MenuText" = "Add to Local Website Archive"
"Exec" = "C:\Programme\Local Website Archive\wsarc_add.exe" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]

{77912BE8-16E7-49F9-BDC2-694EAE680A96}\
"ButtonText" = "LWA - Add"
"Exec" = "C:\Programme\Local Website Archive\wsarc_add.exe" [file not found]

{7FE73B85-A552-4082-AFA6-46B9D6A0509C}\
"ButtonText" = "LWA - Load"
"Exec" = "C:\Programme\Local Website Archive\wsarc.exe" [file not found]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.freenet.de

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Adobe Active File Monitor V4, AdobeActiveFileMonitor4.0, "C:\Programme\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe" [null data]
AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
SmartLinkService, SLService, "slserv.exe" [" "]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Canon BJ Language Monitor i560\Driver = "CNMLM58.DLL" ["CANON INC."]
FPP2:\Driver = "fppmon2.dll" ["FinePrint Software, LLC"]
LPR Port\Driver = "lprmon.dll" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 148 seconds, including 4 seconds for message boxes)
_________________________________________________________________


The rest follows....
This post was edited on 17.07.2006 at 13:46 by Marsel.
17.07.2006, 13:51
Honorary member

Posts: 29434
#20 yes of course...you didn't set the reg key to 0:

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\ "DisableConfig"=dword:00000001
__________
Regards, Sabina

all about PC security
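Added example, not part of the thread: a Python triage pass over a Silent Runners report of the kind posted above. It pulls out every INFECTION/HIJACK WARNING line together with the registry key it sits under, the launch points whose file is gone ([file not found]), and the SystemRestore policy values, so that every policy value still set to 1 is listed rather than only the one a first look at the log picked up. The excerpt it runs on is constructed in the report's format.

```python
import re

# Constructed excerpt in Silent Runners' report format (not the thread's own
# log); the entries mirror the kinds of lines such a report contains.
SAMPLE_LOG = r'''
Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "URLLink"
\InProcServer32\(Default) = "C:\Programme\NewDotNet\newdotnet7_22.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

Group Policies [Description]:
-----------------------------

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\
HIJACK WARNING! "DisableConfig"=dword:00000001
[disables options on Control Panel|System|System Restore (tab)]
HIJACK WARNING! "DisableSR"=dword:00000001
'''

# A registry key line starts with a hive and ends with a backslash, optionally
# followed by Silent Runners' " {++}" marker for keys that also hold defaults.
KEY_RE = re.compile(r'^HK(?:LM|CU|CR|U)\\.*\\(?: \{\+\+\})?$')
WARNING_RE = re.compile(r'^(INFECTION|HIJACK) WARNING!\s+(.*)$')
POLICY_RE = re.compile(r'"(DisableSR|DisableConfig)"\s*=\s*dword:([0-9A-Fa-f]{8})')
# The trailing [..] is the file's company name, [MS], [null data], [file not found] etc.
TAG_RE = re.compile(r'\[([^\[\]]*)\]\s*$')


def triage(log_text):
    """Walk a Silent Runners report and collect what a reviewer should look at.

    Returns a dict with:
      warnings      - each INFECTION/HIJACK WARNING line, the key it sits
                      under and its trailing [company] tag, if any
      missing_files - launch points whose file is gone ([file not found])
      system_restore_policy - DisableSR / DisableConfig values as integers
    A warning only means "review this": Silent Runners flags every
    ShellExecuteHook and Winlogon\\Notify entry, so a legitimate anti-malware
    hook or Microsoft's WgaLogon.dll shows up there as well.
    """
    findings = {"warnings": [], "missing_files": [], "system_restore_policy": {}}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):
            current_key = line.replace(" {++}", "")
            continue
        tag = TAG_RE.search(line)
        m = WARNING_RE.match(line)
        if m:
            findings["warnings"].append({
                "kind": m.group(1),
                "key": current_key,
                "entry": m.group(2),
                "tag": tag.group(1) if tag else None,
            })
        m = POLICY_RE.search(line)
        # Accept the value both under a key block and on a one-line "key value" form.
        if m and ("SystemRestore\\" in line
                  or (current_key or "").endswith("SystemRestore\\")):
            findings["system_restore_policy"][m.group(1)] = int(m.group(2), 16)
        if tag and tag.group(1) == "file not found":
            findings["missing_files"].append({"key": current_key, "entry": line})
    return findings


def system_restore_blocked(findings):
    """Names of SystemRestore policy values that are present and non-zero; each
    has to be set to 0 (or removed) before System Restore can be used again."""
    return [name for name, value in findings["system_restore_policy"].items()
            if value != 0]


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for w in f["warnings"]:
        print(f"{w['kind']:<9} {w['key']}\n          {w['entry']}  tag={w['tag']}")
    for mf in f["missing_files"]:
        print("MISSING  ", mf["key"], mf["entry"])
    print("System Restore blocked by:", system_restore_blocked(f))
```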
17.07.2006, 14:28
Member

Thread starter

Posts: 34
#21 So. I changed it. But it still says the same thing... I don't know either.

So here's the rest of WinPFind and Find stuff:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 18.03.2005 18:19:58 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 26.05.2005 16:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 22.07.2005 20:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
PEC2 02.04.2003 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 19.04.2006 22:09:20 619156 C:\WINDOWS\SYSTEM32\divx.dll
PECompact2 19.04.2006 22:09:20 619156 C:\WINDOWS\SYSTEM32\divx.dll
aspack 30.01.2006 16:17:48 69632 C:\WINDOWS\SYSTEM32\dspel.dll
UPX! 24.11.2001 19:28:14 86528 C:\WINDOWS\SYSTEM32\DVDVideo.ax
PTech 19.06.2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 07.07.2006 03:21:46 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 00:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 00:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 23.07.2001 09:29:32 552960 C:\WINDOWS\SYSTEM32\saxzip.ocx
UPX! 30.01.2006 16:17:48 202752 C:\WINDOWS\SYSTEM32\stg32.isd
UPX! 19.12.2004 23:00:00 111104 C:\WINDOWS\SYSTEM32\uharc.exe
UPX! 29.10.2000 16:34:26 64512 C:\WINDOWS\SYSTEM32\Unzip32.dll
aspack 28.01.2006 21:35:14 101888 C:\WINDOWS\SYSTEM32\Vb6stkit.dll
winsync 02.04.2003 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 19.06.2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe
aspack 18.06.2006 12:33:40 H 818176 C:\WINDOWS\SYSTEM32\wodfamoh.dll
UPX! 29.10.2000 16:33:22 65536 C:\WINDOWS\SYSTEM32\Zip32.dll

Checking %System%\Drivers folder and sub-folders...
PTech 21.01.2003 16:25:16 1290312 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
17.07.2006 14:17:46 S 2048 C:\WINDOWS\bootstat.dat
16.07.2006 19:01:30 HS 85504 C:\WINDOWS\Thumbs.db
02.07.2006 21:23:04 RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
02.07.2006 21:23:04 RH 0 C:\WINDOWS\assembly\pubpol1.dat
02.07.2006 22:04:38 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index26.dat
17.07.2006 01:41:04 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index37.dat
17.07.2006 01:41:08 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index38.dat
07.07.2006 10:39:10 HS 8192 C:\WINDOWS\Help\Thumbs.db
21.06.2006 17:34:00 H 0 C:\WINDOWS\inf\oem29.inf
14.07.2006 22:37:36 H 0 C:\WINDOWS\LastGood\INF\oem30.inf
14.07.2006 22:37:36 H 0 C:\WINDOWS\LastGood\INF\oem30.PNF
07.07.2006 10:56:22 H 0 C:\WINDOWS\LastGood.Tmp\INF\oem30.inf
07.07.2006 10:56:22 H 0 C:\WINDOWS\LastGood.Tmp\INF\oem30.PNF
21.06.2006 18:17:10 HS 34816 C:\WINDOWS\ServicePackFiles\i386\Thumbs.db
06.07.2006 19:11:50 HS 10752 C:\WINDOWS\ShellNew\Thumbs.db
07.07.2006 13:44:36 H 21 C:\WINDOWS\system32\routerinit.exe
07.07.2006 15:08:42 HS 36352 C:\WINDOWS\system32\Thumbs.db
18.06.2006 12:33:40 H 818176 C:\WINDOWS\system32\wodfamoh.dll
19.05.2006 17:53:42 S 16203 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914388.cat
29.05.2006 18:16:04 S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
01.06.2006 22:28:44 S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
19.06.2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
17.07.2006 14:18:10 H 40960 C:\WINDOWS\system32\config\DEFAULT.LOG
17.07.2006 14:17:50 H 1024 C:\WINDOWS\system32\config\SAM.LOG
17.07.2006 14:17:48 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
17.07.2006 14:25:16 H 651264 C:\WINDOWS\system32\config\SOFTWARE.LOG
17.07.2006 14:18:50 H 311296 C:\WINDOWS\system32\config\SYSTEM.LOG
14.07.2006 22:46:56 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
14.07.2006 22:56:18 S 4191 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70
14.07.2006 22:56:18 S 128 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70
19.05.2006 16:14:06 H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf
16.06.2006 22:38:36 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\c7d60385-452c-4681-9d93-9bbcbd2ecbc6
16.06.2006 22:38:36 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
04.07.2006 09:55:50 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3b9f83d2-4b48-4f4f-88df-52b10938d8f3
04.07.2006 09:55:50 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
17.07.2006 14:17:54 H 6 C:\WINDOWS\Tasks\SA.DAT
06.07.2006 23:16:18 HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
06.07.2006 23:16:18 HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\4PQ7KPU7\desktop.ini
06.07.2006 23:16:18 HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\GFZS1COA\desktop.ini
06.07.2006 23:16:18 HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\NFJK27Q4\desktop.ini
06.07.2006 23:16:18 HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\WRL8HKE7\desktop.ini
06.07.2006 23:16:18 HS 113 C:\WINDOWS\TEMP\Verlauf\History.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 04.08.2004 00:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 00:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
10.05.2001 17:00:00 184832 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 04.08.2004 00:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 00:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 00:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 00:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 00:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 00:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 00:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03.05.2006 02:56:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 02.04.2003 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 00:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 02.04.2003 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 00:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 00:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04.08.2004 00:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 00:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
17.01.2003 02:55:36 397312 C:\WINDOWS\SYSTEM32\slcpappl.cpl
29.12.2002 01:14:38 81920 C:\WINDOWS\SYSTEM32\Startup.cpl
Microsoft Corporation 04.08.2004 00:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 02.04.2003 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 00:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 00:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 00:58:24 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04.08.2004 00:58:24 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
17.07.2006 14:18:22 2319 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Acrobat - Schnellstart.lnk
19.06.2006 14:21:04 1747 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
27.06.2003 19:29:00 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
20.10.2005 16:28:42 1784 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office OneNote 2003 Schnellstart.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
31.03.2006 19:07:50 305 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html
27.06.2003 19:21:00 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
26.06.2006 16:29:36 1012 C:\Dokumente und Einstellungen\Marcel Raven\Startmenü\Programme\Autostart\Adobe Gamma.lnk
28.05.2006 14:04:02 42 C:\Dokumente und Einstellungen\Marcel Raven\Startmenü\Programme\Autostart\batfilename.bat
06.03.2005 18:30:54 HS 169 C:\Dokumente und Einstellungen\Marcel Raven\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
27.06.2003 19:21:00 HS 62 C:\Dokumente und Einstellungen\Marcel Raven\Anwendungsdaten\desktop.ini
20.09.2005 22:51:34 246752 C:\Dokumente und Einstellungen\Marcel Raven\Anwendungsdaten\GDIPFONTCACHEV1.DAT
17.12.2004 22:24:46 41 C:\Dokumente und Einstellungen\Marcel Raven\Anwendungsdaten\sversion.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Copy To
Copy To =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programme\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Programme\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Programme\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Copy To
{C2FBB630-2971-11d1-A18C-00C04FD75D13} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programme\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
URLLink = C:\Programme\NewDotNet\newdotnet7_22.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion :
{E0E899AB-F487-11D5-8D29-0050BA6940E3} = :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{77912BE8-16E7-49F9-BDC2-694EAE680A96}
ButtonText = LWA - Add : C:\Programme\Local Website Archive\wsarc_add.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{7FE73B85-A552-4082-AFA6-46B9D6A0509C}
ButtonText = LWA - Load : C:\Programme\Local Website Archive\wsarc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B205A35E-1FC4-4CE3-818B-899DBBB3388C}
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
CloneCDTray "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
avgnt "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
SunJavaUpdateSched C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
Acrobat Assistant 7.0 "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Washer\washidx.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -trayboot

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item apdproxy
hkey HKLM
command "C:\Programme\Adobe\Photoshop Elements 4.0\apdproxy.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item apdproxy
hkey HKLM
command "C:\Programme\Adobe\Photoshop Elements 4.0\apdproxy.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ICQ Lite
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQLite
hkey HKLM
command "C:\Programme\ICQLite\ICQLite.exe" -minimize
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQLite
hkey HKLM
command "C:\Programme\ICQLite\ICQLite.exe" -minimize
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Programme\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Programme\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 2
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoSharedDocuments 0
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
NoInternetOpenWith 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun ‘
NoDrives
ClearRecentDocsOnExit 1
NoDesktop 0
NoNetHood 0
NoInternetIcon 0
NoSharedDocuments
NoRecentDocsHistory 1
NoCDBurning 0
FoFileAssociate 0
StartMenuLogoff 0
NoShellSearchButton 1
NoLowDiskSpaceChecks 0
HideClock 0
NoRecentDocsMenu 0
NoFolderOptions 0
NoUserNameInStartMenu 0
NoRecentDocsNetHood 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 17.07.2006 14:27:50


Here Find stuff:

doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess


;)
17.07.2006, 15:13
Honorary member
Sabina

Posts: 29434
#22 1.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools <-- delete

2.
Edit - Find - new.net (delete everything you find)

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\new.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net
HKEY_LOCAL_MACHINE\software\new.net
HKEY_CURRENT_USER\Software\New.net

etc. etc....

3.
Edit - Find - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}

likewise delete everything you find.

4.
Restart the PC

--------------------------------------------------------------------------

5.
that coincides with the date of infection
19.05.2006 16:14:06 H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf

19.05.2006 15:15 292.864 svhost.exe
19.05.2006 15:15 6.144 svhost.007
19.05.2006 15:15 5.120 svhost.006


check the Properties via right-click and report what it belongs to.

C:\WINDOWS\system32\drivers\umdf

also write whether a .sys exists for this driver.

6.
ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- unzip
- double-click the file ServiceFilter.vbs
- confirm the version number
- scan
- allow WordPad or Notepad to open
- copy POST_THIS.TXT

7.
virustotal
At the top of the page --> click Browse --> paste the file with the correct path --> double-click the file to be checked --> click Submit... now wait
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\routerinit.exe
C:\WINDOWS\system32\wodfamoh.dll
C:\WINDOWS\system32\drivers\umdf.sys





__________
Regards, Sabina

all around PC security
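As an added illustration of the triage steps in the post above (this is not a tool from the thread, from Sabina or from the forum): a read-only PowerShell script that walks the same autostart locations the WinPFind log lists (Run/RunOnce/RunServices keys, Browser Helper Objects, Winlogon\Notify), reports each entry's target file with its SHA1 for a VirusTotal lookup, and flags entries whose file is missing, is not validly signed, or matches an indicator from this thread. It assumes PowerShell 5.1 or later on a current Windows run from an elevated prompt (the XP machine in this thread predates PowerShell); the indicator lists are constructed from this thread (the NewDotNet BHO CLSID from the log, the new.net and svhost names) and are the only page-specific values in it. Nothing is deleted; the script only reports, so the decision to remove an entry stays with the person reading the output.

```powershell
# Added example, not part of the thread. Read-only triage of common autostart
# locations: reports targets and flags, never deletes anything.
# Assumes PowerShell 5.1+ (Get-FileHash) and an elevated prompt for HKLM reads.

# Indicators taken from this thread (constructed list; extend with your own findings).
$SuspectClsids = @('{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}')   # the NewDotNet BHO in the log
$SuspectNames  = @('new.net', 'newdot', 'svhost')              # names discussed in the thread

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutableFromCommand {
    # Pull the program path out of a Run value such as  "C:\x\y.exe" /s
    # or  rundll32 C:\x\y.DLL,ClientStartup -s  (the NewDotNet form in the log).
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $tokens = $cmd -split '\s+', 3
    if ($tokens[0] -match '^rundll32(\.exe)?$' -and $tokens.Count -gt 1) {
        return ($tokens[1] -split ',')[0]
    }
    return $tokens[0]
}

function Get-AutostartReport {
    # One report row per autostart entry; Flags is empty when nothing stands out.
    param([string]$Location, [string]$Name, [string]$Target, [string[]]$ExtraFlags = @())
    $flags = @($ExtraFlags)
    $sha1  = $null
    if (-not $Target) {
        $flags += 'empty target'
    } elseif (-not (Test-Path -LiteralPath $Target)) {
        $flags += 'file missing'            # dangling entry, or a file already removed
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $Target
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        $sha1 = (Get-FileHash -LiteralPath $Target -Algorithm SHA1).Hash
    }
    foreach ($s in $SuspectNames) {
        if ($Name -like "*$s*" -or $Target -like "*$s*") { $flags += "name matches '$s'"; break }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Target = $Target
                       SHA1 = $sha1; Flags = ($flags -join ', ') }
}

# 1. Run / RunOnce / RunServices / policies\Explorer\Run
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PSPath, PSParentPath, ... metadata
        Get-AutostartReport $key $p.Name (Get-ExecutableFromCommand "$($p.Value)")
    }
}

# 2. Browser Helper Objects: subkey name is the CLSID, DLL is under HKCR\CLSID\{..}\InprocServer32
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { '' }
        $extra = @()
        if ($SuspectClsids -contains $clsid) { $extra += 'CLSID named in this thread' }
        Get-AutostartReport $bhoKey $clsid ([Environment]::ExpandEnvironmentVariables("$dll")) $extra
    }
}

# 3. Winlogon\Notify packages: DLLName is usually a bare file name resolved from system32
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
        Get-AutostartReport $notifyKey $sub.PSChildName "$dll"
    }
}
```

Saved as, say, Get-Autostarts.ps1 (an assumed file name), it is run as `.\Get-Autostarts.ps1 | Where-Object Flags | Format-Table -AutoSize` to see only the rows that need a look; the SHA1 column is what you paste into VirusTotal's hash search instead of uploading the file. A missing signature on its own is not proof of anything (plenty of legitimate 2006-era tools in the log above are unsigned), which is why the script records flags rather than acting on them.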
17.07.2006, 19:11
Member

Thread starter

Posts: 34
#23 Okay.

What do you mean by the Properties? There is now only one .dll file left in this folder.
_________________________________________________________________

Here ServiceFilter:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jul 17, 2006 19:01:24


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: AdobeLM ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 2
Service Name: AdobeActiveFileMonitor4.0
Display Name: Adobe Active File Monitor V4
Start Mode: Auto
Start Name: LocalSystem
Description: Verfolgt Dateien, die von Adobe Photoshop Elements verwaltet ...
Service Type: Own Process
Path: c:\programme\adobe\photoshop elements 4.0\photoshopelementsfileagent.exe
State: Running
Process ID: 1900
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 3
Service Name: AntiVirScheduler
Display Name: AntiVir Scheduler
Start Mode: Auto
Start Name: LocalSystem
Description: Dienst zur Planung und Steuerung von Prüf- und Updateaufgaben der AntiVir PersonalEdition ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\sched.exe
State: Running
Process ID: 1932
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 4
Service Name: AntiVirService
Display Name: AntiVir PersonalEdition Classic Service
Start Mode: Auto
Start Name: LocalSystem
Description: Echtzeit Virenschutz durch H+BEDV AntiVir ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\avguard.exe
State: Running
Process ID: 1952
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #5
Service Name: aspnet_state
Display Name: ASP.NET State Service
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, ...
Service Type: Own Process
Path: c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 6
Service Name: clr_optimization_v2.0.50727_32
Display Name: .NET Runtime Optimization Service v2.0.50727_X86
Start Mode: Manual
Start Name: LocalSystem
Description: Microsoft .NET Framework ...
Service Type: Own Process
Path: c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 7
Service Name: de_serv
Display Name: AVM FRITZ!web Routing Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\gemeinsame dateien\avm\de_serv.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 8
Service Name: ewido anti-spyware 4.0 guard
Display Name: ewido anti-spyware 4.0 guard
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\ewido anti-spyware 4.0\guard.exe
State: Running
Process ID: 200
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 9
Service Name: FileZilla Server
Display Name: FileZilla Server FTP server
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\xampp\filezillaftp\filezillaserver.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 10
Service Name: IDriverT
Display Name: InstallDriver Table Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Provides support for the Running Object Table for InstallShield ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\installshield\driver\1050\intel 32\idrivert.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 11
Service Name: LogoMedia TranslateDotNet Server
Display Name: LogoMedia TranslateDotNet Server
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\power translator\logomedia translatedotnet server.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 12
Service Name: LPDSVC
Display Name: TCP/IP-Druckserver
Start Mode: Manual
Start Name: LocalSystem
Description: Bietet einen TCP/IP-basierten Druckdienst, der das 'Line Printer'-Protokoll ...
Service Type: Share Process
Path: c:\windows\system32\tcpsvcs.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #13
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Unterstützt lokales und remotes Debuggen für Visual Studio- und Skript-Debugger. Wenn dieser ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 300
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #14
Service Name: Nla
Display Name: NLA (Network Location Awareness)
Start Mode: Boot
Start Name: LocalSystem
Description: Sammelt und speichert Netzwerkkonfigurations- und Standortinformationen und benachrichtigt ...
Service Type: Share Process
Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1208
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 15
Service Name: odserv
Display Name: Microsoft Office Diagnostics Service
Start Mode: Manual
Start Name: LocalSystem
Description: Run portions of Microsoft Office ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\microsoft shared\office12\odserv.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #16
Service Name: ose
Display Name: Office Source Engine
Start Mode: Manual
Start Name: LocalSystem
Description: Speichert Installationsdateien, die für Updates und Reparieren verwendet werden, und ist zum ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\microsoft shared\source engine\ose.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 17
Service Name: p2pgasvc
Display Name: Peernetzwerk-Gruppenauthentifizierung
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Bietet Netzwerkauthentifizierung für ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k p2psvc
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 18
Service Name: p2pimsvc
Display Name: Peernetzwerkidentitäts-Manager
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Bietet einen Identitätendienst für ein ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k p2psvc
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 19
Service Name: p2psvc
Display Name: Peernetzwerk
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Bietet ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k p2psvc
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 20
Service Name: PNRPSvc
Display Name: Peer Name Resolution-Protokoll
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Aktiviert serverlose Peer Name Resolution über das ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k p2psvc
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #21
Service Name: SLService
Display Name: SmartLinkService
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: slserv.exe
State: Running
Process ID: 544
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #22
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{2c3ebb88-abd5-4c5f-8214-4f801a532610}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 23
Service Name: TUWinStylerThemeSvc
Display Name: TuneUp WinStyler Theme Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\programme\tuneup utilities 2006\winstylerthemesvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 24
Service Name: WudfSvc
Display Name: Windows Driver Foundation - User-mode Driver Framework
Start Mode: Manual
Start Name: LocalSystem
Description: Manages user-mode driver host ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k wudfservicegroup
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 106 Win32 services on this machine.
24 were unrecognized.

Script Execution Time: 3,5625 seconds.
_________________________________________________________________

Now the virus scans:

About routerinit.exe I have to say that I created it with Notepad, because Windows asked for it at every startup and it was not present in the system32 folder. So I created it and simply copied it in, and since then it has been quiet.

STATUS: FINISHED
Complete scanning result of "wodfamoh.dll", received in VirusTotal at 07.17.2006, 19:07:00 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.17.2006 no virus found
Authentium 4.93.8 07.14.2006 no virus found
Avast 4.7.844.0 07.14.2006 no virus found
AVG 386 07.17.2006 no virus found
BitDefender 7.2 07.17.2006 no virus found
CAT-QuickHeal 8.00 07.17.2006 no virus found
ClamAV devel-20060426 07.15.2006 no virus found
DrWeb 4.33 07.17.2006 no virus found
eTrust-InoculateIT 23.72.70 07.16.2006 no virus found
eTrust-Vet 12.6.2298 07.17.2006 no virus found
Ewido 4.0 07.17.2006 no virus found
Fortinet 2.77.0.0 07.16.2006 no virus found
F-Prot 3.16f 07.17.2006 no virus found
F-Prot4 4.2.1.29 07.17.2006 no virus found
Ikarus 0.2.65.0 07.17.2006 no virus found
Kaspersky 4.0.2.24 07.17.2006 no virus found
McAfee 4808 07.17.2006 no virus found
Microsoft 1.1508 07.17.2006 no virus found
NOD32v2 1.1664 07.17.2006 no virus found
Norman 5.90.23 07.17.2006 no virus found
Panda 9.0.0.4 07.16.2006 no virus found
Sophos 4.07.0 07.17.2006 no virus found
Symantec 8.0 07.17.2006 no virus found
TheHacker 5.9.8.176 07.17.2006 no virus found
UNA 1.83 07.14.2006 no virus found
VBA32 3.11.0 07.17.2006 no virus found
VirusBuster 4.3.7:9 07.17.2006 no virus found


Aditional Information
File size: 818176 bytes
MD5: 40e2565fe24b345c99cf1b898c50c244
SHA1: a0824a2d71f174f3fbf4000526071d61cd510479
packers: Aspack



_________________________________________________________________





STATUS: FINISHED
Complete scanning result of "umdf.sys", received in VirusTotal at 07.17.2006, 19:10:00 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
Norman SandBox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 7752 bytes.

[ Changes to system settings ]
* Enumerates RAS connections.
* Set dialer properties to dial () 5.
* Attempts to dial out.
17.07.2006, 20:31
Honorary member
Sabina

Posts: 29434
#24

Quote

What do you mean by the properties? There is only one .dll file left in this folder.
Is it WudfSvc.dll? Or what is it called?
Have the dll checked by virustotal.
__________
Kind regards, Sabina

all about PC security
17.07.2006, 20:38
Member

Thread starter

Posts: 34
#25 No, it is:

wpdmtpdr.dll

Here is the scan report.

STATUS: FINISHED
Complete scanning result of "wpdmtpdr.dll", received in VirusTotal at 07.17.2006, 20:36:35 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.17.2006 no virus found
Authentium 4.93.8 07.14.2006 no virus found
Avast 4.7.844.0 07.14.2006 no virus found
AVG 386 07.17.2006 no virus found
BitDefender 7.2 07.17.2006 no virus found
CAT-QuickHeal 8.00 07.17.2006 no virus found
ClamAV devel-20060426 07.15.2006 no virus found
DrWeb 4.33 07.17.2006 no virus found
eTrust-InoculateIT 23.72.70 07.16.2006 no virus found
eTrust-Vet 12.6.2298 07.17.2006 no virus found
Ewido 4.0 07.17.2006 no virus found
Fortinet 2.77.0.0 07.16.2006 no virus found
F-Prot 3.16f 07.17.2006 no virus found
F-Prot4 4.2.1.29 07.17.2006 no virus found
Ikarus 0.2.65.0 07.17.2006 no virus found
Kaspersky 4.0.2.24 07.17.2006 no virus found
McAfee 4808 07.17.2006 no virus found
Microsoft 1.1508 07.17.2006 no virus found
NOD32v2 1.1664 07.17.2006 no virus found
Norman 5.90.23 07.17.2006 no virus found
Panda 9.0.0.4 07.16.2006 no virus found
Sophos 4.07.0 07.17.2006 no virus found
Symantec 8.0 07.17.2006 no virus found
TheHacker 5.9.8.176 07.17.2006 no virus found
UNA 1.83 07.14.2006 no virus found
VBA32 3.11.0 07.17.2006 no virus found
VirusBuster 4.3.7:9 07.17.2006 no virus found


Aditional Information
File size: 646656 bytes
MD5: f3e7615bdece8072c46948128421353a
SHA1: dda5f777f03dee22b3559d63ac7fb446de7a889e
_________________________________________________________________


and the other one is called, as already known: MsftWdf_user_01_00_00.Wdf
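The umdf.sys and wpdmtpdr.dll reports above use VirusTotal's plain-text format of the time: one line per engine with version, update date and result, followed by size and hashes. As an added example, not code from the thread or from VirusTotal, here is a parser for that format that also flags what the umdf.sys report actually shows: a 0-byte upload whose MD5 and SHA1 are the hashes of empty input, so the 27 "no virus found" verdicts say nothing about the driver on disk. The two sample reports embedded below are constructed, abbreviated copies of the pasted ones; the file name, detection name, size and hashes in the second sample are placeholders.

```python
"""Parse VirusTotal plain-text reports and sanity-check the submission (added example)."""
import hashlib
import re

# One engine per line: "<engine> <version> <update date> <result>"; when the engine
# fields were missing the thread's paste shows "n -" in their place.
RESULT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
CLEAN = "no virus found"

# Hashes of zero-length input: a report carrying these scanned an empty file.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Constructed abbreviation of the umdf.sys report posted in the thread.
SAMPLE_EMPTY = '''STATUS: FINISHED
Complete scanning result of "umdf.sys", received in VirusTotal at 07.17.2006, 19:10:00 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Kaspersky n - no virus found
Sophos n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
'''

# Constructed report with one hit; name, detection, size and hashes are placeholders.
SAMPLE_HIT = '''Complete scanning result of "example.dll", received in VirusTotal at 07.17.2006, 20:36:35 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.17.2006 no virus found
Kaspersky 4.0.2.24 07.17.2006 PLACEHOLDER.Detection.Name
Sophos 4.07.0 07.17.2006 no virus found

Aditional Information
File size: 12345 bytes
MD5: abababababababababababababababab
SHA1: cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd
'''


def parse_report(text):
    """Return file name, per-engine results and the file metadata of one report."""
    info = {"filename": None, "results": {}, "size": None, "md5": None, "sha1": None}
    m = re.search(r'scanning result of "(.+?)"', text)
    if m:
        info["filename"] = m.group(1)
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Antivirus Version Update Result"):
            in_table = True          # engine rows follow until the first blank line
            continue
        if in_table:
            if not line:
                in_table = False
                continue
            m = RESULT_LINE.match(line)
            if m:
                engine, _version, _update, result = m.groups()
                info["results"][engine] = result
            continue
        m = re.match(r"File size:\s*(\d+)\s*bytes", line)
        if m:
            info["size"] = int(m.group(1))
        m = re.match(r"MD5:\s*([0-9a-fA-F]{32})$", line)
        if m:
            info["md5"] = m.group(1).lower()
        m = re.match(r"SHA1:\s*([0-9a-fA-F]{40})$", line)
        if m:
            info["sha1"] = m.group(1).lower()
    return info


def assess(text):
    """Summarise a report: engine count, detections, and whether the upload was empty."""
    info = parse_report(text)
    detections = {e: r for e, r in info["results"].items() if r.lower() != CLEAN}
    empty = (info["size"] == 0 or info["md5"] == EMPTY_MD5
             or info["sha1"] == EMPTY_SHA1)
    return {
        "filename": info["filename"],
        "engines": len(info["results"]),
        "detections": detections,
        "empty_submission": empty,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_HIT):
        summary = assess(sample)
        print(summary["filename"], summary)
        if summary["empty_submission"]:
            print("  -> empty upload: the verdicts cover no file content at all")
```

A clean verdict is only meaningful when the hashes in the report match the file on disk; a 0-byte upload with the empty-input hashes should be resubmitted (a kernel driver that cannot be read by a normal user is a typical reason for such an upload).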
17.07.2006, 20:41
Honorary member
Sabina

Posts: 29434
#26 scan with kaspersky and post the scan report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security
17.07.2006, 20:50
Member

Thread starter

Posts: 34
#27 What? The .dll file?

It doesn't detect anything there.

The scan is complete.
No malware has been detected. The sections that have been scanned are CLEAN.




Is everything cleaned up for now?


Is there no more reply coming?
This post was edited on 17.07.2006 at 23:42 by Marsel.
18.07.2006, 12:19
Honorary member
Sabina

Posts: 29434
#28 Marsel

Quote

Is there no more reply coming?
well, you will surely grant me that I have other things to do than sit in front of the PC all the time ;)

I can't find anything more either; only the driver that installed itself at the same time as the virus is puzzling.
But since I don't know what it belongs to...........

Please use Gmer http://www.gmer.net/files.php . Start it and check whether it already reports something. If it does, answer all questions with no, go to the Rootkit tab, again answer the question with no, and paste the report here using Copy. If it reports nothing that way, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report.
__________
Kind regards, Sabina

all about PC security
18.07.2006, 13:30
Member
Chris4You

Posts: 694
#29 Hi,

perhaps System Restore not running is due to the following:

On my machine, besides the registry keys (DisableSR, ...), I also had to flip the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
set the value "Start" (REG_DWORD) from "4" to "0" and
reboot...

Then it should run again, System Restore :o)

Regards,
Chris
18.07.2006, 13:41
Honorary member
Sabina

Posts: 29434
#30 good tip ;)

Quote

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
set the value "Start" (REG_DWORD) from "4" to "0" and
reboot...
+
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\

"DisableSR"=dword:00000001 -> 0
"DisableConfig"=dword:00000001 -> 0
__________
Kind regards, Sabina

all about PC security
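The fix discussed in the last two posts touches three registry values: the two SystemRestore policy values (DisableSR, DisableConfig) and the Start value of the sr service. As an added example, not code from the thread, here is a small audit that compares those values with the ones the posts give as correct (0, 0 and 0) and reports anything that would keep System Restore disabled. read_observed() uses Python's winreg module and therefore only runs on Windows; the TAMPERED snapshot is a constructed stand-in for the state described in the thread before the fix, so the script also runs elsewhere for demonstration.

```python
"""Audit the registry values named in the thread for System Restore tampering."""
import sys

# Expected values per the thread (all under HKEY_LOCAL_MACHINE):
#   DisableSR / DisableConfig policy values 0, sr service Start 0.
SR_POLICY = r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
SR_SERVICE = r"SYSTEM\CurrentControlSet\Services\sr"
EXPECTED = {
    (SR_POLICY, "DisableSR"): 0,
    (SR_POLICY, "DisableConfig"): 0,
    (SR_SERVICE, "Start"): 0,
}


def audit(observed):
    """observed maps (key, value name) -> int, or None when the value is absent.

    Returns a list of human-readable findings; an empty list means nothing is wrong.
    """
    findings = []
    for (key, name), want in EXPECTED.items():
        got = observed.get((key, name))
        if got is None:
            if name.startswith("Disable"):
                continue  # an absent policy value means "not configured", i.e. not disabled
            findings.append(f"HKLM\\{key}\\{name} is missing; expected {want}")
        elif got != want:
            findings.append(f"HKLM\\{key}\\{name} = {got}; expected {want}")
    return findings


def read_observed():
    """Read the three values from the live registry (Windows only)."""
    import winreg
    observed = {}
    for key, name in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                value, _kind = winreg.QueryValueEx(handle, name)
                observed[(key, name)] = int(value)
        except FileNotFoundError:
            observed[(key, name)] = None  # key or value does not exist
    return observed


# Constructed snapshot mirroring the tampered state described in the thread.
TAMPERED = {
    (SR_POLICY, "DisableSR"): 1,
    (SR_POLICY, "DisableConfig"): 1,
    (SR_SERVICE, "Start"): 4,
}


if __name__ == "__main__":
    snapshot = read_observed() if sys.platform == "win32" else TAMPERED
    for line in audit(snapshot) or ["System Restore registry values look normal"]:
        print(line)
```

Run it as an administrator on the affected machine; each finding names the value to correct, which is exactly the list of edits the two posts above describe.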