Backdoor/Ciadoor 13, System Restore doesn't work... :(

Thread is closed!
07.07.2006, 10:28
Member

Posts: 34
#1 I picked up this backdoor virus somewhere.
I've more or less got it working again, i.e. my registry, command prompt, firewall and Task Manager work again.
But I can't get System Restore to work anymore. I've already tried various tips (from this forum), but none of them work.
As already mentioned in many other threads, that sentence about the domain administrator always appears.

Can anyone help me with this?

My antivirus programs (AntiVir, Kaspersky) don't find the virus anymore either.

I don't want to format C:... Would it also work with the Windows repair tool (since the affected files are in the system32 folder)?

Please help ;)

Furthermore, a message now appears at every startup saying that "routerinit.exe" (in the System32 folder) could not be found.
I've already used various autostart tools (TuneUp 2006, MSConfig) to get rid of it, but unfortunately it's nowhere in the list. ;)

It's annoying...
This post was edited on 07.07.2006 at 14:03 by Marsel.
08.07.2006, 01:51
Honorary member
Sabina

Posts: 29434
#2 Work through this, I'll take a look
http://board.protecus.de/t23188.htm
__________
Regards, Sabina

all about PC security
16.07.2006, 18:35
Member

Thread starter

Posts: 34
#3 Well, here we go:

Logfile of HijackThis v1.99.1
Scan saved at 18:31:22, on 16.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programme\eMule\emule.exe
C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Dokumente und Einstellungen\Marcel Raven\Eigene Dateien\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freenet.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programme\NewDotNet\newdotnet7_22.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [winupdates] C:\Programme\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [algchk.exe] C:\WINDOWS\system32\algchk.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: batfilename.bat
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Add to Local Website Archive - C:\Programme\Local Website Archive\iearc.htm
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: LWA - Add - {77912BE8-16E7-49F9-BDC2-694EAE680A96} - C:\Programme\Local Website Archive\wsarc_add.exe (file missing)
O9 - Extra button: LWA - Load - {7FE73B85-A552-4082-AFA6-46B9D6A0509C} - C:\Programme\Local Website Archive\wsarc.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {0277056B-9702-436A-B8EA-651414F62F17} - C:\Programme\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {0277056B-9702-436A-B8EA-651414F62F17} - C:\Programme\Local Website Archive\wsarc_add.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (Steuerung des DownloadManager ) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123475936578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150901917750
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Programme\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LogoMedia TranslateDotNet Server - Unknown owner - C:\Programme\Power Translator\LogoMedia TranslateDotNet Server.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

_________________________________________________________________

Volume in drive C is Festplatte
Volume Serial Number is 9C8C-C9B3

Directory of C:\WINDOWS\system32

16.07.2006 18:32 1.526 svhost.002
16.07.2006 18:32 4.963 svhost.005

16.07.2006 17:53 1.170 wpa.dbl
16.07.2006 05:28 2.124 svhost.001
14.07.2006 22:51 406.432 perfh009.dat
14.07.2006 22:51 65.032 perfc009.dat
14.07.2006 22:51 421.518 perfh007.dat
14.07.2006 22:51 78.484 perfc007.dat
14.07.2006 22:51 984.350 PerfStringBackup.INI
07.07.2006 15:08 36.352 Thumbs.db
07.07.2006 13:44 21 routerinit.exe
07.07.2006 10:35 1.174.512 FNTCACHE.DAT
07.07.2006 09:53 90 spupdwxp.log
07.07.2006 03:21 6.757.792 MRT.exe
02.07.2006 20:38 2.518 blindmansview20.log
02.07.2006 20:01 405.504 Px.dll
02.07.2006 20:01 56.832 pxcpya64.exe
02.07.2006 20:01 108.544 pxcpyi64.exe
02.07.2006 20:01 56.320 pxinsa64.exe
02.07.2006 20:01 109.568 pxinsi64.exe
02.07.2006 20:01 1.191.936 pxsfs.dll
02.07.2006 20:01 339.968 PxWave.dll
02.07.2006 20:01 172.032 PxMas.dll
02.07.2006 20:01 61.440 pxhpinst.exe
02.07.2006 20:01 434.176 pxdrv.dll
02.07.2006 20:01 28.672 VXBLOCK.dll
21.06.2006 23:15 525 mapisvc.inf
19.06.2006 16:20 702.768 WgaLogon.dll
19.06.2006 16:19 571.184 LegitCheckControl.dll
19.06.2006 16:19 304.944 WgaTray.exe
18.06.2006 12:33 818.176 wodfamoh.dll
16.06.2006 18:47 6.845 jupdate-1.5.0_07-b03.log
16.06.2006 18:37 6.948 jupdate-1.5.0_06-b05.log
15.06.2006 21:20 43.520 CmdLineExt03.dll
11.06.2006 04:55 57.384 avsda.dll
01.06.2006 21:45 3.082 affv9869p2now.sys
01.06.2006 20:47 163.840 jgdw400.dll
01.06.2006 20:47 27.648 jgpl400.dll
29.05.2006 17:30 1.494.016 shdocvw.dll
28.05.2006 14:04 110.080 routerinit.dll
22.05.2006 21:33 16.832 amcompat.tlb
22.05.2006 21:33 23.392 nscompat.tlb
21.05.2006 16:15 835.584 NCTAudioCDGrabber2.dll
21.05.2006 16:15 522.752 NCTAudioTransform2.dll
21.05.2006 16:15 348.160 NCTWMAFile2.dll
21.05.2006 16:15 479.232 NCTAudioVisualization2.dll
21.05.2006 16:15 634.880 NCTAudioEditor2.dll
21.05.2006 16:15 467.968 NCTAudioRecord2.dll
21.05.2006 16:15 877.568 NCTAudioFile2.dll
21.05.2006 16:15 966.144 NCTAudioInformation2.dll
21.05.2006 16:15 467.456 NCTAudioPlayer2.dll
19.05.2006 17:09 3.073.536 mshtml.dll
19.05.2006 15:15 292.864 svhost.exe
19.05.2006 15:15 6.144 svhost.007
19.05.2006 15:15 5.120 svhost.006

19.05.2006 15:09 95.744 iphlpapi.dll
19.05.2006 15:09 112.128 dhcpcsvc.dll
19.05.2006 15:09 148.480 dnsapi.dll
18.05.2006 07:36 450.560 jscript.dll



_____________________________________________________________

Is anything missing?
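The log above already contains the evidence the thread later acts on: `svhost.exe` in system32 is one letter away from the genuine `svchost.exe`, numbered `svhost.00x` companions sit next to it, and several autorun entries point at files that no longer exist (which is what the "routerinit.exe could not be found" startup message means). The Python script below is an added example written for this page, not a tool used in the thread; it runs the checks a helper does by eye over HijackThis O4 lines, Silent Runners autorun lines and `dir` output. The list of genuine system binaries is a small assumed set, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage autorun entries and a system32 listing for masquerading binaries.

Added example for this thread, not a tool the thread used. It flags:
  - look-alike names one edit away from a genuine Windows binary
  - autorun entries whose target file no longer exists
  - numbered companion files next to a look-alike (svhost.001 ...)
"""
import re
from typing import List, Optional, Tuple

# Genuine Windows binaries whose names malware likes to imitate (assumed set).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe",
    "winlogon.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "rundll32.exe",
}
# "O4 - HKLM\..\Run: [name] command" as written by HijackThis 1.99
HJT_O4 = re.compile(r'^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# '"name" = "command" [vendor]' or '... [file not found]' as written by Silent Runners
SILENT_RUNNERS = re.compile(r'^"(?P<name>[^"]+)" = "(?P<cmd>.*)" (?P<tail>\[.*\])$')
# "16.07.2006 18:32 1.526 svhost.002": German 'dir' output with whitespace collapsed
DIR_LINE = re.compile(r'^\d{2}\.\d{2}\.\d{4}\s+\d{2}:\d{2}\s+[\d.]+\s+(?P<name>\S.*)$')
MISSING = re.compile(r'\[file not found\]|\((?:file missing|no file)\)', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; file names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Genuine binary that `filename` imitates ('svhost.exe' -> 'svchost.exe'), else None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for good in KNOWN_SYSTEM_BINARIES:
        if edit_distance(name, good) == 1:
            return good
    return None


def target_path(cmd: str) -> str:
    """Executable path of a command line: the quoted part if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def parse_autorun(line: str) -> Optional[Tuple[str, str, bool]]:
    """(name, command, target_missing) for a HijackThis O4 or Silent Runners line."""
    m = HJT_O4.match(line) or SILENT_RUNNERS.match(line)
    if not m:
        return None
    return m.group("name"), m.group("cmd"), bool(MISSING.search(line))


def triage(autorun_lines: List[str], dir_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Sorted, de-duplicated (rule, subject, detail) findings."""
    findings = set()
    for line in autorun_lines:
        parsed = parse_autorun(line)
        if not parsed:
            continue
        name, cmd, missing = parsed
        path = target_path(cmd)
        exe = path.rsplit("\\", 1)[-1]
        good = lookalike_of(exe)
        if good:
            findings.add(("lookalike", exe.lower(), good))
        if missing:
            findings.add(("missing-target", name, path))
    files = [m.group("name") for m in map(DIR_LINE.match, dir_lines) if m]
    lookalikes = {f.lower(): lookalike_of(f) for f in files if lookalike_of(f)}
    for f, good in lookalikes.items():
        findings.add(("lookalike", f, good))
    for f in files:
        stem, _, ext = f.rpartition(".")
        # svhost.001 .. svhost.007: data files dropped beside the look-alike binary
        if ext.isdigit() and f"{stem.lower()}.exe" in lookalikes:
            findings.add(("companion", f, f"{stem}.exe"))
    return sorted(findings)


# Sample lines copied from the HijackThis, Silent Runners and dir output in this thread.
SAMPLE_AUTORUN = [
    r"O4 - HKLM\..\Run: [winupdates] C:\Programme\winupdates\winupdates.exe /auto",
    r"O4 - HKCU\..\Run: [algchk.exe] C:\WINDOWS\system32\algchk.exe",
    r'"algchk.exe" = "C:\WINDOWS\system32\algchk.exe" [file not found]',
    r'"winupdates" = "C:\Programme\winupdates\winupdates.exe /auto" [file not found]',
    r'"svhost" = "C:\WINDOWS\system32\svhost.exe" [file not found]',
]
SAMPLE_DIR = [
    "16.07.2006 18:32 1.526 svhost.002", "16.07.2006 18:32 4.963 svhost.005",
    "16.07.2006 05:28 2.124 svhost.001", "07.07.2006 13:44 21 routerinit.exe",
    "19.05.2006 15:15 292.864 svhost.exe", "19.05.2006 15:15 6.144 svhost.007",
    "19.05.2006 15:15 5.120 svhost.006", "19.05.2006 15:09 95.744 iphlpapi.dll",
]

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_AUTORUN, SAMPLE_DIR):
        print(f"{rule:15} {subject:22} -> {detail}")
```

Note that the HijackThis O4 lines alone produce no "missing-target" finding: HijackThis 1.99 does not annotate O4 entries whose target is gone, which is why Silent Runners (requested later in the thread) is the more useful source for that check.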
16.07.2006, 18:59
Honorary member
Sabina

Posts: 29434
#4 Marsel

datfindbat contains 4 logs... please do it properly!

1. Log: Directory of C:\WINDOWS\system32
2. Log: Directory of C:\DOKUME~1\Username\LOKALE~1\Temp
3. Log: Directory of C:\WINDOWS
4. Log: Directory of C:\

---------------------------------------------------------------------
2.
virustotal
At the top of the page --> click Browse --> paste the file with the correct path --> double-click the file to be checked --> click Submit... now wait -> post the report here!
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\svhost.exe




16.07.2006, 19:08
Member

Thread starter

Posts: 34
#5 Sorry...


Volume in drive C is Festplatte
Volume Serial Number is 9C8C-C9B3

Directory of C:\DOKUME~1\MARCEL~1\LOKALE~1\Temp

16.07.2006 19:01 59.964 Adobelm_Cleanup.0001
16.07.2006 18:55 512 ~DF9663.tmp
16.07.2006 18:55 16.384 ~DF9670.tmp
16.07.2006 18:55 512 ~DF9678.tmp
16.07.2006 18:55 16.384 ~DF965A.tmp
16.07.2006 18:55 512 ~DF9652.tmp
16.07.2006 18:55 16.384 ~DF9637.tmp
16.07.2006 18:55 512 ~DF962F.tmp
16.07.2006 18:55 16.384 ~DF9627.tmp
16.07.2006 17:58 5.974 jusched.log
16.07.2006 17:54 16.384 ~DFA169.tmp
16.07.2006 17:54 512 ~DF9629.tmp
16.07.2006 17:54 16.384 ~DF9621.tmp
15.07.2006 16:41 1.097 TWAIN.LOG
15.07.2006 16:41 3 Twain001.Mtx
15.07.2006 16:41 156 Twunk001.MTX
14.07.2006 23:24 717 control.xml
14.07.2006 22:45 5.012 ASPNETSetup_00000.log
14.07.2006 22:41 201 VisioCA.log
14.07.2006 22:40 409 WGANotify.settings
09.07.2006 21:52 208 java_install_reg.log
07.07.2006 10:43 760.512 GuaE.tmp
07.07.2006 10:43 760.512 GuaA.tmp
06.07.2006 21:06 16.384 ~DFDEA2.tmp
06.07.2006 21:06 16.384 ~DFD7B9.tmp
06.07.2006 20:33 16.384 ~DFD53B.tmp
06.07.2006 20:33 16.384 ~DFCD91.tmp
06.07.2006 20:20 708.208 Gua9.tmp
06.07.2006 20:12 16.384 ~DF6F27.tmp
06.07.2006 20:12 16.384 ~DF52E8.tmp
06.07.2006 20:10 707.860 Gua1.tmp
06.07.2006 19:48 0 Twunk002.MTX
06.07.2006 19:13 700.474 GuaD.tmp
33 File(s) 3.910.475 bytes
0 Dir(s) 29.919.477.760 bytes free
_______________________________________________________________

Volume in drive C is Festplatte
Volume Serial Number is 9C8C-C9B3

Directory of C:\WINDOWS

16.07.2006 19:01 85.504 Thumbs.db
16.07.2006 17:54 1.441.185 WindowsUpdate.log
16.07.2006 17:53 0 0.log
16.07.2006 17:53 159 wiadebug.log
16.07.2006 17:53 51 wiaservc.log
16.07.2006 17:53 2.048 bootstat.dat
16.07.2006 05:28 32.574 SchedLgU.Txt
14.07.2006 23:24 422.066 wmsetup.log
14.07.2006 22:49 159.252 spupdsvc.log
14.07.2006 22:46 458.331 comsetup.log
14.07.2006 22:46 166.690 iis6.log
14.07.2006 22:46 1.374 imsins.log
14.07.2006 22:46 333.861 ntdtcsetup.log
14.07.2006 22:46 575.438 tsoc.log
14.07.2006 22:46 83.753 ocmsn.log
14.07.2006 22:46 14.014 KB917159.log
14.07.2006 22:46 1.066.550 ocgen.log
14.07.2006 22:46 77.683 msgsocm.log
14.07.2006 22:46 1.367.022 FaxSetup.log
14.07.2006 22:46 628.185 setupapi.log
14.07.2006 22:46 1.374 imsins.BAK
14.07.2006 22:46 15.585 KB914388.log
14.07.2006 22:46 58.474 updspapi.log
14.07.2006 22:40 12.459 KB916595.log
14.07.2006 22:40 30.358 WgaNotify.log
09.07.2006 22:53 1.438 win.ini
07.07.2006 15:07 250 accessdll.log
07.07.2006 15:05 322 accessdll1.log
07.07.2006 13:47 500 system.ini
07.07.2006 13:04 558.058 ntbtlog.txt
07.07.2006 09:53 12.365 setuplog.txt
07.07.2006 09:53 1.067 DtcInstall.log
07.07.2006 09:50 747.910 svcpack.log
07.07.2006 09:48 573 cmsetacl.log
07.07.2006 09:47 2.683 sessmgr.setup.log
07.07.2006 09:45 1.751 medctroc.Log
06.07.2006 22:12 29 standard.sta
06.07.2006 20:49 690 OEWABLog.txt
05.07.2006 15:07 116 NeroDigital.ini
04.07.2006 12:22 1.905 diagwrn.xml
04.07.2006 12:22 1.905 diagerr.xml
04.07.2006 12:22 956 setupact.log
04.07.2006 12:21 0 setuperr.log
02.07.2006 20:07 36.076 DirectX.log
02.07.2006 20:02 4.534 ODBCINST.INI
25.06.2006 20:00 427 WINWORD6.INI
25.06.2006 11:20 921 ULEAD32.INI
22.06.2006 06:58 50.390 KB873339.log
21.06.2006 23:10 41.611 ie7beta2Uninst.log
21.06.2006 22:49 43.778 ie7beta2_main.log
21.06.2006 22:48 152.619 ie7beta2.log
21.06.2006 22:46 12.478 KB915865.log
21.06.2006 19:47 63 vbaddin.ini
21.06.2006 17:10 845 Active Setup Log.txt
21.06.2006 17:06 988 Active Setup Log.BAK
19.06.2006 21:04 13.586 KB904942.log
14.06.2006 08:47 16.456 KB917734.log
14.06.2006 08:46 15.911 KB918439.log
14.06.2006 08:46 15.674 KB917344.log
14.06.2006 08:46 17.004 KB917953.log
14.06.2006 08:46 15.327 KB911280.log
14.06.2006 08:45 29.845 KB916281.log
14.06.2006 08:45 13.286 KB914389.log
11.06.2006 18:04 32 go
11.06.2006 13:49 6.678 mozver.dat
09.06.2006 14:15 24.339 WGA.log
06.06.2006 12:25 79 WININIT.INI
05.06.2006 11:24 4 win32t4.dll
01.06.2006 22:36 38 AviSplitter.INI
22.05.2006 22:05 378 wmsetup10.log
22.05.2006 21:29 11.677 wmp11Uninst.log
21.05.2006 17:04 18.288 ICQ 5.1 Smiley Changer Setup Log.txt
21.05.2006 17:04 3.770 ICQ 5.1 build 2573 - Banner remover & AD blocker Setup Log.txt
19.05.2006 16:15 31.359 wmp11.log
19.05.2006 16:14 15.886 Wudf01000Inst.log
19.05.2006 16:13 44.332 WMFDist11.log
19.05.2006 16:13 316.640 WMSysPr9.prx
17.05.2006 22:32 737.280 iun6002.exe
17.05.2006 01:02 12.018 ModemLog_Aztech CNR2900 V.92 Modem.txt
17.05.2006 00:46 380 frndial.log
16.05.2006 23:01 1.950 avmadd32.log
16.05.2006 22:31 107 avmsysnet.log
16.05.2006 21:43 2.307 avmadd321.log
16.05.2006 19:49 5.820 COM+.log
16.05.2006 19:09 24.619 KB913580.log
16.05.2006 19:09 20.082 KB908531.log
16.05.2006 19:08 20.175 KB911565.log
16.05.2006 19:08 18.996 KB911562.log
16.05.2006 19:07 27.856 KB912812.log
16.05.2006 19:07 14.363 KB911567.log
16.05.2006 19:07 7.669 KB913446.log
16.05.2006 19:07 13.999 KB911564.log
16.05.2006 19:06 12.702 KB901190.log
16.05.2006 19:06 13.203 KB911927.log
16.05.2006 18:15 76.118 _detmp.1
24.04.2006 19:11 67 Power Video Converter.INI
23.04.2006 19:45 253.952 Setup1.exe
23.04.2006 19:45 74.752 ST6UNST.EXE
02.04.2006 19:51 109 telephon.ini

_________________________________________________________________


Volume in drive C is Festplatte
Volume Serial Number is 9C8C-C9B3

Directory of C:\

16.07.2006 19:07 0 sys.txt
16.07.2006 19:07 20.599 system.txt
16.07.2006 19:06 1.881 systemtemp.txt
16.07.2006 19:05 130.581 system32.txt
16.07.2006 17:52 536.399.872 hiberfil.sys
16.07.2006 17:52 804.495.360 pagefile.sys
07.07.2006 09:47 210 BOOT.INI
07.01.2006 23:56 5.632 Thumbs.db
09.05.2005 13:26 462 os466477.bin
27.02.2005 02:50 210 BOOT.BKK
11.10.2004 13:37 864 hjljaw3w.sys
30.08.2004 20:46 47.564 NTDETECT.COM
30.08.2004 20:46 251.184 ntldr
15.02.2004 20:38 0 IO.SYS
15.02.2004 20:38 0 MSDOS.SYS
09.01.2004 13:53 193 BOOT.BAK
02.04.2003 14:00 4.952 bootfont.bin
02.04.2003 14:00 248.096 cmldr
18 File(s) 1.341.607.660 bytes
0 Dir(s) 29.919.526.912 bytes free
_________________________________________________________________


There, that should do it.... ;)
16.07.2006, 19:10
Honorary member
Sabina

Posts: 29434
#6 Marsel

virustotal
At the top of the page --> click Browse --> paste the file with the correct path --> double-click the file to be checked --> click Submit... now wait -> post the report here!
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\svhost.exe



16.07.2006, 19:29
Member

Thread starter

Posts: 34
#7 STATUS: FINISHED
Complete scanning result of "svhost.exe", received in VirusTotal at 07.16.2006, 19:26:57 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.16.2006 HEUR/Backdoor.Generic
Authentium 4.93.8 07.14.2006 no virus found
Avast 4.7.844.0 07.14.2006 Win32:Ardamax-AH
AVG 386 07.14.2006 no virus found
BitDefender 7.2 07.16.2006 no virus found
CAT-QuickHeal 8.00 07.13.2006 no virus found
ClamAV devel-20060426 07.15.2006 no virus found
DrWeb 4.33 07.16.2006 no virus found
eTrust-InoculateIT 23.72.70 07.16.2006 no virus found
eTrust-Vet 12.6.2297 07.14.2006 no virus found
Ewido 4.0 07.16.2006 Not-A-Virus.Monitor.Win32.Ardamax.24
Fortinet 2.77.0.0 07.16.2006 Keylog/Ardamax!052
F-Prot 3.16f 07.14.2006 no virus found
F-Prot4 4.2.1.29 07.14.2006 no virus found
Ikarus 0.2.65.0 07.14.2006 no virus found
Kaspersky 4.0.2.24 07.16.2006 not-a-virus:Monitor.Win32.Ardamax.24
McAfee 4807 07.14.2006 New Malware.b
Microsoft 1.1508 07.16.2006 no virus found
NOD32v2 1.1663 07.16.2006 a variant of Win32/KeyLogger.Ardamax
Norman 5.90.23 07.14.2006 W32/Ardamax.RM
Panda 9.0.0.4 07.16.2006 Suspicious file
Sophos 4.07.0 07.16.2006 no virus found
Symantec 8.0 07.16.2006 no virus found
TheHacker 5.9.8.176 07.15.2006 Aplicacion/Ardamax.24
UNA 1.83 07.14.2006 no virus found
VBA32 3.11.0 07.15.2006 no virus found
VirusBuster 4.3.7:9 07.15.2006 no virus found


Additional Information
File size: 292864 bytes
MD5: 447eb9f057e8686bb60b15679dbf4785
SHA1: adec4e2c817b332dfcb766182c948922217332ed

_________________________________________________________________

So the backdoor virus is still there, right?
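The table above is enough to answer the question in the post: ten of 27 engines flag the file, and seven of those agree on the family (Ardamax, a commercial keylogger). Kaspersky and Ewido file it under `not-a-virus:Monitor`, a riskware class that some products only report when that detection category is enabled, which is worth keeping in mind whenever a scanner declares a machine clean. The Python below is an added example for this page, not VirusTotal's code or a tool used in the thread; it parses a pasted result table in the 2006 text layout into a detection count, a riskware count and the family most engines agree on. The list of generic class words it ignores is an assumption of the example, and the sample table is the one posted above.

```python
"""Summarise a pasted VirusTotal result table (the 2006 text layout).

Added example for this thread; not VirusTotal's code or a tool used in it.
It separates detections from "no virus found", counts riskware verdicts
("not-a-virus") and extracts the family name most engines agree on.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# "Engine Version MM.DD.YYYY Result"; engine name and version contain no spaces
ROW = re.compile(r'^(?P<engine>\S+)\s+(?P<version>\S+)\s+\d{2}\.\d{2}\.\d{4}\s+(?P<result>.+)$')
CLEAN = "no virus found"
# Class and qualifier words that occur in labels but do not name a family (assumed list)
GENERIC = {
    "win32", "w32", "not", "virus", "monitor", "keylog", "keylogger", "variant",
    "generic", "heur", "new", "malware", "suspicious", "file", "aplicacion",
    "backdoor", "trojan", "riskware",
}


def parse_rows(text: str) -> List[Tuple[str, str]]:
    """(engine, result) per table row; header, blank and info lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group("engine"), m.group("result").strip()))
    return rows


def family_votes(labels: List[str]) -> Counter:
    """One vote per engine for each candidate family token in its label."""
    votes: Counter = Counter()
    for label in labels:
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t}
        votes.update(t for t in tokens if t.isalpha() and len(t) >= 4 and t not in GENERIC)
    return votes


def summarize(text: str) -> Dict[str, object]:
    """Detection ratio, riskware count and consensus family for one result table."""
    rows = parse_rows(text)
    hits = [(e, r) for e, r in rows if r.lower() != CLEAN]
    riskware = [e for e, r in hits if r.lower().startswith("not-a-virus")]
    votes = family_votes([r for _, r in hits])
    family, count = votes.most_common(1)[0] if votes else ("", 0)
    return {
        "engines": len(rows),
        "detections": len(hits),
        "riskware_verdicts": len(riskware),
        "family": family,
        "family_votes": count,
        "detecting_engines": sorted(e for e, _ in hits),
    }


# The svhost.exe result table as posted in this thread.
SAMPLE_RESULT = """Antivirus Version Update Result
AntiVir 6.35.0.21 07.16.2006 HEUR/Backdoor.Generic
Authentium 4.93.8 07.14.2006 no virus found
Avast 4.7.844.0 07.14.2006 Win32:Ardamax-AH
AVG 386 07.14.2006 no virus found
BitDefender 7.2 07.16.2006 no virus found
CAT-QuickHeal 8.00 07.13.2006 no virus found
ClamAV devel-20060426 07.15.2006 no virus found
DrWeb 4.33 07.16.2006 no virus found
eTrust-InoculateIT 23.72.70 07.16.2006 no virus found
eTrust-Vet 12.6.2297 07.14.2006 no virus found
Ewido 4.0 07.16.2006 Not-A-Virus.Monitor.Win32.Ardamax.24
Fortinet 2.77.0.0 07.16.2006 Keylog/Ardamax!052
F-Prot 3.16f 07.14.2006 no virus found
F-Prot4 4.2.1.29 07.14.2006 no virus found
Ikarus 0.2.65.0 07.14.2006 no virus found
Kaspersky 4.0.2.24 07.16.2006 not-a-virus:Monitor.Win32.Ardamax.24
McAfee 4807 07.14.2006 New Malware.b
Microsoft 1.1508 07.16.2006 no virus found
NOD32v2 1.1663 07.16.2006 a variant of Win32/KeyLogger.Ardamax
Norman 5.90.23 07.14.2006 W32/Ardamax.RM
Panda 9.0.0.4 07.16.2006 Suspicious file
Sophos 4.07.0 07.16.2006 no virus found
Symantec 8.0 07.16.2006 no virus found
TheHacker 5.9.8.176 07.15.2006 Aplicacion/Ardamax.24
UNA 1.83 07.14.2006 no virus found
VBA32 3.11.0 07.15.2006 no virus found
VirusBuster 4.3.7:9 07.15.2006 no virus found
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_RESULT)
    print(f"{s['detections']}/{s['engines']} engines, {s['riskware_verdicts']} as riskware, "
          f"family '{s['family']}' ({s['family_votes']} votes)")
```

Before acting on such a table, compare the MD5/SHA1 printed under "Additional Information" with the hash of the local file; a sample uploaded from the wrong path gives a clean-looking result for a file that was never examined.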
16.07.2006, 20:16
Honorary member
Sabina

Posts: 29434
#8 Marsel

How about formatting???? And quickly.............. or do you want to clean???
A keylogger, on top of that... records everything you type and transmits it to third parties.. (passwords, keys, online banking.....)

and that since May: 19.05.2006 15:15 292.864 svhost.exe
16.07.2006, 20:21
Member

Thread starter

Posts: 34
#9 Well.... not necessarily formatting.... ;)

Can't this be removed somehow? I have quite a lot of data, and burning it all to CD/DVD would take a while...

I'd try everything before formatting, but how? ;) ;)

Does it work with the repair tool from the Windows XP CD?
16.07.2006, 20:24
Honorary member
Sabina

Posts: 29434
#10 Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in:

Quote

Files to delete:
C:\WINDOWS\system32\svhost.002
C:\WINDOWS\system32\svhost.005
C:\WINDOWS\system32\svhost.001
C:\WINDOWS\system32\svhost.exe
C:\WINDOWS\system32\svhost.007
C:\WINDOWS\system32\svhost.006
Click the green traffic light
the script will now run, then the PC will restart automatically
post the Avenger log that appears

2.
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".

3.
Scan with ewido and post the scan report
http://virus-protect.org/ewido.html

4.
Check with virustotal:

C:\WINDOWS\system32\routerinit.exe
C:\WINDOWS\system32\iphlpapi.dll



16.07.2006, 20:42
Member

Thread starter

Posts: 34
#11 Right...

Here's Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\akosdyqk

*******************

Script file located at: \??\C:\Program Files\xdnfqwws.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\svhost.002 deleted successfully.
File C:\WINDOWS\system32\svhost.005 deleted successfully.
File C:\WINDOWS\system32\svhost.001 deleted successfully.
File C:\WINDOWS\system32\svhost.exe deleted successfully.
File C:\WINDOWS\system32\svhost.007 deleted successfully.
File C:\WINDOWS\system32\svhost.006 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

________________________________________________________________

Unfortunately, the properties of My Computer have no "System Restore" tab, just 6 other tabs.

Which surely has to do with the Backdoor/Ciadoor.
_______________________________________________________________

The rest follows shortly...
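On Windows XP both symptoms in this thread, the "System Restore has been turned off by your domain administrator" message and a System Properties dialog without a System Restore tab, come from policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore`: `DisableSR=1` switches the feature off, `DisableConfig=1` removes the tab. A standalone PC has no domain administrator, so something running locally set them. The Python below is an added example for this page, not a tool from the thread: it reads a registry export of those keys (made on the affected machine with `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" sr.reg`, assuming the reg.exe that ships with XP), names the symptom each value causes, and writes the .reg text that removes the values and sets the System Restore service (`srservice`) back to automatic start. The embedded export is constructed for the example, not taken from the thread. Import the fix only after the keylogger is gone; a dropper that is still running simply sets the values again.

```python
r"""Diagnose and undo the System Restore lockout from an exported .reg file.

Added example for this thread (not one of the tools used in it).
Windows XP policy values under
  HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    DisableSR     = 1 -> System Restore off ("turned off by your domain administrator")
    DisableConfig = 1 -> System Restore tab removed from System Properties
and the service start type under
  HKLM\SYSTEM\CurrentControlSet\Services\srservice   Start = 4 -> disabled
"""
import re
from typing import Dict, List, Tuple

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice"
SERVICE_DISABLED, SERVICE_AUTOMATIC = 4, 2

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')

RegDump = Dict[str, Dict[str, int]]


def parse_reg(text: str) -> RegDump:
    """DWORD values of a .reg export as {key_lower: {name_lower: int}}.
    A real export is UTF-16LE: read it with open(path, encoding="utf-16").
    String and binary values are not needed here and are skipped."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_LINE.match(line)
        if km:
            current = km.group("key").lower()
            dump.setdefault(current, {})
            continue
        vm = DWORD_LINE.match(line)
        if current and vm:
            dump[current][vm.group("name").lower()] = int(vm.group("hex"), 16)
    return dump


def diagnose(dump: RegDump) -> List[Tuple[str, str]]:
    """(value, symptom) for every lockout value that is set."""
    policy = dump.get(POLICY_KEY.lower(), {})
    service = dump.get(SERVICE_KEY.lower(), {})
    findings = []
    if policy.get("disablesr") == 1:
        findings.append(("DisableSR", "System Restore turned off by policy; source of the 'domain administrator' message"))
    if policy.get("disableconfig") == 1:
        findings.append(("DisableConfig", "System Restore tab hidden in System Properties"))
    if service.get("start") == SERVICE_DISABLED:
        findings.append(("srservice/Start", "System Restore service disabled; restore points cannot be created"))
    return findings


def remediation_reg(findings: List[Tuple[str, str]]) -> str:
    """.reg text that reverts only what diagnose() found.
    '"Name"=-' deletes a value; importing the file needs administrator rights."""
    values = {name for name, _ in findings}
    out = ["Windows Registry Editor Version 5.00", ""]
    policy_fixes = [f'"{v}"=-' for v in ("DisableSR", "DisableConfig") if v in values]
    if policy_fixes:
        out += [f"[{POLICY_KEY}]", *policy_fixes, ""]
    if "srservice/Start" in values:
        out += [f"[{SERVICE_KEY}]", f'"Start"=dword:{SERVICE_AUTOMATIC:08x}', ""]
    return "\n".join(out)


# Constructed export resembling the state described in this thread (not taken from it).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Type"=dword:00000020
"Start"=dword:00000004
"DisplayName"="System Restore Service"
"""

if __name__ == "__main__":
    found = diagnose(parse_reg(SAMPLE_EXPORT))
    for value, symptom in found:
        print(f"{value:16} {symptom}")
    print(remediation_reg(found))
```

Save the printed text as `fix-sr.reg`, import it with `reg import fix-sr.reg`, and reboot; the System Restore tab should be back and, as the thread suggests, the old restore points should then be discarded by turning System Restore off and on again, since they may contain the keylogger.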
16.07.2006, 20:44
Honorary member
Sabina

Posts: 29434
#12 We'll deal with that later... first post the ewido scan report
16.07.2006, 20:50
Member

Thread starter

Posts: 34
#13 In a moment (the scan is still running):

Virustotal:

STATUS: SCANNING
File "routerinit.exe" received on 07.16.2006 at 20:45:01 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated.

Antivirus Version Update Result
AntiVir 6.35.0.21 07.16.2006 no virus found
Authentium 4.93.8 07.14.2006 no virus found
Avast 4.7.844.0 07.14.2006 no virus found
AVG 386 07.14.2006 no virus found
BitDefender 7.2 07.16.2006 no virus found
CAT-QuickHeal 8.00 07.13.2006 no virus found
ClamAV devel-20060426 07.15.2006 no virus found
DrWeb 4.33 07.16.2006 no virus found
eTrust-InoculateIT 23.72.70 07.16.2006 no virus found
eTrust-Vet 12.6.2297 07.14.2006 no virus found
Ewido 4.0 07.16.2006 no virus found
Fortinet 2.77.0.0 07.16.2006 no virus found
F-Prot 3.16f 07.14.2006 no virus found
F-Prot4 4.2.1.29 07.14.2006 no virus found
Ikarus 0.2.65.0 07.14.2006 no virus found
Kaspersky 4.0.2.24 07.16.2006 no virus found
McAfee 4807 07.14.2006 no virus found
Microsoft 1.1508 07.16.2006 no virus found
NOD32v2 1.1663 07.16.2006 no virus found
Norman 5.90.23 07.14.2006 no virus found
Panda 9.0.0.4 07.16.2006 no virus found


Additional Information
File size: 21 bytes
MD5: 730a256835722a2a270f07b3a7e2da4b
SHA1: faf21ffb0ddb70db3d608f24610fecf2fcb66460

_________________________________________________________________

STATUS: FINISHED
Complete scanning result of "iphlpapi.dll", received in VirusTotal at 07.16.2006, 20:48:59 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.16.2006 no virus found
Authentium 4.93.8 07.14.2006 no virus found
Avast 4.7.844.0 07.14.2006 no virus found
AVG 386 07.14.2006 no virus found
BitDefender 7.2 07.16.2006 no virus found
CAT-QuickHeal 8.00 07.13.2006 no virus found
ClamAV devel-20060426 07.15.2006 no virus found
DrWeb 4.33 07.16.2006 no virus found
eTrust-InoculateIT 23.72.70 07.16.2006 no virus found
eTrust-Vet 12.6.2297 07.14.2006 no virus found
Ewido 4.0 07.16.2006 no virus found
Fortinet 2.77.0.0 07.16.2006 no virus found
F-Prot 3.16f 07.14.2006 no virus found
F-Prot4 4.2.1.29 07.14.2006 no virus found
Ikarus 0.2.65.0 07.14.2006 no virus found
Kaspersky 4.0.2.24 07.16.2006 no virus found
McAfee 4807 07.14.2006 no virus found
Microsoft 1.1508 07.16.2006 no virus found
NOD32v2 1.1663 07.16.2006 no virus found
Norman 5.90.23 07.14.2006 no virus found
Panda 9.0.0.4 07.16.2006 no virus found
Sophos 4.07.0 07.16.2006 no virus found
Symantec 8.0 07.16.2006 no virus found
TheHacker 5.9.8.176 07.15.2006 no virus found
UNA 1.83 07.14.2006 no virus found
VBA32 3.11.0 07.15.2006 no virus found
VirusBuster 4.3.7:9 07.15.2006 no virus found


Additional Information
File size: 95744 bytes
MD5: f8f192511c79e706f027f25ffe626ef3
SHA1: 70a2c54d7eaae3b0d2b6159dec62ebcd0fa8264c
16.07.2006, 21:14
Honorary member
Sabina

Posts: 29434
#14 So post the ewido scan report:
+
the Silent Runners log
http://virus-protect.org/silentrunner.html
17.07.2006, 00:51
Member

Thread starter

Posts: 34
#15 It took more time than I thought... ;)

But here is the result.

---------------------------------------------------------
ewido anti-spyware - Scan report
---------------------------------------------------------

+ Created at: 00:46:22 17.07.2006

+ Scan result:



C:\Programme\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Programme\NewDotNet\readme.html -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Programme\NewDotNet\uninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Programme\NewDotNet\uninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Dokumente und Einstellungen\Marcel Raven\Eigene Dateien\Meine Videos\Know\Ferien\Customize ICQ\www[1].STADTAUS.com_ICQ5.1_v12-GermanPatch-by-ven000m.exe -> Dropper.Agent.aqf : Cleaned with backup (quarantined).
C:\Dokumente und Einstellungen\Marcel Raven\Eigene Dateien\Eigene Musik\FAD\JSO\323874103\PIMP_250781883\sOUND.exe -> Not-A-Virus.Hoax.Win32.ComputerSchock : Ignored.
C:\avenger\backup.zip/avenger/svhost.006 -> Not-A-Virus.Monitor.Win32.Ardamax.24 : Ignored.
C:\avenger\backup.zip/avenger/svhost.exe -> Not-A-Virus.Monitor.Win32.Ardamax.24 : Ignored.
C:\Dokumente und Einstellungen\Marcel Raven\Eigene Dateien\Meine Videos\Know\New\Downs\YetiSportsAIO.exe -> Not-A-Virus.Monitor.Win32.Ardamax.k : Ignored.
C:\avenger\backup.zip/avenger/svhost.007 -> Not-A-Virus.Monitor.Win32.Ardamax.k : Ignored.
C:\Dokumente und Einstellungen\Marcel Raven\Eigene Dateien\Micrografx\HTML\Sites\COMDRV32.exe -> Not-A-Virus.Monitor.Win32.OrvellMonitor : Ignored.
C:\Dokumente und Einstellungen\Marcel Raven\Cookies\marcel raven@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Dokumente und Einstellungen\Marcel Raven\Cookies\marcel raven@www.etracker[1].txt -> TrackingCookie.Etracker : Cleaned.
C:\Dokumente und Einstellungen\Marcel Raven\Cookies\marcel raven@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Programme\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).


::Berichtende

_________________________________________________________________

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"algchk.exe" = "C:\WINDOWS\system32\algchk.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CloneCDTray" = ""C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"winupdates" = "C:\Programme\winupdates\winupdates.exe /auto" [file not found]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"svhost" = "C:\WINDOWS\system32\svhost.exe" [file not found]
"!ewido" = ""C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "URLLink"
\InProcServer32\(Default) = "C:\Programme\NewDotNet\newdotnet7_22.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "Verlauf"
-> {HKCU...CLSID} = "Verlauf"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "Internet"
-> {HKCU...CLSID} = "Internet"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "ActiveX-Cacheordner"
-> {HKCU...CLSID} = "ActiveX-Cacheordner"
\InProcServer32\(Default) = "C:\WINDOWS\System32\occache.dll" [MS]
"{F5175861-2688-11d0-9C5E-00AA00A45957}" = "Subscription Folder"
-> {HKCU...CLSID} = "Subscription Folder"
\InProcServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Apps\RecordNow\shlext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\
HIJACK WARNING! "DisableSR"=dword:00000001
[removes Control Panel|System|System Restore (tab) and disables applet]

HIJACK WARNING! "DisableConfig"=dword:00000001
[disables options on Control Panel|System|System Restore (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp"


Startup items in "Marcel Raven" & "All Users" startup folders:
--------------------------------------------------------------

C:\Dokumente und Einstellungen\Marcel Raven\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
INFECTION WARNING! "batfilename.bat" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office OneNote 2003 Schnellstart" -> shortcut to: "C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 27 - 28


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{0277056B-9702-436A-B8EA-651414F62F17}\
"MenuText" = "Add to Local Website Archive"
"Exec" = "C:\Programme\Local Website Archive\wsarc_add.exe" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_07"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_07\bin\npjpi150_07.dll" ["Sun Microsystems, Inc."]

{77912BE8-16E7-49F9-BDC2-694EAE680A96}\
"ButtonText" = "LWA - Add"
"Exec" = "C:\Programme\Local Website Archive\wsarc_add.exe" [file not found]

{7FE73B85-A552-4082-AFA6-46B9D6A0509C}\
"ButtonText" = "LWA - Load"
"Exec" = "C:\Programme\Local Website Archive\wsarc.exe" [file not found]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.freenet.de

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 49 domain names to IP addresses,
48 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Adobe Active File Monitor V4, AdobeActiveFileMonitor4.0, "C:\Programme\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe" [null data]
AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
SmartLinkService, SLService, "slserv.exe" [" "]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Canon BJ Language Monitor i560\Driver = "CNMLM58.DLL" ["CANON INC."]
FPP2:\Driver = "fppmon2.dll" ["FinePrint Software, LLC"]
LPR Port\Driver = "lprmon.dll" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 104 seconds, including 18 seconds for message boxes)