Problem mit C:\Windows\system32\scvhost.exe

#16 1.
virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\server3.exe

poste den bericht

2.
Start > Ausfuehren --> reinschreiben --> cmd.exe
und ok. kopiere rein und poste alles, was im Texteditor erscheint

dir /s /a "c:\scvhost*.*" > c:\find.txt & start notepad c:\find.txt

dir /s /a "c:\svchost*.*" > c:\find.txt & start notepad c:\find.txt

dir /s /a "c:\XPROTECTOR*.*" > c:\find.txt & start notepad c:\find.txt




+
__________
MfG Sabina

rund um die PC-Sicherheit

#17 So zum 1.

Bericht:

Complete scanning result of "server3.exe", received in VirusTotal at 07.20.2006, 10:44:42 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.20.2006 HEUR/Crypted
Authentium 4.93.8 07.19.2006 W32/Prorat.BY@bd
Avast 4.7.844.0 07.19.2006 no virus found
AVG 386 07.19.2006 no virus found
BitDefender 7.2 07.20.2006 BehavesLike:Win32.IRC-Backdoor
CAT-QuickHeal 8.00 07.19.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.20.2006 no virus found
DrWeb 4.33 07.20.2006 no virus found
eTrust-InoculateIT 23.72.73 07.20.2006 no virus found
eTrust-Vet 12.6.2303 07.20.2006 no virus found
Ewido 4.0 07.19.2006 no virus found
Fortinet 2.77.0.0 07.19.2006 suspicious
F-Prot 3.16f 07.19.2006 security risk named W32/Prorat.BY@bd
F-Prot4 4.2.1.29 07.19.2006 W32/Prorat.BY@bd
Ikarus 0.2.65.0 07.20.2006 no virus found
Kaspersky 4.0.2.24 07.20.2006 Backdoor.Win32.G_Spot.20
McAfee 4810 07.19.2006 New Malware.p
Microsoft 1.1508 07.20.2006 no virus found
NOD32v2 1.1668 07.19.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.20.2006 no virus found
Panda 9.0.0.4 07.20.2006 Suspicious file
Sophos 4.07.0 07.20.2006 no virus found
Symantec 8.0 07.20.2006 no virus found
TheHacker 5.9.8.178 07.19.2006 no virus found
UNA 1.83 07.19.2006 no virus found
VBA32 3.11.0 07.19.2006 suspected of Backdoor.xBot.15
VirusBuster 4.3.7:9 07.19.2006 no virus found

Aditional Information
File size: 97280 bytes
MD5: a7aabf19bb0f95a7314cc1edbe42f3eb
SHA1: 0a0010863fd28d9556d5c29bae6359742567aaf7


So zu Punkt 2

Beim 1.

Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 58CE-A961


Beim 2.

Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 58CE-A961

Verzeichnis von c:\mIRC\download

07.06.2006 22:42 97.280 svchost.exe
1 Datei(en) 97.280 Bytes

Verzeichnis von c:\WINDOWS\system32

04.08.2004 14:00 14.336 svchost.exe
1 Datei(en) 14.336 Bytes

Verzeichnis von c:\WINDOWS\system32\dllcache

04.08.2004 14:00 14.336 svchost.exe
1 Datei(en) 14.336 Bytes

Anzahl der angezeigten Dateien:
3 Datei(en) 125.952 Bytes
0 Verzeichnis(se), 136.899.207.168 Bytes frei


Beim 3.


Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 58CE-A961

Verzeichnis von c:\WINDOWS\system32\drivers

29.04.2006 16:58 40.448 Xprotector.sys
1 Datei(en) 40.448 Bytes

Anzahl der angezeigten Dateien:
1 Datei(en) 40.448 Bytes
0 Verzeichnis(se), 136.899.207.168 Bytes frei

#18 Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten.
in: "Enter search strings" (reinschreiben oder reinkopieren)

Xprotector

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

server3.exe

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

wsock32

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.
__________
MfG Sabina

rund um die PC-Sicherheit

#19 Okay^^

hier ist der 1.




REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 20.07.2006 11:44:11 for strings:
; 'xprotector'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR\0000]
"Service"="XPROTECTOR"
"DeviceDesc"="XPROTECTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR\0000]
"Service"="XPROTECTOR"
"DeviceDesc"="XPROTECTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR\0000]
"Service"="XPROTECTOR"
"DeviceDesc"="XPROTECTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR\0000\LogConf]

; End Of The Log...


und hier der 2.


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 20.07.2006 11:45:15 for strings:
; 'server3.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_USERS\S-1-5-21-436374069-1757981266-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"d"="C:\\WINDOWS\\system32\\server3.exe"

[HKEY_USERS\S-1-5-21-436374069-1757981266-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"a"="C:\\WINDOWS\\system32\\server3.exe"

; End Of The Log...




so weiter gehts^^

hätte nie gedacht das sowas so extrem lange dauert

#20 es fehlt noch eine ..und was beschwerst du dich...der Rechner gehoerte formatiert, du laedst froehlich backdoors ueber den mIRC.................
__________
MfG Sabina

rund um die PC-Sicherheit

#21 Okay hier der letze:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 20.07.2006 11:49:17 for strings:
; 'wsock32'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ServiceProvider]
; Contents of value:
; %systemroot%\system32\wsock32.dll
"
edit (Sabina)


Mhmhmh okay und was kann ich dagegen machen?

Haste nen tipp für mich^^

Denn wie du sicherlich bemerkt haste habe ich wirklich keine ahnung xD

#22 avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Zitat

registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR

Files to delete:

C:\WINDOWS\system32\wsock32.sys
C:\WINDOWS\system32\drivers\Xprotector.sys
C:\WINDOWS\system32\server3.exe
C:\mIRC\download\svchost.exe

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
poste das log vom avenger, was nach neustart erscheint
__________
MfG Sabina

rund um die PC-Sicherheit

#23 Okay gemacht

das kam raus

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dvipabyl

*******************

Script file located at: \??\C:\WINDOWS\system32\lcqhkujv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR
Status: 0xc0000034



File C:\WINDOWS\system32\wsock32.sys not found!
Deletion of file C:\WINDOWS\system32\wsock32.sys failed!

Could not process line:
C:\WINDOWS\system32\wsock32.sys
Status: 0xc0000034

File c:\WINDOWS\system32\drivers\Xprotector.sys deleted successfully.
File C:\WINDOWS\system32\server3.exe deleted successfully.
File c:\mIRC\download\svchost.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#24 multiavtool.
http://virus-protect.org/multiavtool.html

* klicke "3" - McAfee -- es erscheint ein leeres DOS-Fenster.

bei der Eingabe "3" im MULTIAVTOOL muss eine Internetverbindung vorhanden sein

- man muss eingeben, was gescannt werden soll
- C:\Windows\System32 -> dann beginnt der Scan, man sollte dann auch scannen lassen:
- C:\Windows
- C:\

* klicke "6 --> der PC wird neustarten --> suche die 3 Scanreporte in C:\AV-CLS und kopiere sie
__________
MfG Sabina

rund um die PC-Sicherheit

#25 Okay ich habe es nun alles gemacht.
Aber immer wenn ich nen scann protokoll aufrufe gibt er mir nur das letze und es ist auch nur 1 vorhanden
naja ich habe es dann nochmal laufen lassen und immer danach hat er es mir ausgegeben darauf habe ich es gespeichert in einem word dokument.
Ich hoffe das hat nicht irgendwas verfälscht

Also fangen wir an

Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4805 created Jul 12 2006
Scanning for 201016 viruses, trojans and variants.

Virus Scan Results



07/20/2006 13:52:43


Options:
"C:\WINDOWS\SYSTEM32" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [System]
Scanning C:\WINDOWS\SYSTEM32\*.*

Summary report on C:\WINDOWS\SYSTEM32\*.*
File(s)
Total files: ........... 7890
Clean: ................. 7880
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1


Time: 00:03.04






dann das 2.








Virus Scan Report File

Virus Scan Information

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4805 created Jul 12 2006
Scanning for 201016 viruses, trojans and variants.

Virus Scan Results




07/20/2006 13:24:35


Options:
"C:\WINDOWS" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [System]
Scanning C:\WINDOWS\*.*

Summary report on C:\WINDOWS\*.*
File(s)
Total files: ........... 22548
Clean: ................. 22538
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1


Time: 00:06.52






jetzt das 3.


Virus Scan Report File

Virus Scan Information

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4805 created Jul 12 2006
Scanning for 201016 viruses, trojans and variants.

Virus Scan Results




07/20/2006 12:49:40


Options:
"C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [System]
Scanning C:\*.*
C:\avenger\backup.zip\SERVER3.EXE ... Found trojan or variant New Malware.p !!!
Please send a copy of the file to McAfee
C:\avenger\backup.zip\SVCHOST.EXE ... Found trojan or variant New Malware.p !!!
Please send a copy of the file to McAfee
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Wanadoo Edition\Celtic Kings - Rage of War\Celtic Kings mit GameSpy Arcade online spielen.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\mIRC\download\server4.exe ... Found trojan or variant New Malware.p !!!
Please send a copy of the file to McAfee
The file or process has been deleted.
C:\Programme\Ground Control II\gsa.url ... Found potentially unwanted program Adware-Url.gen.
The file or process has been deleted.
C:\Programme\ICQToolbar\toolbaru.inf ... Found potentially unwanted program Adware-Softomate.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 117102
Clean: ................. 117056
Possibly Infected: ..... 3
Cleaned: ............... 0
Deleted: ............... 4
Non-critical Error(s): 3


Time: 00:30.52




So hoffe ich habe alles richtig gemacht.
Neu gestartet habe ich auch^^

#26 haette ich mir denken koennen, dass es da noch mehr gibt.....

Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint

Zitat

cd\
dir "C:\mIRC\download" >>files.txt
notepad files.txt

__________
MfG Sabina

rund um die PC-Sicherheit

#27 mhmh das kam raus^^

ich hoffe das habe ich richtig gemacht weil es ging ein bisschen zu schnell xD


Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 58CE-A961

Verzeichnis von C:\mIRC\download

20.07.2006 12:58 <DIR> .
20.07.2006 12:58 <DIR> ..
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 131.405.357.056 Bytes frei

#28 es waren also nur die server3.exe und server4. exe und svchost.exe drin....

ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- entzippen
- doppelklick auf die datei ServiceFilter.vbs
- versions-nummer bestätigen
- scannen
- öffnen von wordpad oder editor erlauben
- POST_THIS.TXT abkopieren

+
das log von winpfind
http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit

#29 So post_this hat das gesagt :


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Jul 21, 2006 11:36:13


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AntiVirScheduler
Display Name: AntiVir Scheduler
Start Mode: Auto
Start Name: LocalSystem
Description: Dienst zur Planung und Steuerung von Prüf- und Updateaufgaben der AntiVir PersonalEdition ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\sched.exe
State: Running
Process ID: 288
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 2
Service Name: AntiVirService
Display Name: AntiVir PersonalEdition Classic Service
Start Mode: Auto
Start Name: LocalSystem
Description: Echtzeit Virenschutz durch H+BEDV AntiVir ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\avguard.exe
State: Running
Process ID: 304
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #3
Service Name: aspnet_state
Display Name: ASP.NET State Service
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, ...
Service Type: Own Process
Path: c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #4
Service Name: aswUpdSv
Display Name: avast! iAVS4 Control Service
Start Mode: Auto
Start Name: LocalSystem
Description: Bietet das automatische Update für avast! ...
Service Type: Own Process
Path: "c:\programme\alwil software\avast4\aswupdsv.exe"
State: Running
Process ID: 348
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #5
Service Name: avast! Antivirus
Display Name: avast! Antivirus
Start Mode: Auto
Start Name: LocalSystem
Description: Verwaltet und implementiert avast! Antivirus Dienste für diesen Computer. Dies beinhaltet den ...
Service Type: Own Process
Path: "c:\programme\alwil software\avast4\ashserv.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 6
Service Name: avast! Mail Scanner
Display Name: avast! Mail Scanner
Start Mode: Manual
Start Name: LocalSystem
Description: Implementiert Mailüberprüfung durch avast! ...
Service Type: Own Process
Path: "c:\programme\alwil software\avast4\ashmaisv.exe" /service
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 7
Service Name: avast! Web Scanner
Display Name: avast! Web Scanner
Start Mode: Manual
Start Name: LocalSystem
Description: Implementiert Internetüberprüfung (HTTP) durch avast! ...
Service Type: Own Process
Path: "c:\programme\alwil software\avast4\ashwebsv.exe" /service
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 8
Service Name: Brother XP spl Service
Display Name: BrSplService
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\brsvc01a.exe
State: Running
Process ID: 1872
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 9
Service Name: clr_optimization_v2.0.50727_32
Display Name: .NET Runtime Optimization Service v2.0.50727_X86
Start Mode: Manual
Start Name: LocalSystem
Description: Microsoft .NET Framework ...
Service Type: Own Process
Path: c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 10
Service Name: de_serv
Display Name: AVM FRITZ!web Routing Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\gemeinsame dateien\avm\de_serv.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #11
Service Name: Nla
Display Name: NLA (Network Location Awareness)
Start Mode: Boot
Start Name: LocalSystem
Description: Sammelt und speichert Netzwerkkonfigurations- und Standortinformationen und benachrichtigt ...
Service Type: Share Process
Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1132
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #12
Service Name: NVSvc
Display Name: NVIDIA Display Driver Service
Start Mode: Boot
Start Name: LocalSystem
Description: Provides system and desktop level support to the NVIDIA display ...
Service Type: Own Process
Path: \systemroot\c:\windows\system32\nvsvc32.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #13
Service Name: SharedAccess
Display Name: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung
Start Mode: Boot
Start Name: LocalSystem
Description: Bietet allen Computern in Heim- und kleinen Firmennetzwerken Dienste für die ...
Service Type: Share Process
Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #14
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{a3b71fbd-22e2-4644-b261-884b49640181}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #15
Service Name: Symantec Core LC
Display Name: Symantec Core LC
Start Mode: Boot
Start Name: LocalSystem
Description: Symantec Core ...
Service Type: Own Process
Path: \systemroot\"c:\programme\gemeinsame dateien\symantec shared\ccpd-lc\symlcsvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 16
Service Name: TUWinStylerThemeSvc
Display Name: TuneUp WinStyler Theme Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\programme\tuneup utilities 2006\winstylerthemesvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 91 Win32 services on this machine.
16 were unrecognized.

Script Execution Time: 0,59375 seconds.




So und zum 2. Teil



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
aspack 12.09.2005 02:00:00 665816 C:\NAVEX15.SYS
aspack 12.09.2005 02:00:00 963069 C:\NAVEX15.VXD
aspack 12.09.2005 02:00:00 706168 C:\NAVEX32A.DLL
SAHAgent 12.09.2005 02:00:00 960521 C:\VIRSCAN1.DAT
FSG! 12.09.2005 02:00:00 1402652 C:\VIRSCAN8.DAT
UPX! 12.09.2005 02:00:00 2661441 C:\VIRSCAN9.DAT
FSG! 12.09.2005 02:00:00 2661441 C:\VIRSCAN9.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 05.03.2006 19:02:30 65536 C:\WINDOWS\IFinst27.exe

Checking %System% folder...
UPX! 31.05.2006 11:02:04 624640 C:\WINDOWS\SYSTEM32\aswBoot.exe
aspack 26.05.2005 16:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 22.07.2005 20:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
PEC2 04.08.2004 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 19.06.2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 07.07.2006 03:21:46 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 14:00:00 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 14:00:00 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 04.08.2004 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 19.06.2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
21.07.2006 10:49:08 S 2048 C:\WINDOWS\bootstat.dat
21.07.2006 10:58:20 H 4212 C:\WINDOWS\system32\zllictbl.dat
29.05.2006 18:16:04 S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
01.06.2006 22:28:44 S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
19.06.2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
21.07.2006 10:57:44 H 1024 C:\WINDOWS\system32\config\default.LOG
21.07.2006 10:49:10 H 1024 C:\WINDOWS\system32\config\SAM.LOG
21.07.2006 10:50:54 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
21.07.2006 11:39:18 H 1024 C:\WINDOWS\system32\config\software.LOG
21.07.2006 11:23:12 H 1024 C:\WINDOWS\system32\config\system.LOG
17.07.2006 01:20:32 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
17.07.2006 01:20:48 S 558 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
17.07.2006 01:20:48 S 146 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
01.06.2006 20:01:36 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\f3e9469f-829c-4e2b-9ccd-248231b97317
01.06.2006 20:01:36 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
21.07.2006 10:49:16 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 14:00:00 70656 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 19.03.2004 04:44:32 14250496 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 04.08.2004 14:00:00 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 14:00:00 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 14:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 14:00:00 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 14:00:00 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 14:00:00 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10.11.2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 04.08.2004 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 14:00:00 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04.08.2004 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 14:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 14:00:00 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
10.10.2005 22:49:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 14:00:00 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 14:00:00 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04.08.2004 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 14:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 14:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04.08.2004 14:00:00 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04.08.2004 14:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04.08.2004 14:00:00 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04.08.2004 14:00:00 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04.08.2004 14:00:00 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04.08.2004 14:00:00 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 04.08.2004 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04.08.2004 14:00:00 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 04.08.2004 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04.08.2004 14:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04.08.2004 14:00:00 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 04.08.2004 14:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04.08.2004 14:00:00 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04.08.2004 14:00:00 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04.08.2004 14:00:00 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 04.08.2004 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04.08.2004 14:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04.08.2004 14:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26.05.2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
15.11.2005 19:41:24 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
17.11.2005 12:26:28 1651 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Logitech SetPoint.lnk
15.11.2005 19:25:02 1714 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
15.11.2005 19:24:00 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
15.11.2005 19:41:24 HS 84 C:\Dokumente und Einstellungen\User_1\Startmenü\Programme\Autostart\desktop.ini
05.03.2006 12:01:40 640 C:\Dokumente und Einstellungen\User_1\Startmenü\Programme\Autostart\Xfire.lnk

Checking files in %USERPROFILE%\Application Data folder...
15.11.2005 19:24:00 HS 62 C:\Dokumente und Einstellungen\User_1\Anwendungsdaten\desktop.ini
31.05.2006 14:02:12 71640 C:\Dokumente und Einstellungen\User_1\Anwendungsdaten\GDIPFONTCACHEV1.DAT
20.07.2006 13:49:50 5252 C:\Dokumente und Einstellungen\User_1\Anwendungsdaten\wklnhst.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IPSContMenu
{EBDF1F20-C829-11D1-8233-0020AF3E97A9} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll"
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\IPSContMenu
{EBDF1F20-C829-11D1-8233-0020AF3E97A9} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\IPSContMenu
{EBDF1F20-C829-11D1-8233-0020AF3E97A9} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Programme\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{855F3B16-6D32-4fe6-8A56-BBB695989046} = ICQ Toolbar : C:\Programme\ICQToolbar\toolbaru.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B205A35E-1FC4-4CE3-818B-899DBBB3388C}
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{C4069E3A-68F1-403E-B40E-20066696354B} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{855F3B16-6D32-4FE6-8A56-BBB695989046} = ICQ Toolbar : C:\Programme\ICQToolbar\toolbaru.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
Logitech Hardware Abstraction Layer KHALMNPR.EXE
SunJavaUpdateSched C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ICQ Lite "C:\Programme\ICQLite\ICQLite.exe" -minimize
SunServer C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
avgnt "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
Zone Labs Client "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Programme\Messenger\msmsgs.exe" /background
MsnMsgr "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
SpybotSD TeaTimer C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
ICQ Lite C:\Programme\ICQLite\ICQLite.exe -trayboot

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Generic Host Process C:\WINDOWS\system32\scvhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
undockwithoutlogon 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
Disabled 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 21.07.2006 11:41:40

#30 1.
virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\IFinst27.exe

poste den report

---------------------------------------------------------------

2.
poste dieses log
http://virus-protect.org/registry_stuff.html

---------------------------------------------------------------

Gehe in die Registry
Start - Ausfuehren - regedit

bearbeiten - suchen - (einkopieren: ) Generic Host Process und scvhost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Generic Host Process <---loeschen

+
was du sonst noch findest.


PC neustarten
__________
MfG Sabina

rund um die PC-Sicherheit