BattyRun2.dll Unerwünschter PoP-Up Mist

#1 Hallo! Also eure Site benutze ich schon längerfristig ^^ aber bisher reichte mir das einfach eure Tipps nach zu arbeiten ..

Jetzt habe ich ein Problem das ich komischerweise nach Aufarbeitung des gleichen Problems vom 23.10 (Beitrag barbzz) nicht los werde! Oder aber ich habe die vorangegangenen Probleme doch nicht soooo richtig gelöst :-(

Logfile of HijackThis v1.99.1
Scan saved at 12:15:55, on 07.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\PSCastor\PSCastor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\Rar$EX00.281\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.ysearch.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{2B2AB34D-ED35-B337-6B55-C658C14504A6} - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: (no name) - {C35F268C-6B1C-9A9B-976F-3E0A5D8DF8A6} - C:\WINDOWS\lznjvsza.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu1\toolbaru.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PSCastor] "C:\Programme\PSCastor\PSCastor.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Programme\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {128988D7-0075-4D92-9557-9A2BFCFAE319} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {128988D7-0075-4D92-9557-9A2BFCFAE319} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/145f0da8859fd1a16716/netzip/RdxIE601_de.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125250401093
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/de/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8FD63F1-2A6E-426B-B17F-D9FE14388E84}: NameServer = 217.237.151.225,217.237.150.225
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - F:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Programme\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Programme\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)

Soooo .. hier dann mit ComboFix ein Log erstellt ..

Michael Gromer - 06-11-07 13:11:34,96 Service Pack 2
ComboFix 06.10.19 - Running from: "F:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~1\?racle


((((((((((((((((((((((((((((((( Files Created from 2006-10-07 to 2006-11-07 ))))))))))))))))))))))))))))))))))


2006-10-26 17:40 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2006-10-22 11:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-07 10:41 -------- d-------- C:\Programme\CleanUp!
2006-11-07 09:49 -------- d-------- C:\Programme\WinACE
2006-11-02 17:10 -------- d-------- C:\Programme\ICQToolbar
2006-11-02 17:10 -------- d-------- C:\Dokumente und Einstellungen\Michael Gromer\Anwendungsdaten\ICQ Toolbar
2006-11-01 00:11 -------- d-------- C:\Programme\WinRAR
2006-10-31 09:30 -------- d---s---- C:\Dokumente und Einstellungen\Michael Gromer\Anwendungsdaten\Microsoft
2006-10-29 19:49 -------- d-------- C:\Dokumente und Einstellungen\Michael Gromer\Anwendungsdaten\Adobe
2006-10-29 19:46 -------- d-------- C:\Programme\Gemeinsame Dateien\Vbox
2006-10-29 19:46 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-10-29 19:45 -------- d-------- C:\Programme\Gemeinsame Dateien\Adobe
2006-10-29 19:45 -------- d-------- C:\Programme\Adobe
2006-10-26 17:44 -------- d-------- C:\Programme\Gemeinsame Dateien\MAGIX Shared
2006-10-25 08:57 -------- d-------- C:\Programme\ABBYY FineReader 5.0 Sprint
2006-10-25 08:31 -------- d-------- C:\Programme\Lexmark X74-X75
2006-10-24 07:45 -------- d-------- C:\Programme\PSDream
2006-10-24 07:45 -------- d-------- C:\Programme\PSCastor
2006-10-19 15:56 32208 ---hs---- C:\Programme\Gemeinsame Dateien\Y1324OU.exe
2006-10-03 10:43 -------- d-------- C:\Programme\Internet Explorer
2006-09-13 06:02 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 16:51 1245184 --------- C:\WINDOWS\system32\msxml4.dll
2006-08-25 16:46 617472 --------- C:\WINDOWS\system32\comctl32.dll
2006-08-21 13:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-07 16:17 61440 --------- C:\WINDOWS\system32\BattyRun2.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"PSCastor"="\"C:\\Programme\\PSCastor\\PSCastor.exe\""
"Microsoft Works Update Detection"="c:\\Programme\\Microsoft Works\\WkDetect.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="C:\\Programme\\ICQLite\\ICQLite.exe -trayboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\not active]
"DB_AFD"="C:\\Programme\\DATA BECKER\\XP optimal einstellen 3.0\\DBAFD.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="7db39a0d-580f-4be9-9195-8bfcd226f6c2"
"SubscribedURL"="C:\\WINDOWS\\System32\\AquaReal.ocx"
"FriendlyName"="PC-Aquarium Deluxe"
"Flags"=dword:00004003
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,20,03,00,00,35,02,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,20,03,00,00,35,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,20,03,00,00,58,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=hex:01,00,00,00
"NoInstrumentation"=dword:00000001
"NoDrives"=dword:00000000
"NoDriveAutorun"=dword:00000000
"NoSharedDocuments"=dword:00000000
"NoFavoritesMenu"=dword:00000001
"SpecifyDefaultButtons"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Office Outlook"="C:\\PROGRA~1\\MICROS~4\\OFFICE11\\OUTLOOK.EXE /recycle"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Programme\\Gemeinsame Dateien\\Ahead\\lib\\NMBgMonitor.exe\""
"NCLaunch"="C:\\WINDOWS\\NCLAUNCH.EXe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Microsoft Works Update Detection"="c:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"WorksFUD"="c:\\Programme\\Microsoft Works\\wkfud.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"Microsoft Works Portfolio"="c:\\Programme\\Microsoft Works\\WksSb.exe /AllUsers"
"ICQ Lite"="C:\\Programme\\ICQLite\\ICQLite.exe -minimize"
"Lexmark X74-X75"="\"C:\\Programme\\Lexmark X74-X75\\lxbbbmgr.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Adobe Reader - Schnellstart.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader - Schnellstart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader - Schnellstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Logitech Desktop Messenger.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Michael Gromer^Startmenü^Programme^Autostart^Registration-InstantCopy.lnk]
"path"="C:\\Dokumente und Einstellungen\\Michael Gromer\\Startmenü\\Programme\\Autostart\\Registration-InstantCopy.lnk"
"backup"="C:\\WINDOWS\\pss\\Registration-InstantCopy.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Pinnacle\\SHARED~1\\INSTAN~1\\Pixie\\RegTool.exe InstantCopy,INSCPY,register,DE,0,serial=AARTO-AAWNO-EMMGX-ZEAMA-MPWGA"
"item"="Registration-InstantCopy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0190 Alarm]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="0190Alarm"
"hkey"="HKCU"
"command"="C:\\Programme\\0190 Alarm\\0190Alarm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKLM"
"command"="C:\\Programme\\SlySoft\\AnyDVD\\AnyDVD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Programme\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbbbmgr"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Lexmark X74-X75\\lxbbbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="C:\\Programme\\Logitech\\Video\\ManifestEngine.exe boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Programme\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Programme\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Guardian]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CMGrdian"
"hkey"="HKLM"
"command"="\"C:\\Programme\\McAfee\\McAfee Shared Components\\Guardian\\CMGrdian.exe\" /SU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee.InstantUpdate.Monitor]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RuLaunch"
"hkey"="HKCU"
"command"="\"C:\\Programme\\McAfee\\McAfee Shared Components\\Instant Updater\\RuLaunch.exe\" /STARTMONITOR"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Programme\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\routcnf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="routcnf"
"hkey"="HKLM"
"command"="C:\\Programme\\Telekom\\Eumex 404PC\\routcnf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Programme\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Programme\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Programme\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPoe-Runtime]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xpoerunt"
"hkey"="HKCU"
"command"="C:\\Programme\\DATA BECKER\\XP optimal einstellen 3.0\\xpoerunt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\{379569C4-655F-42E3-9AB9-4BED466EDD61}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{396BDFDF-4361-48CE-8FCC-A2B025735F23}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{4B4067C7-56A6-404E-8A6B-B9FDDA94C807}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{4E0ABFA3-8428-470E-8F76-34F48A6A0D13}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{7F78950F-0B9F-408F-969C-48BC808629D9}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{8B123A06-B7B3-4768-BAF1-9A9610EA8C91}_MICHAEL_Michael Gromer.job

Completion time: 06-11-07 13:12:08.43
C:\ComboFix.txt ... 06-11-07 13:12
C:\ComboFix2.txt ... 06-11-07 12:08
C:\ComboFix3.txt ... 06-11-07 10:48
__________
THX for help ^^

#2 auf dem Rechner sind noch mehr viren - ich brauche noch dieses log

««
Kopiere diese 6 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Schön das man noch mehr Fehler hat auf die man aufmerksam gemacht wird ^^ jubel jubel freu freu ;-)

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS\system32

07.11.2006 18:36 402.426 perfh009.dat
07.11.2006 18:36 413.842 perfh007.dat
07.11.2006 18:36 61.896 perfc009.dat
07.11.2006 18:36 73.086 perfc007.dat
07.11.2006 18:36 963.278 PerfStringBackup.INI
07.11.2006 18:32 1.158 wpa.dbl
07.11.2006 18:32 49.871 nvapps.xml
07.11.2006 10:28 19.456 Thumbs.db
04.10.2006 21:03 9.639.336 MRT.exe
13.09.2006 06:02 1.084.416 msxml3.dll
12.09.2006 16:51 1.245.184 msxml4.dll
05.09.2006 21:30 356.952 FNTCACHE.DAT
04.09.2006 07:12 1.494.016 shdocvw.dll
25.08.2006 16:46 617.472 comctl32.dll
21.08.2006 13:26 16.896 fltlib.dll
21.08.2006 10:14 23.040 fltmc.exe
16.08.2006 12:58 100.352 6to4svc.dll
07.08.2006 16:17 61.440 BattyRun2.dll

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\DOKUME~1\MICHAE~1\LOKALE~1\TEMP

07.11.2006 18:32 463 WCESCOMM.LOG
07.11.2006 13:26 983 TmpICQMagic_{EC202595-1DFD-4301-A1EA-13C1E331B505}8164.html
07.11.2006 12:35 16.384 ~DFBD33.tmp
07.11.2006 12:35 16.384 ~DFB7BC.tmp
4 Datei(en) 34.214 Bytes
0 Verzeichnis(se), 101.888.475.136 Bytes frei

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS

07.11.2006 18:40 149 lznjvsza.ini
07.11.2006 18:32 159 wiadebug.log
07.11.2006 18:32 50 wiaservc.log
07.11.2006 18:32 1.777.307 WindowsUpdate.log
07.11.2006 18:32 0 0.log
07.11.2006 18:32 2.048 bootstat.dat
07.11.2006 13:26 32.626 SchedLgU.Txt
07.11.2006 13:19 229 NeroDigital.ini
07.11.2006 11:06 112.363 windows.txt
07.11.2006 10:31 308.968 ntbtlog.txt
06.11.2006 23:52 1.266 IE4 Error Log.txt
06.11.2006 16:52 1.222 LEXSTAT.INI
06.11.2006 16:02 272.565 setupapi.log
29.10.2006 19:45 109.738 wmsetup.log
29.10.2006 19:45 316.640 WMSysPr9.prx
26.10.2006 17:51 0 homeDVD-Fotos5_5.INI
12.10.2006 00:06 301.364 comsetup.log
12.10.2006 00:06 43.666 ocmsn.log
12.10.2006 00:06 183.615 ntdtcsetup.log
12.10.2006 00:06 1.393 imsins.log
12.10.2006 00:06 137.012 iis6.log
12.10.2006 00:06 346.497 tsoc.log
12.10.2006 00:06 13.069 KB924191.log
12.10.2006 00:06 447.839 ocgen.log
12.10.2006 00:06 44.501 msgsocm.log
12.10.2006 00:06 890.433 FaxSetup.log
12.10.2006 00:06 37.633 updspapi.log
12.10.2006 00:06 1.393 imsins.BAK
12.10.2006 00:06 12.883 KB922819.log
12.10.2006 00:06 12.059 KB923414.log
12.10.2006 00:05 12.053 KB924496.log
12.10.2006 00:04 9.505 KB923191.log
12.10.2006 00:03 1.880 win.ini
10.10.2006 20:33 136.897 Directx.log
03.10.2006 12:57 211 RomeTW.ini
03.10.2006 11:41 691 bsx32.ini
03.10.2006 08:28 11.539 KB925486.log
03.10.2006 08:27 15.531 KB920872.log
03.10.2006 08:27 11.623 KB920685.log
03.10.2006 08:27 11.670 KB919007.log
03.10.2006 08:26 7.969 KB922582.log
24.09.2006 15:54 65.983 offlog.txt
19.09.2006 18:40 108.336 mswinsck.ocx
25.08.2006 08:16 16.138 KB920214.log
25.08.2006 08:16 15.871 KB921883.log
25.08.2006 08:16 15.711 KB922616.log
25.08.2006 08:15 16.108 KB921398.log
25.08.2006 08:15 19.416 KB918899.log
25.08.2006 08:14 12.098 KB920670.log
25.08.2006 08:14 12.257 KB917422.log
25.08.2006 08:14 12.510 KB920683.log
24.07.2006 19:58 32.193 spupdsvc.log
24.07.2006 11:25 13.345 WgaNotify.log
23.07.2006 11:50 816 eReg.dat
12.07.2006 19:34 13.261 KB917159.log
12.07.2006 19:34 13.829 KB914388.log
12.07.2006 19:34 11.539 KB916595.log

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS\Temp

07.11.2006 18:32 409 WGANotify.settings
07.11.2006 18:32 40.960 rtdrvmon.exe
07.11.2006 18:32 0 T30DebugLogFile.txt
07.11.2006 18:32 0 Perflib_Perfdata_e4.dat
07.11.2006 18:32 255 WGAErrLog.txt
5 Datei(en) 41.624 Bytes
0 Verzeichnis(se), 101.888.569.344 Bytes frei

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS\Downloaded Program Files

02.08.2005 15:48 495 LegitCheckControl.inf
26.05.2005 03:19 293 muweb.inf
07.04.2005 07:28 143 activex.inf
04.04.2005 15:53 753.664 activex.ocx
04.03.2005 03:52 752 jinstall-1_5_0_02.inf
17.01.2005 16:09 227 opuc.inf
30.11.2004 13:17 728 qdiagh.inf
28.01.2004 11:14 524.445 RdxIE.dll
08.12.2003 13:58 3.759 swflash.inf
25.07.2002 16:13 24.576 dwusplay.dll
25.07.2002 16:13 196.608 dwusplay.exe
25.07.2002 16:05 172.032 isusweb.dll
30.01.2002 12:11 65 desktop.ini
13 Datei(en) 1.677.787 Bytes
0 Verzeichnis(se), 101.888.565.248 Bytes frei

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\

07.11.2006 18:50 0 sys.txt
07.11.2006 18:49 895 down.txt
07.11.2006 18:49 499 tmp.txt
07.11.2006 18:48 18.864 system.txt
07.11.2006 18:47 488 systemtemp.txt
07.11.2006 18:47 112.363 system32.txt
07.11.2006 18:32 2.147.012.608 hiberfil.sys
07.11.2006 18:32 805.306.368 pagefile.sys
02.04.2006 18:14 88 AUTOEXEC.BAT
14.03.2006 18:46 222 boot.ini
30.08.2004 20:23 47.564 NTDETECT.COM
30.08.2004 20:23 251.184 ntldr
30.01.2002 12:13 0 MSDOS.SYS
30.01.2002 12:13 0 CONFIG.SYS
30.01.2002 12:13 0 IO.SYS
18.08.2001 13:00 4.952 bootfont.bin
23.08.1995 09:20 232.720 OLEAUT32.DLL
13.06.1995 23:30 329.216 MSVCRT30.DLL
13.06.1995 23:30 707.856 VB40032.DLL
13.06.1995 23:30 74.240 OLEPRO32.DLL
20 Datei(en) 2.954.100.127 Bytes
0 Verzeichnis(se), 101.888.561.152 Bytes frei
__________
THX for help ^^

#4 1.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Zitat

Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C35F268C-6B1C-9A9B-976F-3E0A5D8DF8A6}

Files to delete:
C:\Programme\Gemeinsame Dateien\Y1324OU.exe
C:\WINDOWS\lznjvsza.ini
C:\WINDOWS\bsx32.ini
C:\WINDOWS\lznjvsza.dll
C:\WINDOWS\system32\BattyRun2.dll

Folders to delete:
C:\Programme\Batty2
C:\Programme\Batty
C:\Programme\PSDream
C:\Programme\PSCastor
C:\Programme\DownloadWare

Klicke die grüne Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

««
öffne das HijackThis -- Button "scan" -- vor diese Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

R3 - URLSearchHook: (no name) - _{2B2AB34D-ED35-B337-6B55-C658C14504A6} - (no file)

O2 - BHO: (no name) - {C35F268C-6B1C-9A9B-976F-3E0A5D8DF8A6} - C:\WINDOWS\lznjvsza.dll

O4 - HKCU\..\Run: [PSCastor] "C:\Programme\PSCastor\PSCastor.exe"

O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)

O20 - AppInit_DLLs: BattyRun2.dll

PC neustarten

»»
scanne und poste den scanreport
http://virus-protect.org/ewido.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Hola, habe alles gemacht wie du meintest .. brachte nach dem neustart aber diese meldung..

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ehlyufbb

*******************

Script file located at: fkktksie

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

habe danach aber fortgefahren mit hijack

Logfile of HijackThis v1.99.1
Scan saved at 15:45:08, on 08.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\Rar$EX02.141\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.ysearch.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\tbu1\toolbaru.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu1\toolbaru.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Programme\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {128988D7-0075-4D92-9557-9A2BFCFAE319} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {128988D7-0075-4D92-9557-9A2BFCFAE319} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/145f0da8859fd1a16716/netzip/RdxIE601_de.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125250401093
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/de/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8FD63F1-2A6E-426B-B17F-D9FE14388E84}: NameServer = 217.237.151.225,217.237.150.225
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - F:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Programme\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Programme\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
__________
THX for help ^^

#6 ««
Avenger

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_LOG\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Log
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_LOG\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Log
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDOWS_LOG\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Log
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_LOG\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log

Files to delete:
C:\WINDOWS\system\smss.exe
C:\WINDOWS\system32\nvsvcd.exe

««
poste noch mal das log von combofix + die 6 Logs von datfndbat

+
poste dieses log
http://virus-protect.org/registry_stuff.html
__________
MfG Sabina

rund um die PC-Sicherheit

#7 ComboFix

Michael Gromer - 06-11-08 16:35:08,59 Service Pack 2
ComboFix 06.10.19 - Running from: "F:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~1\?racle


((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-10-26 17:40 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2006-10-22 11:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-07 10:41 -------- d-------- C:\Programme\CleanUp!
2006-11-07 09:49 -------- d-------- C:\Programme\WinACE
2006-11-02 17:10 -------- d-------- C:\Programme\ICQToolbar
2006-11-02 17:10 -------- d-------- C:\Dokumente und Einstellungen\Michael Gromer\Anwendungsdaten\ICQ Toolbar
2006-11-01 00:11 -------- d-------- C:\Programme\WinRAR
2006-10-31 09:30 -------- d---s---- C:\Dokumente und Einstellungen\Michael Gromer\Anwendungsdaten\Microsoft
2006-10-29 19:49 -------- d-------- C:\Dokumente und Einstellungen\Michael Gromer\Anwendungsdaten\Adobe
2006-10-29 19:46 -------- d-------- C:\Programme\Gemeinsame Dateien\Vbox
2006-10-29 19:46 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-10-29 19:45 -------- d-------- C:\Programme\Gemeinsame Dateien\Adobe
2006-10-29 19:45 -------- d-------- C:\Programme\Adobe
2006-10-26 17:44 -------- d-------- C:\Programme\Gemeinsame Dateien\MAGIX Shared
2006-10-25 08:57 -------- d-------- C:\Programme\ABBYY FineReader 5.0 Sprint
2006-10-25 08:31 -------- d-------- C:\Programme\Lexmark X74-X75
2006-10-24 07:45 -------- d-------- C:\Programme\PSDream
2006-10-24 07:45 -------- d-------- C:\Programme\PSCastor
2006-10-19 15:56 32208 ---hs---- C:\Programme\Gemeinsame Dateien\Y1324OU.exe
2006-10-03 10:43 -------- d-------- C:\Programme\Internet Explorer
2006-09-13 06:02 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 16:51 1245184 --------- C:\WINDOWS\system32\msxml4.dll
2006-08-25 16:46 617472 --------- C:\WINDOWS\system32\comctl32.dll
2006-08-21 13:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"Microsoft Works Update Detection"="c:\\Programme\\Microsoft Works\\WkDetect.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\not active]
"DB_AFD"="C:\\Programme\\DATA BECKER\\XP optimal einstellen 3.0\\DBAFD.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="7db39a0d-580f-4be9-9195-8bfcd226f6c2"
"SubscribedURL"="C:\\WINDOWS\\System32\\AquaReal.ocx"
"FriendlyName"="PC-Aquarium Deluxe"
"Flags"=dword:00004003
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,20,03,00,00,35,02,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,20,03,00,00,35,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,20,03,00,00,58,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=hex:01,00,00,00
"NoInstrumentation"=dword:00000001
"NoDrives"=dword:00000000
"NoDriveAutorun"=dword:00000000
"NoSharedDocuments"=dword:00000000
"NoFavoritesMenu"=dword:00000001
"SpecifyDefaultButtons"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Office Outlook"="C:\\PROGRA~1\\MICROS~4\\OFFICE11\\OUTLOOK.EXE /recycle"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Programme\\Gemeinsame Dateien\\Ahead\\lib\\NMBgMonitor.exe\""
"NCLaunch"="C:\\WINDOWS\\NCLAUNCH.EXe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Microsoft Works Update Detection"="c:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"WorksFUD"="c:\\Programme\\Microsoft Works\\wkfud.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"Microsoft Works Portfolio"="c:\\Programme\\Microsoft Works\\WksSb.exe /AllUsers"
"ICQ Lite"="C:\\Programme\\ICQLite\\ICQLite.exe -minimize"
"Lexmark X74-X75"="\"C:\\Programme\\Lexmark X74-X75\\lxbbbmgr.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Adobe Reader - Schnellstart.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader - Schnellstart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader - Schnellstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Logitech Desktop Messenger.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Michael Gromer^Startmenü^Programme^Autostart^Registration-InstantCopy.lnk]
"path"="C:\\Dokumente und Einstellungen\\Michael Gromer\\Startmenü\\Programme\\Autostart\\Registration-InstantCopy.lnk"
"backup"="C:\\WINDOWS\\pss\\Registration-InstantCopy.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Pinnacle\\SHARED~1\\INSTAN~1\\Pixie\\RegTool.exe InstantCopy,INSCPY,register,DE,0,serial=AARTO-AAWNO-EMMGX-ZEAMA-MPWGA"
"item"="Registration-InstantCopy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0190 Alarm]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="0190Alarm"
"hkey"="HKCU"
"command"="C:\\Programme\\0190 Alarm\\0190Alarm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKLM"
"command"="C:\\Programme\\SlySoft\\AnyDVD\\AnyDVD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Programme\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbbbmgr"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Lexmark X74-X75\\lxbbbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="C:\\Programme\\Logitech\\Video\\ManifestEngine.exe boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Programme\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Programme\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Guardian]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CMGrdian"
"hkey"="HKLM"
"command"="\"C:\\Programme\\McAfee\\McAfee Shared Components\\Guardian\\CMGrdian.exe\" /SU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee.InstantUpdate.Monitor]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RuLaunch"
"hkey"="HKCU"
"command"="\"C:\\Programme\\McAfee\\McAfee Shared Components\\Instant Updater\\RuLaunch.exe\" /STARTMONITOR"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Programme\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\routcnf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="routcnf"
"hkey"="HKLM"
"command"="C:\\Programme\\Telekom\\Eumex 404PC\\routcnf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Programme\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Programme\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="Software\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Programme\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPoe-Runtime]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xpoerunt"
"hkey"="HKCU"
"command"="C:\\Programme\\DATA BECKER\\XP optimal einstellen 3.0\\xpoerunt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\{379569C4-655F-42E3-9AB9-4BED466EDD61}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{396BDFDF-4361-48CE-8FCC-A2B025735F23}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{4B4067C7-56A6-404E-8A6B-B9FDDA94C807}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{4E0ABFA3-8428-470E-8F76-34F48A6A0D13}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{7F78950F-0B9F-408F-969C-48BC808629D9}_MICHAEL_Michael Gromer.job
C:\WINDOWS\tasks\{8B123A06-B7B3-4768-BAF1-9A9610EA8C91}_MICHAEL_Michael Gromer.job

Completion time: 06-11-08 16:35:55.01
C:\ComboFix.txt ... 06-11-08 16:35

Datfindbat

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS\system32

08.11.2006 16:36 402.426 perfh009.dat
08.11.2006 16:36 61.896 perfc009.dat
08.11.2006 16:36 413.842 perfh007.dat
08.11.2006 16:36 73.086 perfc007.dat
08.11.2006 16:36 963.278 PerfStringBackup.INI
08.11.2006 16:32 1.158 wpa.dbl
08.11.2006 16:31 49.871 nvapps.xml
07.11.2006 10:28 19.456 Thumbs.db
04.10.2006 21:03 9.639.336 MRT.exe
13.09.2006 06:02 1.084.416 msxml3.dll
12.09.2006 16:51 1.245.184 msxml4.dll
05.09.2006 21:30 356.952 FNTCACHE.DAT
04.09.2006 07:12 1.494.016 shdocvw.dll
25.08.2006 16:46 617.472 comctl32.dll
21.08.2006 13:26 16.896 fltlib.dll
21.08.2006 10:14 23.040 fltmc.exe
16.08.2006 12:58 100.352 6to4svc.dll
07.08.2006 16:17 61.440 BattyRun2.dll

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\DOKUME~1\MICHAE~1\LOKALE~1\TEMP

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS

08.11.2006 16:37 229 NeroDigital.ini
08.11.2006 16:31 159 wiadebug.log
08.11.2006 16:31 1.793.070 WindowsUpdate.log
08.11.2006 16:31 50 wiaservc.log
08.11.2006 16:31 0 0.log
08.11.2006 16:31 2.048 bootstat.dat
08.11.2006 16:30 32.626 SchedLgU.Txt
08.11.2006 15:37 149 lznjvsza.ini
08.11.2006 15:35 1.244 vbliqdep.txt
07.11.2006 18:48 18.864 windows.txt
07.11.2006 10:31 308.968 ntbtlog.txt
06.11.2006 23:52 1.266 IE4 Error Log.txt
06.11.2006 16:52 1.222 LEXSTAT.INI
06.11.2006 16:02 272.565 setupapi.log
29.10.2006 19:45 109.738 wmsetup.log
29.10.2006 19:45 316.640 WMSysPr9.prx
26.10.2006 17:51 0 homeDVD-Fotos5_5.INI
12.10.2006 00:06 301.364 comsetup.log
12.10.2006 00:06 137.012 iis6.log
12.10.2006 00:06 43.666 ocmsn.log
12.10.2006 00:06 183.615 ntdtcsetup.log
12.10.2006 00:06 346.497 tsoc.log
12.10.2006 00:06 1.393 imsins.log
12.10.2006 00:06 13.069 KB924191.log
12.10.2006 00:06 447.839 ocgen.log
12.10.2006 00:06 44.501 msgsocm.log
12.10.2006 00:06 890.433 FaxSetup.log
12.10.2006 00:06 37.633 updspapi.log
12.10.2006 00:06 1.393 imsins.BAK
12.10.2006 00:06 12.883 KB922819.log
12.10.2006 00:06 12.059 KB923414.log
12.10.2006 00:05 12.053 KB924496.log
12.10.2006 00:04 9.505 KB923191.log
12.10.2006 00:03 1.880 win.ini
10.10.2006 20:33 136.897 Directx.log
03.10.2006 12:57 211 RomeTW.ini
03.10.2006 11:41 691 bsx32.ini
03.10.2006 08:28 11.539 KB925486.log
03.10.2006 08:27 15.531 KB920872.log
03.10.2006 08:27 11.623 KB920685.log
03.10.2006 08:27 11.670 KB919007.log
03.10.2006 08:26 7.969 KB922582.log
24.09.2006 15:54 65.983 offlog.txt
19.09.2006 18:40 108.336 mswinsck.ocx
25.08.2006 08:16 16.138 KB920214.log
25.08.2006 08:16 15.871 KB921883.log
25.08.2006 08:16 15.711 KB922616.log
25.08.2006 08:15 16.108 KB921398.log
25.08.2006 08:15 19.416 KB918899.log
25.08.2006 08:14 12.098 KB920670.log
25.08.2006 08:14 12.257 KB917422.log
25.08.2006 08:14 12.510 KB920683.log

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS\Temp

08.11.2006 16:31 16.384 Perflib_Perfdata_b8.dat
1 Datei(en) 16.384 Bytes
0 Verzeichnis(se), 101.836.009.472 Bytes frei


Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\WINDOWS\Downloaded Program Files

02.08.2005 15:48 495 LegitCheckControl.inf
26.05.2005 03:19 293 muweb.inf
07.04.2005 07:28 143 activex.inf
04.04.2005 15:53 753.664 activex.ocx
04.03.2005 03:52 752 jinstall-1_5_0_02.inf
17.01.2005 16:09 227 opuc.inf
30.11.2004 13:17 728 qdiagh.inf
28.01.2004 11:14 524.445 RdxIE.dll
08.12.2003 13:58 3.759 swflash.inf
25.07.2002 16:13 24.576 dwusplay.dll
25.07.2002 16:13 196.608 dwusplay.exe
25.07.2002 16:05 172.032 isusweb.dll
30.01.2002 12:11 65 desktop.ini
13 Datei(en) 1.677.787 Bytes
0 Verzeichnis(se), 101.836.009.472 Bytes frei

Datentr„ger in Laufwerk C: ist Programme
Volumeseriennummer: CC65-D52F

Verzeichnis von C:\

08.11.2006 16:41 0 sys.txt
08.11.2006 16:40 895 down.txt
08.11.2006 16:40 285 tmp.txt
08.11.2006 16:40 18.914 system.txt
08.11.2006 16:40 132 systemtemp.txt
08.11.2006 16:37 112.363 system32.txt
08.11.2006 16:35 15.707 ComboFix.txt
08.11.2006 16:31 2.147.012.608 hiberfil.sys
08.11.2006 16:31 805.306.368 pagefile.sys
08.11.2006 16:31 588 avenger.txt
02.04.2006 18:14 88 AUTOEXEC.BAT
14.03.2006 18:46 222 boot.ini

findStuff

doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
doesn't exist HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
-----------------------
-----------------------
REGEDIT4
-----------------------
-----------------------

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Windows-Firewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,57,69,6e,4d,67,6d,74,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:0001f476

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*isabled:@xpsp2res.dll,-22019"
"C:\\Programme\\eMule.de\\emule.exe"="C:\\Programme\\eMule.de\\emule.exe:*isabled:eMule"
"C:\\Programme\\Gemeinsame Dateien\\Ahead\\Nero Web\\SetupX.exe"="C:\\Programme\\Gemeinsame Dateien\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:MSI starter"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:EnabledMSRegisterFile"
"C:\\Programme\\ICQLite\\ICQLite.exe"="C:\\Programme\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"K:\\Stronghold2\\Stronghold2.exe"="K:\\Stronghold2\\Stronghold2.exe:*isabled:Stronghold 2"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\Studio.exe:*isabled:Studio"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:Microsoft Update"
"C:\\WINDOWS\\scvhost.exe"="C:\\WINDOWS\\scvhost.exe:*:Enabled:Microsoft Windows"
"F:\\LimeWire\\LimeWire.exe"="F:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Programme\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Programme\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*isabled:backWeb-8876480"
"F:\\Bittorent\\bittorrent.exe"="F:\\Bittorent\\bittorrent.exe:*isabled:BitTorrent"
"C:\\Programme\\BitTorrent\\bittorrent.exe"="C:\\Programme\\BitTorrent\\bittorrent.exe:*isabled:BitTorrent"
"C:\\Programme\\BitTornado\\btdownloadgui.exe"="C:\\Programme\\BitTornado\\btdownloadgui.exe:*isabled:btdownloadgui"
"C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE"="C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE:*isabled:Connection Manager"
"C:\\Programme\\eDonkey2000\\edonkey2000.exe"="C:\\Programme\\eDonkey2000\\edonkey2000.exe:*isabled:edonkey2000"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*isabled:LEXPPS.EXE"
"F:\\StubInstaller.exe"="F:\\StubInstaller.exe:*isabled:LimeWire swarmed installer"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\umi.exe:*isabled:umi"
"C:\\Programme\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Programme\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*isabled:Windows Media(TM) Audio (wma)"
"C:\\Programme\\DINO_EDITIONS\\WinDVD\\DVD6\\WinDVD.exe"="C:\\Programme\\
DINO_EDITIONS\\WinDVD\\DVD6\\WinDVD.exe:*isabled:WinDVD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"139:TCP"="139:TCP:LocalSubNetisabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNetisabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNetisabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNetisabled:@xpsp2res.dll,-22002"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{A3C21644-7BA7-47F3-B690-18B207D2262D}"=dword:00000001
"{D8FD63F1-2A6E-426B-B17F-D9FE14388E84}"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Sicherheitscenter"
"DependOnService"=hex(7):52,70,63,53,73,00,77,69,6e,6d,67,6d,74,00,00
"ObjectName"="LocalSystem"
"Description"="Überwacht Systemsicherheitseinstellungen und -konfigurationen."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,53,59,53,54,45,4d,52,4f,4f,54,25,5c,73,79,73,74,65,6d,\
33,32,5c,77,73,63,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,62,72,\
6f,77,73,65,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:bf,88,da,98,c1,1c,73,4c,90,14,de,07,de,9d,0d,6c
"srvcomment"="Computer"
"AdjustedNullSessionPipes"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00


[HKEY_CURRENT_USER\Software\Microsoft\OLE]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000360
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:55,31,47,90,70,8c,57,5a,bd,f7,66,a4,da,12,5a,aa,64,64,35,33,66,\
34,37,39,00,00,00,00,01,00,00,00,bc,01,00,00,c0,01,00,00,40,ca,06,00,5b,a5,\
b7,71,04,00,00,00,10,00,00,00,00,00,00,00,6f,4d,57,26

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:a6,8c,4a,17,83,e3,37,29,36

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:2d,33,a4,6b,ee,fe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:b5,a0,e3,6c,44,96,e8,04,83,bc,85,30,ab,3e,b3,ba

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:a6,63,46,53,cb,8e,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,5b,d8,39,ad,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,0f,9d,3e,ad,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,3c,ce,3f,ad,79,c4,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Windows-Firewall/Gemeinsame Nutzung der Internetverbindung"
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,57,69,6e,4d,67,6d,74,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Bietet allen Computern in Privat- und Kleinunternehmensnetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:0001f476

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*isabled:@xpsp2res.dll,-22019"
"C:\\Programme\\eMule.de\\emule.exe"="C:\\Programme\\eMule.de\\emule.exe:*isabled:eMule"
"C:\\Programme\\Gemeinsame Dateien\\Ahead\\Nero Web\\SetupX.exe"="C:\\Programme\\Gemeinsame Dateien\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:MSI starter"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:EnabledMSRegisterFile"
"C:\\Programme\\ICQLite\\ICQLite.exe"="C:\\Programme\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"K:\\Stronghold2\\Stronghold2.exe"="K:\\Stronghold2\\Stronghold2.exe:*isabled:Stronghold 2"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\Studio.exe:*isabled:Studio"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:Microsoft Update"
"C:\\WINDOWS\\scvhost.exe"="C:\\WINDOWS\\scvhost.exe:*:Enabled:Microsoft Windows"
"F:\\LimeWire\\LimeWire.exe"="F:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Programme\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Programme\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*isabled:backWeb-8876480"
"F:\\Bittorent\\bittorrent.exe"="F:\\Bittorent\\bittorrent.exe:*isabled:BitTorrent"
"C:\\Programme\\BitTorrent\\bittorrent.exe"="C:\\Programme\\BitTorrent\\bittorrent.exe:*isabled:BitTorrent"
"C:\\Programme\\BitTornado\\btdownloadgui.exe"="C:\\Programme\\BitTornado\\btdownloadgui.exe:*isabled:btdownloadgui"
"C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE"="C:\\Programme\\Microsoft ActiveSync\\WCESCOMM.EXE:*isabled:Connection Manager"
"C:\\Programme\\eDonkey2000\\edonkey2000.exe"="C:\\Programme\\eDonkey2000\\edonkey2000.exe:*isabled:edonkey2000"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*isabled:LEXPPS.EXE"
"F:\\StubInstaller.exe"="F:\\StubInstaller.exe:*isabled:LimeWire swarmed installer"
"C:\\Programme\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Programme\\Pinnacle\\Studio 10\\programs\\umi.exe:*isabled:umi"
"C:\\Programme\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Programme\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*isabled:Windows Media(TM) Audio (wma)"
"C:\\Programme\\DINO_EDITIONS\\WinDVD\\DVD6\\WinDVD.exe"="C:\\Programme\\DINO_EDITIONS\\
WinDVD\\DVD6\\WinDVD.exe:*isabled:WinDVD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"139:TCP"="139:TCP:LocalSubNetisabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNetisabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNetisabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNetisabled:@xpsp2res.dll,-22002"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{A3C21644-7BA7-47F3-B690-18B207D2262D}"=dword:00000001
"{D8FD63F1-2A6E-426B-B17F-D9FE14388E84}"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Sicherheitscenter"
"DependOnService"=hex(7):52,70,63,53,73,00,77,69,6e,6d,67,6d,74,00,00
"ObjectName"="LocalSystem"
"Description"="Überwacht Systemsicherheitseinstellungen und -konfigurationen."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,53,59,53,54,45,4d,52,4f,4f,54,25,5c,73,79,73,74,65,6d,\
33,32,5c,77,73,63,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,62,72,\
6f,77,73,65,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:bf,88,da,98,c1,1c,73,4c,90,14,de,07,de,9d,0d,6c
"srvcomment"="Computer"
"AdjustedNullSessionPipes"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00


[HKEY_CURRENT_USER\Software\Microsoft\OLE]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Enum]
"0"="Root\\LEGACY_MESSENGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000360
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:55,31,47,90,70,8c,57,5a,bd,f7,66,a4,da,12,5a,aa,64,64,35,33,66,\
34,37,39,00,00,00,00,01,00,00,00,bc,01,00,00,c0,01,00,00,40,ca,06,00,5b,a5,\
b7,71,04,00,00,00,10,00,00,00,00,00,00,00,6f,4d,57,26

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:a6,8c,4a,17,83,e3,37,29,36

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:2d,33,a4,6b,ee,fe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:b5,a0,e3,6c,44,96,e8,04,83,bc,85,30,ab,3e,b3,ba

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:a6,63,46,53,cb,8e,c4,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,5b,d8,39,ad,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,0f,9d,3e,ad,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,3c,ce,3f,ad,79,c4,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]


Außer das ich DOOF jetzt aufhören werde mit diesem Tauschbörsen-mist .. ne frage zwischendurch .. ich weiß das ist der falsche Thread .. gibt es ein sinnvolles Programm um sowas in naher Zukunft zu vermeiden..
__________
THX for help ^^

#8 TopperHarley

du musst den Avenger noch mal anwenden, es ist alles noch drauf....
versuche es genau nach Anleitung durchzufuehren, und alles richtig anzuhaken und reinzu kopieren. - dann nach dem Neustart wende das andere script vom Avenger an (ich habe dir noch ein zweites erstellt...), um den Virendienst auszuloeschen

_______________________________________________________

wenn das erledigt ist, gehe in die Registry
start - Ausfuehren - regedit

klicke dich durch zum Schluessel:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

loeschen (mit rechtsklick)

"C:\\WINDOWS\\system32\\svchost.exe
"C:\\WINDOWS\\scvhost.exe

PC neustarten

_______________
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Welche logs möchtest du haben? so als vorweihnachtsgeschenk ^^
__________
THX for help ^^

#10 na als wichtigstes will ich die zwei Logs vom Avenger nach neustart sehen,
__________
MfG Sabina

rund um die PC-Sicherheit

#11 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kwon^ipc

*******************

Script file located at: \??\C:\Program Files\edagduoj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_LOG\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_LOG\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_LOG\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Log not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Log failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Log
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_LOG\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_LOG\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_LOG\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Log not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Log failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Log
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDOWS_LOG\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDOWS_LOG\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDOWS_LOG\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Log not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Log failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Log
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_LOG\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_LOG\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_LOG\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Log
Status: 0xc0000034



File C:\WINDOWS\system\smss.exe not found!
Deletion of file C:\WINDOWS\system\smss.exe failed!

Could not process line:
C:\WINDOWS\system\smss.exe
Status: 0xc0000034



File C:\WINDOWS\system32\nvsvcd.exe not found!
Deletion of file C:\WINDOWS\system32\nvsvcd.exe failed!

Could not process line:
C:\WINDOWS\system32\nvsvcd.exe
Status: 0xc0000034



File C:\Programme\Gemeinsame Dateien\Y1324OU.exe not found!
Deletion of file C:\Programme\Gemeinsame Dateien\Y1324OU.exe failed!

Could not process line:
C:\Programme\Gemeinsame Dateien\Y1324OU.exe
Status: 0xc0000034



File C:\WINDOWS\lznjvsza.ini not found!
Deletion of file C:\WINDOWS\lznjvsza.ini failed!

Could not process line:
C:\WINDOWS\lznjvsza.ini
Status: 0xc0000034



File C:\WINDOWS\bsx32.ini not found!
Deletion of file C:\WINDOWS\bsx32.ini failed!

Could not process line:
C:\WINDOWS\bsx32.ini
Status: 0xc0000034



File C:\WINDOWS\lznjvsza.dll not found!
Deletion of file C:\WINDOWS\lznjvsza.dll failed!

Could not process line:
C:\WINDOWS\lznjvsza.dll
Status: 0xc0000034



File C:\WINDOWS\system32\BattyRun2.dll not found!
Deletion of file C:\WINDOWS\system32\BattyRun2.dll failed!

Could not process line:
C:\WINDOWS\system32\BattyRun2.dll
Status: 0xc0000034



Folder C:\Programme\Batty2 not found!
Deletion of folder C:\Programme\Batty2 failed!

Could not process line:
C:\Programme\Batty2
Status: 0xc0000034



Folder C:\Programme\Batty not found!
Deletion of folder C:\Programme\Batty failed!

Could not process line:
C:\Programme\Batty
Status: 0xc0000034



Folder C:\Programme\PSDream not found!
Deletion of folder C:\Programme\PSDream failed!

Could not process line:
C:\Programme\PSDream
Status: 0xc0000034



Folder C:\Programme\PSCastor not found!
Deletion of folder C:\Programme\PSCastor failed!

Could not process line:
C:\Programme\PSCastor
Status: 0xc0000034



Folder C:\Programme\DownloadWare not found!
Deletion of folder C:\Programme\DownloadWare failed!

Could not process line:
C:\Programme\DownloadWare
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C35F268C-6B1C-9A9B-976F-3E0A5D8DF8A6} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C35F268C-6B1C-9A9B-976F-3E0A5D8DF8A6} failed!
Status: 0xc0000034

Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

sooooo .....
__________
THX for help ^^

#12 nun sieh, dass du die zwei exe aus der registry bekommst (siehe meine Anleitung)

dann scanne und poste den report (vorher alles auf remove stellen)
http://virus-protect.org/counterspy.html
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Infected files detected
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\accounting.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\business consulting.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\business services.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\business travel.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\computer services.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\human resources.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\marketing.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\office equipment.url
c:\dokumente und einstellungen\michael gromer\favoriten\-business directory-\office products.url
c:\dokumente und einstellungen\michael gromer\favoriten\-communications-\cell phones.url
c:\dokumente und einstellungen\michael gromer\favoriten\-communications-\fax machines.url
c:\dokumente und einstellungen\michael gromer\favoriten\-communications-\free internet.url
c:\dokumente und einstellungen\michael gromer\favoriten\-communications-\pda.url
c:\dokumente und einstellungen\michael gromer\favoriten\-communications-\streaming.url
c:\dokumente und einstellungen\michael gromer\favoriten\-communications-\telephones.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\cd burners.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\cd roms.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\computers.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\dvd drives.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\free web hosting.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\hosting.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\internet radio.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\laptops.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\memory.url
c:\dokumente und einstellungen\michael gromer\favoriten\-computers and internet-\streaming.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\action movies.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\actors.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\actresses.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\backstreet boys.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\celebrity photos.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\comedies.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\entertainment.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\movie reviews.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\mp3.url
c:\dokumente und einstellungen\michael gromer\favoriten\-entertainment-\radio.url
c:\dokumente und einstellungen\michael gromer\favoriten\-games-\computer games.url
c:\dokumente und einstellungen\michael gromer\favoriten\-games-\free online games.url
c:\dokumente und einstellungen\michael gromer\favoriten\-games-\internet games.url
c:\dokumente und einstellungen\michael gromer\favoriten\-games-\playstation.url
c:\dokumente und einstellungen\michael gromer\favoriten\-games-\trivia.url
c:\dokumente und einstellungen\michael gromer\favoriten\-games-\web games.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\baldness.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\cancer.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\contact lenses.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\diet.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\health.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\nutrition.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\stress.url
c:\dokumente und einstellungen\michael gromer\favoriten\-health and fitness-\vitamins.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\backstreet boys.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\internet radio.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\mp3 players.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\mp3.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\nsync.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\opera.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\rock.url
c:\dokumente und einstellungen\michael gromer\favoriten\-music-\web radio.url
c:\dokumente und einstellungen\michael gromer\favoriten\-autos-\auto finance.url
c:\dokumente und einstellungen\michael gromer\favoriten\-autos-\auto leasing.url
c:\dokumente und einstellungen\michael gromer\favoriten\-autos-\car dealers.url
c:\dokumente und einstellungen\michael gromer\favoriten\-autos-\car insurance.url
c:\dokumente und einstellungen\michael gromer\favoriten\-autos-\cars.url


Network Essentials Browser Hijacker more information...
Details: Network Essentials adds hundreds of Internet Explorer favorite site links to the users favorate folder as well as desktop.
Status: Deleted

Infected files detected
c:\dokumente und einstellungen\michael gromer\favoriten\-shopping-\clothing.url
c:\dokumente und einstellungen\michael gromer\favoriten\-shopping-\coupons.url
c:\dokumente und einstellungen\michael gromer\favoriten\-shopping-\electronics.url
c:\dokumente und einstellungen\michael gromer\favoriten\-shopping-\gifts.url
c:\dokumente und einstellungen\michael gromer\favoriten\-shopping-\home.url
c:\dokumente und einstellungen\michael gromer\favoriten\-shopping-\pet supplies.url
c:\dokumente und einstellungen\michael gromer\favoriten\-shopping-\shoes.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\auto racing.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\bodybuilding.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\boxing.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\college basketball.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\fishing.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\nba.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\nfl.url
c:\dokumente und einstellungen\michael gromer\favoriten\-sports-\sports tickets.url
c:\dokumente und einstellungen\michael gromer\favoriten\-travel-\airlines.url
c:\dokumente und einstellungen\michael gromer\favoriten\-travel-\car rentals.url
c:\dokumente und einstellungen\michael gromer\favoriten\-travel-\spas.url
c:\dokumente und einstellungen\michael gromer\favoriten\-travel-\travel agents.url
c:\dokumente und einstellungen\michael gromer\favoriten\-travel-\travel.url
c:\dokumente und einstellungen\michael gromer\favoriten\-autos-\car dealers.url


ICanNews Adware more information...
Details: ICanNews is an adware program that logs keywords typed in web searches and creates shortcuts and displays advertisements.
Status: Deleted

Infected files detected
c:\windows\downloaded program files\activex.ocx


Unclassified.Spyware.Loader Spyware more information...
Details: Spyware.Loader is spyware that is set to automatically start when Windows loads up by hiding itself in a number of different startup locations.
Status: Deleted

Infected files detected
C:\WINDOWS\system32\grwinsthlp.exe


DownloadWare Adware more information...
Details: DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\kfh
HKEY_LOCAL_MACHINE\software\kfh\cl Guid A15954B2AACE4C18A0888820F0DFABA6
HKEY_LOCAL_MACHINE\software\kfh\cl Version 8
HKEY_LOCAL_MACHINE\software\kfh\cl InstallTime 1040930071
HKEY_LOCAL_MACHINE\software\kfh\cl PrevTime 1043099607
HKEY_LOCAL_MACHINE\software\mlh
HKEY_LOCAL_MACHINE\software\mlh Guid 26E0D54433A4ED18DCB787ECDC788C1
HKEY_LOCAL_MACHINE\software\mlh Version 9
HKEY_LOCAL_MACHINE\software\mlh InstallTime 1093682584
HKEY_LOCAL_MACHINE\software\mlh Country DE
HKEY_LOCAL_MACHINE\software\mlh PrevTime 1093682783
HKEY_CURRENT_USER\software\medialoads
HKEY_CURRENT_USER\software\medialoads\Enhanced\Params paramversion 1
HKEY_CURRENT_USER\software\medialoads\Enhanced\Params poprate 7200
HKEY_CURRENT_USER\software\medialoads\Enhanced\Params popdelay 30
HKEY_CURRENT_USER\software\medialoads\Enhanced\Params updateinterval 345600
HKEY_CURRENT_USER\software\medialoads\Enhanced\Params retryrate 86400
HKEY_CURRENT_USER\software\medialoads\Enhanced Guid EBFF7E42F58748A688B4B0EB682F39AF
HKEY_CURRENT_USER\software\medialoads\Enhanced Version 2
HKEY_CURRENT_USER\software\medialoads\Enhanced Register 0
HKEY_CURRENT_USER\software\medialoads\Enhanced PrevTime 1096284715
HKEY_CURRENT_USER\software\medialoads\Enhanced Cookie RF*TR_RF_SPMEDIAPOP|SU*#145:1096194569:1096194569:1095580059|PU*#145-1
:1096194569:1096194569:1095580059|LU*#145-1-46:1096194569:1096194569:1095580059|
AT*A:18742:3:1080839846_A:17697:4:1081026019_A:156
HKEY_CURRENT_USER\software\medialoads\Prefs Filename C:\Programme\MediaLoads\v1\ml.exe
HKEY_CURRENT_USER\software\medialoads\Prefs Guid 2816707BE5EB44EF92DB122072C1B1BA
HKEY_CURRENT_USER\software\medialoads\Prefs UninstallString "C:\Programme\DownloadWare\dw.exe" /R
HKEY_CURRENT_USER\software\medialoads\Prefs DisplayName MediaLoads Installer


AvenueMedia.DyFuCA Browser Plug-in more information...
Details: DyFuCA Internet Optimizer is an adware which also hijacks your browser error page. It opens pop-up windows to display ads from its network sites periodically, also is known to update itself.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer SlowInfoCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Internet Optimizer Changed 0


VLoading Trojan Downloader more information...
Details: Allows automatic download and running of software from the internet. After the control is installed, any web page has the ability to run any executable file on the local machine.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/econnect.dll


eDonkey2000 P2P more information...
Details: eDonkey2000 is a P2P file sharing program that bundles adware/spyware such as Webhancer, Web Search Toolbar and New.Net.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620}\
VersionIndependentProgID eD2KDownloadManager.object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object


iSearch.DesktopSearch Spyware more information...
Details: Removes the users access to use Windows Search and replaces it with C:\WINDOWS\isrvs\desktop.exe.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID {17492023-C23A-453E-A040-C7C580BBF700} 1


Delfin Media Viewer 2.11 Adware more information...
Details: DelFin Media Viewer 2.11 is a program which creates advertisement on user's PC.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DelFin Media Viewer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DelFin Media Viewer SlowInfoCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DelFin Media Viewer Changed 0


Cok.ad.yieldmanager Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@ad.yieldmanager[2].txt


Adviva Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@adviva[2].txt


Cok.PriceBandit Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@apmebf[2].txt


ATDMT.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@atdmt[1].txt


ABetterInternet.Aurora Cookie Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@a[2].txt


CGI-Bin Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@cgi-bin[2].txt


cookie.monster Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@cookie.monster[2].txt


DoubleClick Cookie more information...
Details: DoubleClick is a popular ad serving network that uses spyware cookies, to target advertising.
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@doubleclick[1].txt


as-us.falkag Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@falkag[1].txt


FastClick.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@fastclick[2].txt


HotLog.ru Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@hotlog[1].txt


IndexTools.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@indextools[2].txt


Mediaplex.com Cookie more information...
Details: Cookie used to track cross site advertising with the Mediaplex and value Click advertising companies.
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@mediaplex[1].txt


PacificPoker Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@pacificpoker[1].txt


Revenue.net Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@revenue[2].txt


Radar Spy 1.0 Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@tradedoubler[2].txt


Ajan 1.0 Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@xiti[1].txt


XXXCounter.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\michael gromer\cookies\michael gromer@xxxcounter[1].txt
__________
THX for help ^^

#14 ich weiss nicht, ob du wirklich ALLES removed hast............., scanne noch mal und poste den report
__________
MfG Sabina

rund um die PC-Sicherheit

#15 habe einen 2. suchlauf gemacht und dieser hatte keinen weiteren eintrag gefunden .. habe in meinem eifer leider den report weg gedrückt weil ich .. naja ich konnte den finger nich stillhalten .. soll ich morgen mittag noch einen weiteren suchlauf mit nem programm machen?
__________
THX for help ^^