Winfixer 2005 leftovers

#0
23.01.2007, 19:41
Member

Posts: 19
#1 Hi, I have here once again a machine with conspicuous behaviour.
A whole series of things has already been removed (45 warnings, from trojans to who knows what).
Among them was beegg.dll, which according to the relevant forum reports points to Winfixer 2005, if I'm not mistaken, and which S&D listed as VirtuaMonde.

However, I don't seem to have got rid of everything.
Attached is the HijackThis log; maybe someone still has some wise words.

Quote

Logfile of HijackThis v1.99.1
Scan saved at 19:32:48, on 23.01.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Anwendungen\Brennsoftware\Nero\InCD\InCDsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\msbitsec.exe
C:\WINDOWS\system32\mtserv.exe
C:\WINDOWS\system32\ntfscrypt.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\system32\shell32.exe
C:\WINDOWS\smsc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sysmgr64.exe
C:\WINDOWS\system32\sysdriver.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Meike\Desktop\VundoFix\pruefung.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://einwahl.oleco.de/
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Anwendungen\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\geebb.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NI.UWFX5U_0001_N56M1711] "C:\Dokumente und Einstellungen\Meike\Lokale Einstellungen\Temporary Internet Files\Content.IE5\S1UZS9QJ\WinFixer2005ScannerInstallDE[1].exe" -nag
O4 - HKLM\..\RunServices: [RcNB Test] blda32a.exe
O4 - HKLM\..\RunServices: [RNBvnc Test] deadv32.exe
O4 - HKLM\..\RunServices: [Microsoft SDKb] msnull.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] msngrer.exe
O4 - HKLM\..\RunServices: [Win32] tbkqpqr.exe
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132860669343
O20 - Winlogon Notify: awtsp - C:\WINDOWS\SYSTEM32\awtsp.dll
O20 - Winlogon Notify: geebb - C:\WINDOWS\System32\geebb.dll (file missing)
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Anwendungen\Brennsoftware\Nero\InCD\InCDsrv.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: microsoft update (msnupdate) - Unknown owner - C:\WINDOWS\windupdate.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Microsoft Windows Explorer Shell Subsystem (Shell32Extender) - Unknown owner - C:\WINDOWS\system32\shell32.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe
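As an added illustration (not part of the original post and not code from HijackThis): a small Python triage script that parses HijackThis O-lines like the ones above and flags the loading points a helper would ask about. The sample input is a handful of lines taken from the log above; the rule set and the finding codes are my own.

```python
"""Triage HijackThis v1.99 log lines: parse the O-entries and flag the
loading points worth a second look (orphaned file references, services with
no owner, RunServices autostarts with a bare name, Winlogon Notify DLLs,
system-binary look-alikes outside system32)."""
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Anwendungen\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\geebb.dll (file missing)
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\RunServices: [Microsoft SDKb] msnull.exe
O20 - Winlogon Notify: awtsp - C:\WINDOWS\SYSTEM32\awtsp.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe
"""

# Windows binaries that live in %SystemRoot%\system32 on Windows XP; a service
# pointing at one of these names in any other directory is a look-alike.
SYSTEM32_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                     "svchost.exe", "spoolsv.exe"}
MISSING = "(file missing)"
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    code: str      # short machine-readable reason (codes are my own)
    section: str   # HijackThis section, e.g. "O23"
    line: str      # the log line that triggered the finding


def _parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path ("" if there is none)."""
    return path.lower().rsplit("\\", 1)[0] if "\\" in path else ""


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HijackThis log line (empty if nothing to flag)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []            # header, process list, blank line: not an O-entry
    section, rest = m.groups()
    out: List[Finding] = []

    # A registry loading point whose target file is gone is an orphan left by
    # a partial cleanup; it still needs removing from the registry.
    if rest.endswith(MISSING):
        rest = rest[:-len(MISSING)].strip()
        out.append(Finding("file_missing", section, line))

    # A BHO that registers no name is unusual for legitimate software.
    if section == "O2" and rest.startswith("BHO: (no name)"):
        out.append(Finding("unnamed_bho", section, line))

    # "[name] command": a RunServices autostart naming only an executable,
    # with no directory at all, deserves a look.
    if section == "O4" and "RunServices" in rest and "] " in rest:
        command = rest.split("] ", 1)[1].strip()
        if "\\" not in command:
            out.append(Finding("bare_runservices", section, line))

    # Winlogon Notify DLLs are loaded into winlogon at every logon; verify each one.
    if section == "O20":
        out.append(Finding("winlogon_notify", section, line))

    # "Service: display (name) - owner - path"
    if section == "O23":
        parts = rest.split(" - ")
        path = parts[-1].strip()
        if len(parts) >= 3 and parts[1].strip() == "Unknown owner":
            out.append(Finding("unknown_owner", section, line))
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM32_BINARIES and not _parent_dir(path).endswith("\\system32"):
            out.append(Finding("system_binary_outside_system32", section, line))
    return out


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for line in text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.code:<32} {f.line}")
```

On the sample above the script flags eight entries; the Adobe BHO, the AVGCtrl Run entry and the AntiVir service pass clean.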
24.01.2007, 01:36
Honorary member

Posts: 29434
#2 DesMas

««
set up CleanUp exactly as specified here:
http://virus-protect.org/cleanup.html

««
Copy these 6 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

««
post this log
http://virus-protect.org/artikel/tools/combofix.html

----------------------------------------------------------------

««
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
and double-click it to start.
into: "Enter search strings" (type in or paste in)

sysmgr64

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

microsoft update

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

msnupdate

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

Local Security Authority Subsystem Service

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

Microsoft Windows Explorer Shell Subsystem

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

Shell32Extender

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

System Manager Service

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

into: "Enter search strings" (type in or paste in)

SMSC

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.
__________
Regards, Sabina

all about PC security
24.01.2007, 16:44
Member

Thread starter

Posts: 19
#3 and here we go again:

system32.txt
(somewhat longer, since there are quite a few more suspicious things further down)

Quote

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 601C-D157

Verzeichnis von C:\WINDOWS\system32

24.01.2007 15:59 7.168 rdriv.sys
24.01.2007 15:59 42.777 OODBS.lor
23.01.2007 19:23 3.097 bbeeg.ini
23.01.2007 16:49 2.206 wpa.dbl
07.01.2007 16:40 186.896 ntfscrypt.exe
03.01.2007 17:08 188.928 mtserv.exe
27.11.2006 14:29 87 CPS.ini
31.10.2006 16:57 311.802 perfh009.dat
31.10.2006 16:57 40.190 perfc009.dat
31.10.2006 16:57 48.354 perfc007.dat
31.10.2006 16:57 316.838 perfh007.dat
31.10.2006 16:57 723.744 PerfStringBackup.INI
17.10.2006 19:32 20.480 mstskmgr.exe
01.08.2006 09:46 168.960 sysdriver.exe
27.07.2006 09:57 70 mdsc.ini
13.06.2006 21:40 63.488 TFTP5028
03.06.2006 20:54 77 bios.rom
14.05.2006 11:44 7.888 eraseme_80874.exe
14.05.2006 11:42 71 i
14.05.2006 10:52 734.049 bbeeg.bak2
19.02.2006 19:46 62 mdn.cpp
07.01.2006 19:58 442.284 bbeeg.ini2
07.01.2006 19:40 14.336 eraseme_00578.exe
04.01.2006 18:46 62.381 eraseme_11786.exe
04.01.2006 18:26 62.381 eraseme_15625.exe
31.12.2005 14:59 182.272 shell32.exe
22.12.2005 15:34 62.381 eraseme_38547.exe
22.12.2005 15:16 62.381 eraseme_26550.exe
20.12.2005 20:25 0 eraseme_22861.exe
20.12.2005 20:24 390.376 bbeeg.bak1
20.12.2005 11:18 34.992 eraseme_02446.exe
19.12.2005 18:59 92.672 mswinsdq.exe
19.12.2005 18:33 3.072 TFTP5496
18.12.2005 18:57 0 eraseme_31308.exe
16.12.2005 12:59 238.080 msbitsec.exe
15.12.2005 17:43 0 eraseme_24426.exe
12.12.2005 19:51 28.173 pmkhf.dll
06.12.2005 22:01 28.173 pmkjg.dll
06.12.2005 21:39 19.456 dllsys64.exe
28.11.2005 20:09 45.056 wupsys64.exe
28.11.2005 20:09 26.624 wiaadmgr.exe
24.11.2005 20:37 48.732 eraseme_40347.exe
24.11.2005 20:21 28.173 awtsp.dll
24.11.2005 19:42 407.043 ddaya.dll
24.11.2005 19:39 28.173 geeba.dll
22.11.2005 15:20 28.173 jkkjk.dll
22.11.2005 10:40 5.120 TFTP2140
22.11.2005 10:30 28.173 awtqq.dll
19.11.2005 20:52 83.456 TFTP2500
14.11.2005 17:21 48.732 pnpsp2fix.exe
09.10.2005 12:30 93.696 TFTP2848
02.10.2005 15:57 16.792 system12.exe
15.09.2005 19:42 52.611 updates.pif
14.09.2005 18:09 61.440 eraseme_82478.exe
12.09.2005 17:21 94.208 deadv32.exe
08.09.2005 18:41 66.996 svchostt.exe
08.09.2005 18:39 83 c.bat
08.09.2005 18:39 71 .pif
28.08.2005 18:17 106.512 inetinfos.exe
13.08.2005 11:27 31.744 TFTP3584
13.08.2005 11:26 58 o
13.08.2005 10:56 94.208 dead32a.exe
13.08.2005 10:55 5.840 .exe
13.08.2005 10:19 0 TFTP3236
12.08.2005 11:58 25.065 wmpscheme.xml
04.08.2005 17:54 1.457.496 MRT.exe
19.07.2005 11:38 2.699.264 MSHTML.DLL
systemtemp.txt

Quote

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 601C-D157

Verzeichnis von C:\DOKUME~1\Meike\LOKALE~1\Temp

system.txt

Quote

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 601C-D157

Verzeichnis von C:\WINDOWS

24.01.2007 16:00 2.010.694 WindowsUpdate.log
24.01.2007 16:00 50 wiaservc.log
24.01.2007 15:59 159 wiadebug.log
24.01.2007 15:59 0 0.log
24.01.2007 15:59 2.048 bootstat.dat
23.01.2007 19:49 32.580 SchedLgU.Txt
23.01.2007 19:23 232.946 ntbtlog.txt
23.01.2007 18:00 88.816 setupapi.log
17.01.2007 21:10 42.190 ModemLog_Intel(R) 537EA Modem.txt
17.01.2007 21:01 591 oleco.ini
16.01.2007 17:05 488 win.ini
16.01.2007 17:05 227 system.ini
02.01.2007 19:02 49 NeroDigital.ini
16.12.2006 17:16 583 Ulead32.ini
16.12.2006 17:09 52 pex.INI
08.08.2006 16:31 45.056 NCUNINST.EXE
temp.txt

Quote

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 601C-D157

Verzeichnis von C:\WINDOWS\Temp
down.txt

Quote

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 601C-D157

Verzeichnis von C:\WINDOWS\Downloaded Program Files

26.05.2005 04:19 293 muweb.inf
20.07.2004 21:35 65 desktop.ini
08.12.2003 12:58 3.759 swflash.inf
3 Datei(en) 4.117 Bytes
0 Verzeichnis(se), 14.090.342.400 Bytes frei
sys.txt
(also somewhat longer)

Quote

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 601C-D157

Verzeichnis von C:\

24.01.2007 16:13 0 sys.txt
24.01.2007 16:13 392 down.txt
24.01.2007 16:13 117 tmp.txt
24.01.2007 16:12 7.804 system.txt
24.01.2007 16:12 133 systemtemp.txt
24.01.2007 16:12 98.985 system32.txt
24.01.2007 15:59 301.989.888 pagefile.sys
17.01.2007 21:02 18.441 mstskmgr.exe
16.01.2007 17:05 194 boot.ini
16.08.2006 08:51 59.392 jxyqjg.exe
16.08.2006 08:51 14.336 bqxh.exe
16.08.2006 08:47 75.776 icaaxih.exe
16.08.2006 08:46 372.781 usb07.exe
16.08.2006 08:45 75.776 kmpb.exe
16.08.2006 08:44 19.456 msutil64.exe
16.08.2006 08:43 16.384 blah1.exe
16.08.2006 08:41 0 ospysw.exe
16.08.2006 08:41 0 pfxvrqr.exe
16.08.2006 08:41 0 yiinjnp.exe
16.08.2006 08:41 0 jixu.exe
16.08.2006 08:41 0 wnqnks.exe
16.08.2006 08:41 0 ptyfbpjm.exe
16.08.2006 08:41 0 raiqwt.exe
16.08.2006 08:41 0 tmshl.exe
16.08.2006 08:41 0 ejcakt.exe
16.08.2006 08:41 0 ubbfi.exe
03.03.2006 18:51 54.998 usxzbwx.exe
07.01.2006 19:40 283.800 usbwx.exe
26.12.2005 11:56 31.868 update.exe
26.12.2005 11:48 27.242 usbdr.exe
20.12.2005 20:40 17.476 school.exe
19.12.2005 20:58 283.809 usbw64.exe
30.10.2005 19:18 51.914 sjj.exe
13.10.2005 21:31 16.792 proxi.exe
09.10.2005 12:04 16.792 prox.exe
02.10.2005 16:59 327 asdf.txt
02.10.2005 16:59 65.536 mmxmetal.exe
28.08.2005 18:17 5.894 a.bat
ComboFix.txt

Quote

"Meike" - 07-01-24 16:20:12 Service Pack 1
ComboFix 07-01-24.2 - Running from: "C:\Dokumente und Einstellungen\Meike\Desktop\VundoFix"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.dll
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00004.dll
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00005.dll
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00006.dll
C:\WINDOWS\system32\system12.exe
C:\Programme\Gemeinsame Dateien\download


((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))


2007-01-23 18:58 <DIR> dr-h----- C:\DOKUME~1\ADMINI~1\Anwendungsdaten
2007-01-23 18:58 <DIR> dr------- C:\DOKUME~1\ADMINI~1\Startmen
2007-01-23 18:58 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Vorlagen
2007-01-23 18:58 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Netzwerkumgebung
2007-01-23 18:58 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Lokale Einstellungen
2007-01-23 18:58 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Druckumgebung
2007-01-23 18:58 <DIR> d-------- C:\DOKUME~1\ADMINI~1\Favoriten
2007-01-16 17:11 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\Anwendungsdaten\Spybot - Search & Destroy
2007-01-16 17:03 <DIR> d-------- C:\WINDOWS\pss
2007-01-07 16:38 186,896 --a------ C:\WINDOWS\system32\ntfscrypt.exe
2007-01-03 17:06 188,928 --a------ C:\WINDOWS\system32\mtserv.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-24 16:11 314257 --a------ C:\DOKUME~1\Meike\Anwendungsdaten\cleanup!.log
2007-01-24 15:59 7168 --a------ C:\WINDOWS\system32\rdriv.sys
2007-01-17 21:10 -------- d-------- C:\Programme\oleco
2007-01-17 21:02 18441 --a------ C:\mstskmgr.exe
2007-01-16 17:01 -------- d-------- C:\Programme\avpersonal


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIModeChange"="Ati2mdxx.exe"
"AVGCtrl"="\"C:\\Programme\\AVPersonal\\AVGNT.EXE\" /min"
"NI.UWFX5U_0001_N56M1711"="\"C:\\Dokumente und Einstellungen\\Meike\\Lokale Einstellungen\\Temporary Internet Files\\Content.IE5\\S1UZS9QJ\\WinFixer2005ScannerInstallDE[1].exe\" -nag "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RcNB Test"="blda32a.exe"
"RNBvnc Test"="deadv32.exe"
"Microsoft SDKb"="msnull.exe"
"AdobeReaderPro"="msngrer.exe"
"Win32"="tbkqpqr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\System32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="\"C:\\WINDOWS\\System32\\msiexec.exe\" /L*v C:\\WINDOWS\\TEMP\\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeReaderPro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msngrer"
"hkey"="HKLM"
"command"="msngrer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ashampoo PopUpBlocker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PopUpKiller"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Ashampoo\\ASHAMP~1\\PopUpKiller.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BJPSMAIN"
"hkey"="HKLM"
"command"="C:\\Programme\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fpdisp5a"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fpdisp5a.exe\" /source=HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Anwendungen\\Brennsoftware\\Nero\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcBtnMgr_X84-X85"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ACMonitor_X84-X85"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft SDKb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnull"
"hkey"="HKLM"
"command"="msnull.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows 128bit Subsystem]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="system12"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\system12.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkUFind"
"hkey"="HKLM"
"command"="C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS DLL Library Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dllsys64"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dllsys64.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Task Manager 32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mstskmgr"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\mstskmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Programme\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPP System Update 64]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wupsys64"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\wupsys64.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="printray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RcNB Test]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="blda32a"
"hkey"="HKLM"
"command"="blda32a.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RNBvnc Test]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="deadv32"
"hkey"="HKLM"
"command"="deadv32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Memory Card Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Monitor"
"hkey"="HKLM"
"command"="C:\\Programme\\Ulead Systems\\Ulead Photo Explorer 7.0\\Monitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tbkqpqr"
"hkey"="HKLM"
"command"="tbkqpqr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
"ALUAlert"="C:\\Programme\\Symantec\\LiveUpdate\\ALUNotify.exe"
"RcNB Test"="dead32a.exe"
"RNBvnc Test"="deadv32.exe"
"shell"="\"C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Web Folders\\ibm00003.exe\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
"ALUAlert"="C:\\Programme\\Symantec\\LiveUpdate\\ALUNotify.exe"
"RcNB Test"="dead32a.exe"
"RNBvnc Test"="deadv32.exe"
"shell"="\"C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Web Folders\\ibm00003.exe\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebb

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-24 16:22:46
regsearch

sysmgr64

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64\0000]
"Service"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64\0000]
"DeviceDesc"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64\0000\Control]
"ActiveService"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmgr64]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmgr64]
"DisplayName"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmgr64\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmgr64\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmgr64\Enum]
"0"="Root\\LEGACY_SYSMGR64\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSMGR64]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSMGR64\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSMGR64\0000]
"Service"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSMGR64\0000]
"DeviceDesc"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysmgr64]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysmgr64]
"DisplayName"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysmgr64\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64\0000]
"Service"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64\0000]
"DeviceDesc"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64\0000\Control]
"ActiveService"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64]
"DisplayName"="sysmgr64"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64\Enum]
"0"="Root\\LEGACY_SYSMGR64\\0000"
{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""
microsoft update

Quote

REGEDIT4


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE\0000]
"DeviceDesc"="microsoft update"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnupdate]
"DisplayName"="microsoft update"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSNUPDATE\0000]
"DeviceDesc"="microsoft update"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msnupdate]
"DisplayName"="microsoft update"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE\0000]
"DeviceDesc"="microsoft update"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate]
"DisplayName"="microsoft update"
msnupdate

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE\0000]
"Service"="msnupdate"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE\0000\Control]
"ActiveService"="msnupdate"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnupdate]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnupdate\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnupdate\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnupdate\Enum]
"0"="Root\\LEGACY_MSNUPDATE\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSNUPDATE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSNUPDATE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSNUPDATE\0000]
"Service"="msnupdate"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msnupdate]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msnupdate\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE\0000]
"Service"="msnupdate"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE\0000\Control]
"ActiveService"="msnupdate"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate\Enum]
"0"="Root\\LEGACY_MSNUPDATE\\0000"
Local Security Authority Subsystem Service

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"
Microsoft Windows Explorer Shell Subsystem

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER\0000]
"DeviceDesc"="Microsoft Windows Explorer Shell Subsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shell32Extender]
"DisplayName"="Microsoft Windows Explorer Shell Subsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SHELL32EXTENDER\0000]
"DeviceDesc"="Microsoft Windows Explorer Shell Subsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Shell32Extender]
"DisplayName"="Microsoft Windows Explorer Shell Subsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER\0000]
"DeviceDesc"="Microsoft Windows Explorer Shell Subsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender]
"DisplayName"="Microsoft Windows Explorer Shell Subsystem"
Shell32Extender

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER\0000]
"Service"="Shell32Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER\0000\Control]
"ActiveService"="Shell32Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shell32Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shell32Extender\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shell32Extender\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shell32Extender\Enum]
"0"="Root\\LEGACY_SHELL32EXTENDER\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SHELL32EXTENDER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SHELL32EXTENDER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SHELL32EXTENDER\0000]
"Service"="Shell32Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Shell32Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Shell32Extender\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER\0000]
"Service"="Shell32Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER\0000\Control]
"ActiveService"="Shell32Extender"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender\Enum]
"0"="Root\\LEGACY_SHELL32EXTENDER\\0000"
System Manager Service

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC\0000]
"DeviceDesc"="System Manager Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC]
"DisplayName"="System Manager Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SMSC\0000]
"DeviceDesc"="System Manager Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SMSC]
"DisplayName"="System Manager Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC\0000]
"DeviceDesc"="System Manager Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC]
"DisplayName"="System Manager Service"
SMSC

Quote

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC\0000]
"Service"="SMSC"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC\0000\Control]
"ActiveService"="SMSC"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC\Enum]
"0"="Root\\LEGACY_SMSC\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SMSC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SMSC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SMSC\0000]
"Service"="SMSC"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SMSC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SMSC\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC\0000]
"Service"="SMSC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC\0000\Control]
"ActiveService"="SMSC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC\Enum]
"0"="Root\\LEGACY_SMSC\\0000"
24.01.2007, 17:26
Honorary Member
Sabina

Posts: 29434
#4 DesMas

««
Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the Desktop as fixme.reg using 'Save as'.
Set the file type to 'All files'. You should now find this file on the Desktop.
Double-click the file "fixme.reg" on the Desktop and merge it into the registry with "ja" or "yes".

Quote

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"RcNB Test"=-
"RNBvnc Test"=-
"shell"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"RcNB Test"=-
"RNBvnc Test"=-
"shell"=-

««
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|NI.UWFX5U_0001_N56M1711
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|RcNB Test
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|RNBvnc Test
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|Microsoft SDKb
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|AdobeReaderPro
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|Win32
HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft SDKb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows 128bit Subsystem
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS DLL Library Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Task Manager 32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPP System Update 64
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RcNB Test
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RNBvnc Test
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmgr64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSMGR64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysmgr64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnupdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSNUPDATE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msnupdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSASS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lsass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shell32Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SHELL32EXTENDER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Shell32Extender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SMSC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SMSC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC

Files to delete:
C:\WINDOWS\smsc.exe
C:\WINDOWS\sysmgr64.exe
C:\WINDOWS\windupdate.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\ntfscrypt.exe
C:\WINDOWS\system32\mtserv.exe
C:\WINDOWS\system32\mstskmgr.exe
C:\WINDOWS\system32\sysdriver.exe
C:\WINDOWS\system32\mdsc.ini
C:\WINDOWS\system32\TFTP5028
C:\WINDOWS\system32\eraseme_80874.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\mdn.cpp
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\eraseme_00578.exe
C:\WINDOWS\system32\eraseme_11786.exe
C:\WINDOWS\system32\eraseme_15625.exe
C:\WINDOWS\system32\shell32.exe
C:\WINDOWS\system32\eraseme_38547.exe
C:\WINDOWS\system32\eraseme_26550.exe
C:\WINDOWS\system32\eraseme_22861.exe
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\eraseme_02446.exe
C:\WINDOWS\system32\mswinsdq.exe
C:\WINDOWS\system32\TFTP5496
C:\WINDOWS\system32\eraseme_31308.exe
C:\WINDOWS\system32\msbitsec.exe
C:\WINDOWS\system32\eraseme_24426.exe
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\dllsys64.exe
C:\WINDOWS\system32\wupsys64.exe
C:\WINDOWS\system32\wiaadmgr.exe
C:\WINDOWS\system32\eraseme_40347.exe
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\TFTP2140
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\TFTP2500
C:\WINDOWS\system32\pnpsp2fix.exe
C:\WINDOWS\system32\TFTP2848
C:\WINDOWS\system32\system12.exe
C:\WINDOWS\system32\updates.pif
C:\WINDOWS\system32\eraseme_82478.exe
C:\WINDOWS\system32\deadv32.exe
C:\WINDOWS\system32\svchostt.exe
C:\WINDOWS\system32\c.bat
C:\WINDOWS\system32\.pif
C:\WINDOWS\system32\inetinfos.exe
C:\WINDOWS\system32\TFTP3584
C:\WINDOWS\system32\o
C:\WINDOWS\system32\dead32a.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\TFTP3236
C:\mstskmgr.exe
C:\jxyqjg.exe
C:\bqxh.exe
C:\icaaxih.exe
C:\usb07.exe
C:\kmpb.exe
C:\msutil64.exe
C:\blah1.exe
C:\ospysw.exe
C:\pfxvrqr.exe
C:\yiinjnp.exe
C:\jixu.exe
C:\wnqnks.exe
C:\ptyfbpjm.exe
C:\raiqwt.exe
C:\tmshl.exe
C:\ejcakt.exe
C:\ubbfi.exe
C:\usxzbwx.exe
C:\usbwx.exe
C:\update.exe
C:\usbdr.exe
C:\school.exe
C:\usbw64.exe
C:\sjj.exe
C:\proxi.exe
C:\prox.exe
C:\mmxmetal.exe
C:\a.bat

Folders to delete:
C:\Dokumente und Einstellungen\Meike\Lokale Einstellungen\Temporary Internet Files\Content.IE5\S1UZS9QJ

Click the green traffic light.
The script will now run, then the PC will restart automatically.

**
scan with VundoFix
http://virus-protect.org/artikel/tools/vundofixx.html
---------------------------------------------------------------------

««
ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- unzip it
- double-click the file ServiceFilter.vbs
- confirm the version number
- scan
- allow WordPad or Notepad to open
- copy POST_THIS.TXT

««
post the 6 datfindbat logs again (up to May 2005)
__________
Regards, Sabina

all about PC security
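The Avenger script above applies one fixed pattern to every rogue service that regsearch turned up: delete both Enum\Root\LEGACY_<NAME> and Services\<name> in ControlSet001, ControlSet002 and CurrentControlSet, and delete the service binary. The following Python script is an added example (not code from this thread, from Avenger or from regsearch) that generates exactly that part of an Avenger script from a regsearch REGEDIT4 export. The sample export is constructed in the shape of the dumps posted above; its "ImagePath" values are an assumption, since the posted dumps show only DisplayName, DeviceDesc and Service values.

```python
"""Generate the registry/file deletion sections of an Avenger script
from a regsearch (REGEDIT4) export. Added example, not from the thread."""
import re

# Constructed sample in the shape of the regsearch dumps posted in the thread.
# The ImagePath lines are an assumption: the posted dumps only show
# DisplayName / DeviceDesc / Service values.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC\0000]
"DeviceDesc"="System Manager Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC]
"DisplayName"="System Manager Service"
"ImagePath"="C:\\WINDOWS\\smsc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER\0000]
"DeviceDesc"="Microsoft Windows Explorer Shell Subsystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender]
"DisplayName"="Microsoft Windows Explorer Shell Subsystem"
"ImagePath"="C:\\WINDOWS\\system32\\shell32.exe"
"""

# Matches a key line under any control set and captures the service name,
# either from Enum\Root\LEGACY_<NAME> or from Services\<name>.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\"
    r"(?:Enum\\Root\\LEGACY_(?P<legacy>[^\\\]]+)|Services\\(?P<svc>[^\\\]]+))",
    re.I,
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
CONTROL_SETS = ("ControlSet001", "ControlSet002", "CurrentControlSet")


def parse_export(text):
    """Return (services, image_paths): lower-cased name -> preserved spelling,
    and lower-cased name -> ImagePath. LEGACY_ entries are upper-case in the
    registry, so the Services\\<name> key supplies the canonical spelling."""
    services, image_paths, current = {}, {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            name = m.group("svc") or m.group("legacy")
            current = name.lower()
            if m.group("svc"):
                services[current] = name
            else:
                services.setdefault(current, name)
            continue
        v = VALUE_RE.match(line.strip())
        if v and current and v.group("name").lower() == "imagepath":
            # REGEDIT4 doubles backslashes inside string data; undo that.
            image_paths[current] = v.group("data").replace("\\\\", "\\")
    return services, image_paths


def build_avenger_script(text):
    """Emit the 'registry keys to delete' / 'Files to delete' sections,
    covering all three control sets for every service found."""
    services, image_paths = parse_export(text)
    reg_lines, file_lines = [], []
    for key, name in services.items():
        for cs in CONTROL_SETS:
            reg_lines.append(f"HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Enum\\Root\\LEGACY_{name.upper()}")
            reg_lines.append(f"HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Services\\{name}")
        if key in image_paths:
            file_lines.append(image_paths[key])
    out = ["registry keys to delete:"] + reg_lines
    if file_lines:
        out += ["", "Files to delete:"] + file_lines
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_avenger_script(SAMPLE_EXPORT))
```

Review the generated list before pasting it into Avenger: the script deletes whatever service names the export contains, so an export that also matched a legitimate service (regsearch is a plain substring search) would produce deletion lines for it too.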
25.01.2007, 20:54
Member

Thread starter

Posts: 19
#5 sigh, sometimes I think I should just reinstall people's computers for their carelessness and hand them back locked down so they learn, and charge extra for backing up personal data....

so, here we go:

first the Avenger log, since it contains some error messages

Quote

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vyoeukda

*******************

Script file located at: \??\C:\WINDOWS\ndwqcyqe.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSMGR64 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysmgr64 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSMGR64 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysmgr64 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSMGR64
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr64
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSNUPDATE deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnupdate deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSNUPDATE deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msnupdate deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNUPDATE
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnupdate
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSASS deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lsass deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHELL32EXTENDER deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Shell32Extender deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SHELL32EXTENDER deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Shell32Extender deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHELL32EXTENDER
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shell32Extender
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SMSC deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSC deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SMSC deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SMSC deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SMSC
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSC
Status: 0xc0000034

File C:\WINDOWS\smsc.exe deleted successfully.
File C:\WINDOWS\sysmgr64.exe deleted successfully.
File C:\WINDOWS\windupdate.exe deleted successfully.


File C:\WINDOWS\lsass.exe not found!
Deletion of file C:\WINDOWS\lsass.exe failed!

Could not process line:
C:\WINDOWS\lsass.exe
Status: 0xc0000034

File C:\WINDOWS\system32\rdriv.sys deleted successfully.
File C:\WINDOWS\system32\bbeeg.ini deleted successfully.
File C:\WINDOWS\system32\ntfscrypt.exe deleted successfully.
File C:\WINDOWS\system32\mtserv.exe deleted successfully.
File C:\WINDOWS\system32\mstskmgr.exe deleted successfully.
File C:\WINDOWS\system32\sysdriver.exe deleted successfully.
File C:\WINDOWS\system32\mdsc.ini deleted successfully.
File C:\WINDOWS\system32\TFTP5028 deleted successfully.
File C:\WINDOWS\system32\eraseme_80874.exe deleted successfully.
File C:\WINDOWS\system32\i deleted successfully.
File C:\WINDOWS\system32\bbeeg.bak2 deleted successfully.
File C:\WINDOWS\system32\mdn.cpp deleted successfully.
File C:\WINDOWS\system32\bbeeg.ini2 deleted successfully.
File C:\WINDOWS\system32\eraseme_00578.exe deleted successfully.
File C:\WINDOWS\system32\eraseme_11786.exe deleted successfully.
File C:\WINDOWS\system32\eraseme_15625.exe deleted successfully.
File C:\WINDOWS\system32\shell32.exe deleted successfully.
File C:\WINDOWS\system32\eraseme_38547.exe deleted successfully.
File C:\WINDOWS\system32\eraseme_26550.exe deleted successfully.
File C:\WINDOWS\system32\eraseme_22861.exe deleted successfully.
File C:\WINDOWS\system32\bbeeg.bak1 deleted successfully.
File C:\WINDOWS\system32\eraseme_02446.exe deleted successfully.
File C:\WINDOWS\system32\mswinsdq.exe deleted successfully.
File C:\WINDOWS\system32\TFTP5496 deleted successfully.
File C:\WINDOWS\system32\eraseme_31308.exe deleted successfully.
File C:\WINDOWS\system32\msbitsec.exe deleted successfully.
File C:\WINDOWS\system32\eraseme_24426.exe deleted successfully.
File C:\WINDOWS\system32\pmkhf.dll deleted successfully.
File C:\WINDOWS\system32\pmkjg.dll deleted successfully.
File C:\WINDOWS\system32\dllsys64.exe deleted successfully.
File C:\WINDOWS\system32\wupsys64.exe deleted successfully.
File C:\WINDOWS\system32\wiaadmgr.exe deleted successfully.
File C:\WINDOWS\system32\eraseme_40347.exe deleted successfully.
File C:\WINDOWS\system32\awtsp.dll deleted successfully.
File C:\WINDOWS\system32\ddaya.dll deleted successfully.
File C:\WINDOWS\system32\geeba.dll deleted successfully.
File C:\WINDOWS\system32\jkkjk.dll deleted successfully.
File C:\WINDOWS\system32\TFTP2140 deleted successfully.
File C:\WINDOWS\system32\awtqq.dll deleted successfully.
File C:\WINDOWS\system32\TFTP2500 deleted successfully.
File C:\WINDOWS\system32\pnpsp2fix.exe deleted successfully.
File C:\WINDOWS\system32\TFTP2848 deleted successfully.


File C:\WINDOWS\system32\system12.exe not found!
Deletion of file C:\WINDOWS\system32\system12.exe failed!

Could not process line:
C:\WINDOWS\system32\system12.exe
Status: 0xc0000034

File C:\WINDOWS\system32\updates.pif deleted successfully.
File C:\WINDOWS\system32\eraseme_82478.exe deleted successfully.
File C:\WINDOWS\system32\deadv32.exe deleted successfully.
File C:\WINDOWS\system32\svchostt.exe deleted successfully.
File C:\WINDOWS\system32\c.bat deleted successfully.
File C:\WINDOWS\system32\.pif deleted successfully.
File C:\WINDOWS\system32\inetinfos.exe deleted successfully.
File C:\WINDOWS\system32\TFTP3584 deleted successfully.
File C:\WINDOWS\system32\o deleted successfully.
File C:\WINDOWS\system32\dead32a.exe deleted successfully.


File C:\WINDOWS\system32\.exe not found!
Deletion of file C:\WINDOWS\system32\.exe failed!

Could not process line:
C:\WINDOWS\system32\.exe
Status: 0xc0000034

File C:\WINDOWS\system32\TFTP3236 deleted successfully.
File C:\mstskmgr.exe deleted successfully.
File C:\jxyqjg.exe deleted successfully.
File C:\bqxh.exe deleted successfully.
File C:\icaaxih.exe deleted successfully.
File C:\usb07.exe deleted successfully.
File C:\kmpb.exe deleted successfully.
File C:\msutil64.exe deleted successfully.
File C:\blah1.exe deleted successfully.
File C:\ospysw.exe deleted successfully.
File C:\pfxvrqr.exe deleted successfully.
File C:\yiinjnp.exe deleted successfully.
File C:\jixu.exe deleted successfully.
File C:\wnqnks.exe deleted successfully.
File C:\ptyfbpjm.exe deleted successfully.
File C:\raiqwt.exe deleted successfully.
File C:\tmshl.exe deleted successfully.
File C:\ejcakt.exe deleted successfully.
File C:\ubbfi.exe deleted successfully.
File C:\usxzbwx.exe deleted successfully.
File C:\usbwx.exe deleted successfully.
File C:\update.exe deleted successfully.
File C:\usbdr.exe deleted successfully.
File C:\school.exe deleted successfully.
File C:\usbw64.exe deleted successfully.
File C:\sjj.exe deleted successfully.
File C:\proxi.exe deleted successfully.
File C:\prox.exe deleted successfully.
File C:\mmxmetal.exe deleted successfully.
File C:\a.bat deleted successfully.
Folder C:\Dokumente und Einstellungen\Meike\Lokale Einstellungen\Temporary Internet Files\Content.IE5\S1UZS9QJ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|NI.UWFX5U_0001_N56M1711 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|RcNB Test deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|RNBvnc Test deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|Microsoft SDKb deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|AdobeReaderPro deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices|Win32 deleted successfully.
Registry value HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsp deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebb deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft SDKb deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows 128bit Subsystem deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS DLL Library Manager deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Task Manager 32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPP System Update 64 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RcNB Test deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RNBvnc Test deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32 deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Vundo reported 0, though 2 other programs couldn't find it at the start either, which is why I don't trust it

POST_THIS.TXT

Quote

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Jan 25, 2007 20:42:05


---> Begin Service Listing <---

Unknown Service # 5
Service Name: MBIT
Display Name: Microsoft Background Intelligent Transfer Update Version 2.0
Start Mode: Auto
Start Name: LocalSystem
Description: Transfers data between clients and servers in the background. If BITS is disabled, features such ...
Service Type: Own Process
Path: "c:\windows\system32\msbitsec.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: MTServ
Display Name: Microsoft Translation Service
Start Mode: Auto
Start Name: LocalSystem
Description: This service allows support for non-native language ...
Service Type: Own Process
Path: "c:\windows\system32\mtserv.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: NTFSCrypt
Display Name: NTFS Crypto Technology
Start Mode: Auto
Start Name: LocalSystem
Description: This service allows NTFS devices to use Crypto ...
Service Type: Own Process
Path: "c:\windows\system32\ntfscrypt.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False



Unknown Service # 11
Service Name: systemdriver
Display Name: System Driver Service
Start Mode: Auto
Start Name: LocalSystem
Description: This service is used to load system drivers for a majority of services and programs. If ...
Service Type: Own Process
Path: "c:\windows\system32\sysdriver.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 85 Win32 services on this machine.
11 were unrecognized.

Script Execution Time: 3,046875 seconds.
system32.txt

Quote

Directory of C:\WINDOWS\system32

25.01.2007 20:35 7.168 rdriv.sys
25.01.2007 20:35 43.359 OODBS.lor
25.01.2007 20:30 2.206 wpa.dbl
27.11.2006 14:29 87 CPS.ini
31.10.2006 16:57 40.190 perfc009.dat
31.10.2006 16:57 311.802 perfh009.dat
31.10.2006 16:57 316.838 perfh007.dat
31.10.2006 16:57 48.354 perfc007.dat
31.10.2006 16:57 723.744 PerfStringBackup.INI
03.06.2006 20:54 77 bios.rom
12.08.2005 11:58 25.065 wmpscheme.xml
04.08.2005 17:54 1.457.496 MRT.exe
19.07.2005 11:38 2.699.264 MSHTML.DLL
12.07.2005 18:04 520.456 LegitCheckControl.dll
12.07.2005 18:04 23.304 GWFSPidGen.dll
08.07.2005 17:10 238.592 tapisrv.dll
08.07.2005 17:10 72.704 remotesp.tsp
30.06.2005 03:15 108.544 umpnpmgr.dll
29.06.2005 02:55 68.608 mscms.dll
29.06.2005 02:55 237.056 icm32.dll
17.06.2005 23:25 581.632 WININET.DLL
17.06.2005 23:25 1.017.856 BROWSEUI.DLL
17.06.2005 23:25 1.338.368 SHDOCVW.DLL
15.06.2005 18:51 285.184 kerberos.dll
11.06.2005 03:42 102.400 win32spl.dll
11.06.2005 00:55 53.248 spoolsv.exe
27.05.2005 03:04 143.872 itircl.dll
27.05.2005 03:04 128.000 itss.dll
27.05.2005 03:04 38.912 hhsetup.dll
27.05.2005 03:04 519.168 hhctrl.ocx
system.txt

Quote

Directory of C:\WINDOWS

25.01.2007 20:35 2.014.366 WindowsUpdate.log
25.01.2007 20:35 159 wiadebug.log
25.01.2007 20:35 0 wiaservc.log
25.01.2007 20:35 0 0.log
25.01.2007 20:35 2.048 bootstat.dat
25.01.2007 20:34 32.580 SchedLgU.Txt
23.01.2007 19:23 232.946 ntbtlog.txt
23.01.2007 18:00 88.816 setupapi.log
17.01.2007 21:10 42.190 ModemLog_Intel(R) 537EA Modem.txt
17.01.2007 21:01 591 oleco.ini
16.01.2007 17:05 488 win.ini
16.01.2007 17:05 227 system.ini
02.01.2007 19:02 49 NeroDigital.ini
16.12.2006 17:16 583 Ulead32.ini
16.12.2006 17:09 52 pex.INI
08.08.2006 16:31 45.056 NCUNINST.EXE
14.07.2006 08:29 54.156 QTFont.qfn
06.07.2006 17:23 1.409 QTFont.for
12.03.2006 17:48 30.256 macromix.dll
12.03.2006 17:48 30.544 dirdib.drv
12.03.2006 17:26 0 oleco.tst
02.10.2005 16:59 283 ubber60.ini
15.09.2005 20:55 6.300 svcpack.log
14.09.2005 18:20 217 kodakpcd.Meike.ini
14.09.2005 18:09 61.440 aim.exe
14.09.2005 17:56 40.943 iis6.log
14.09.2005 17:56 97.801 comsetup.log
14.09.2005 17:56 57.367 ntdtcsetup.log
14.09.2005 17:56 102.772 tsoc.log
14.09.2005 17:56 1.374 imsins.log
14.09.2005 17:56 17.224 KB899587.log
14.09.2005 17:56 9.545 ocmsn.log
14.09.2005 17:56 138.986 ocgen.log
14.09.2005 17:56 13.086 msgsocm.log
14.09.2005 17:56 261.913 FaxSetup.log
14.09.2005 17:56 8.144 updspapi.log

25.05.2005 23:44 10.752 hh.exe
tmp.txt

Quote

nothing
down.txt

Quote

Directory of C:\WINDOWS\Downloaded Program Files

26.05.2005 04:19 293 muweb.inf
20.07.2004 21:35 65 desktop.ini
08.12.2003 12:58 3.759 swflash.inf
sys.txt

Quote

Directory of C:\

25.01.2007 20:45 0 sys.txt
25.01.2007 20:44 392 down.txt
25.01.2007 20:44 117 tmp.txt
25.01.2007 20:44 7.656 system.txt
25.01.2007 20:44 133 systemtemp.txt
25.01.2007 20:44 96.339 system32.txt
25.01.2007 20:41 186 VundoFix.txt
25.01.2007 20:35 27.158 avenger.txt
25.01.2007 20:35 301.989.888 pagefile.sys
24.01.2007 16:22 11.264 ComboFix.txt
16.01.2007 17:05 194 boot.ini
02.10.2005 16:59 327 asdf.txt
28.11.2004 18:06 81 log.txt
20.07.2004 21:37 0 AUTOEXEC.BAT
20.07.2004 21:37 0 IO.SYS
20.07.2004 21:37 0 CONFIG.SYS
20.07.2004 21:37 0 MSDOS.SYS
02.04.2003 13:00 4.952 bootfont.bin
02.04.2003 13:00 47.580 NTDETECT.COM
02.04.2003 13:00 235.296 ntldr
This post was edited by DesMas on 26.01.2007 at 16:16.
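Two things in the logs above deserve a closer look than a skim gives them. Every "failed" entry in the Avenger log is a CurrentControlSet key with status 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND); CurrentControlSet is a symbolic link to whichever ControlSet00N is active, so once the ControlSet001 key was deleted the linked key was already gone, and those entries are expected rather than a problem. The genuine warning sign is elsewhere: Avenger reports C:\WINDOWS\system32\rdriv.sys as deleted, yet system32.txt lists rdriv.sys again with a timestamp of 25.01.2007 20:35, the same minute avenger.txt was written, which means something still running re-created it. The Python below is an added example (not from the thread or from Avenger, ServiceFilter or datfind) that automates both checks; the log and listing excerpts are constructed from a handful of lines posted above.

```python
"""Triage an Avenger log against a later datfind directory listing.
Added example, not part of the thread."""
import re
from datetime import datetime

STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034

# Constructed excerpts, trimmed to a few lines from the logs posted above.
AVENGER_LOG = """\
Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\SMSC deleted successfully.
Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SMSC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SMSC failed!

Could not process line:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SMSC
Status: 0xc0000034

File C:\\WINDOWS\\system32\\rdriv.sys deleted successfully.
File C:\\WINDOWS\\lsass.exe not found!
Deletion of file C:\\WINDOWS\\lsass.exe failed!

Could not process line:
C:\\WINDOWS\\lsass.exe
Status: 0xc0000034
"""
# avenger.txt carries this timestamp in the sys.txt listing above.
AVENGER_RUN_TIME = datetime(2007, 1, 25, 20, 35)

SYSTEM32_LISTING = """\
Directory of C:\\WINDOWS\\system32

25.01.2007 20:35 7.168 rdriv.sys
25.01.2007 20:30 2.206 wpa.dbl
27.11.2006 14:29 87 CPS.ini
"""

RESULT_RE = re.compile(
    r"^(?P<kind>Registry key|Registry value|File|Folder) (?P<target>.+?) "
    r"(?P<outcome>deleted successfully|not found)[.!]$")
STATUS_RE = re.compile(r"^Status: 0x(?P<code>[0-9a-fA-F]{8})$")
LISTING_RE = re.compile(
    r"^(?P<d>\d{2}\.\d{2}\.\d{4}) (?P<t>\d{2}:\d{2}) (?P<size>[\d.]+) (?P<name>.+)$")


def parse_avenger(log):
    """Return a list of (kind, target, outcome, ntstatus_or_None) tuples.
    The 'Status:' line that follows a 'not found!' entry is attached to it."""
    results, pending = [], None
    for line in log.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            rec = [m.group("kind"), m.group("target"), m.group("outcome"), None]
            results.append(rec)
            pending = rec if m.group("outcome") == "not found" else None
            continue
        s = STATUS_RE.match(line.strip())
        if s and pending is not None:
            pending[3] = int(s.group("code"), 16)
            pending = None
    return [tuple(r) for r in results]


def expected_miss(rec):
    """True for a CurrentControlSet key missing with STATUS_OBJECT_NAME_NOT_FOUND:
    CurrentControlSet links to a ControlSet00N whose key was already deleted."""
    kind, target, outcome, status = rec
    return (outcome == "not found" and status == STATUS_OBJECT_NAME_NOT_FOUND
            and kind == "Registry key" and "\\CurrentControlSet\\" in target)


def parse_listing(text):
    """Map lower-cased file name -> modification time from a datfind listing."""
    files = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            stamp = f"{m.group('d')} {m.group('t')}"
            files[m.group("name").lower()] = datetime.strptime(stamp, "%d.%m.%Y %H:%M")
    return files


def reappeared(results, listing, run_time):
    """Files Avenger deleted that exist again with an mtime at or after the run:
    the signature of a still-active dropper re-creating its components."""
    back = []
    for kind, target, outcome, _ in results:
        if kind == "File" and outcome == "deleted successfully":
            name = target.rsplit("\\", 1)[-1].lower()
            if name in listing and listing[name] >= run_time:
                back.append(target)
    return back


if __name__ == "__main__":
    res = parse_avenger(AVENGER_LOG)
    real_failures = [r for r in res if r[2] == "not found" and not expected_miss(r)]
    print("real failures:", real_failures)
    print("re-created:", reappeared(res, parse_listing(SYSTEM32_LISTING), AVENGER_RUN_TIME))
```

Run against the full avenger.txt and system32.txt, the only unexpected misses are files that simply were not there (lsass.exe, system12.exe, the bare ".exe"), while rdriv.sys is the one file that came back; that is the cue to move from file deletion to a rootkit scan, which is what the next reply does.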
26.01.2007, 00:18
Honorary Member
Sabina

Posts: 29434
#6 formatting would of course be by far the most sensible thing ;)
http://www.sophos.com/virusinfo/analyses/w32sdbotajs.html

1.
paste into regsearch:

systemdriver

System Driver Service

rdriv

NTFSCrypt

MTServ

Microsoft Translation Service

MBIT

___________________

http://virus-protect.org/artikel/tools/gmer.html
use GMER. Start it and see whether it already reports something. If it does, answer all questions with no, go to the Rootkit tab, again answer the question with "no" and use Copy to paste the report into the thread. If it reports nothing, go to the Rootkit tab and run a scan. When it finishes, choose Copy and paste the report.


------------------------
http://virus-protect.org/artikel/tools/sdfix.html
extract SDFix.zip

the following message appears:

"The SDFix Folder has been extracted to %systemdrive% - Please run from that location.
(%systemdrive% = drive that contains the Windows directory - typically C:\SDFix )"

the SDFix folder is now found under C:\

boot into Safe Mode (press the F8 key while the computer is restarting)

go to the folder C:\SDFix

double-click RunThis.bat

type: Y

follow all instructions while the scan runs - then the computer will restart
copy the text that appears with the right mouse button - and paste it into your post,

-------

on the same page
http://virus-protect.org/artikel/tools/sdfix.html
- in normal mode - download Sophos, scan with option 6 and post the scan report
__________
Kind regards, Sabina

all about PC security
26.01.2007, 18:26
Member

Thread starter

Posts: 19
#7 and there's no end to it ...

regsearch listing

systemdriver

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER\0000]
"Service"="systemdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver\Enum]
"0"="Root\\LEGACY_SYSTEMDRIVER\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER\0000]
"Service"="systemdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\systemdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\systemdriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER\0000]
"Service"="systemdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver\Enum]
"0"="Root\\LEGACY_SYSTEMDRIVER\\0000"

[HKEY_USERS\S-1-5-21-1715567821-1454471165-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\WebView\BarricadedFolders]
"shell:SystemDriveRootFolder"=dword:00000000
System Driver Service

Quote

REGEDIT4


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER\0000]
"DeviceDesc"="System Driver Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver]
"DisplayName"="System Driver Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER\0000]
"DeviceDesc"="System Driver Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\systemdriver]
"DisplayName"="System Driver Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER\0000]
"DeviceDesc"="System Driver Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver]
"DisplayName"="System Driver Service"
rdriv

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Canon\Cnmbj\PrinterDriverInstaller]

[HKEY_LOCAL_MACHINE\SOFTWARE\Canon\Cnmbj\PrinterDriverInstaller\Canon PIXMA iP1500]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon PIXMA iP1500\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\FinePrint\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\FinePrint\PrinterDriverData]
"SPLUserModePrinterDriver"="fpuser5.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Lexmark X84-X85\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Print/Providers/LanMan Print Services/Servers/AddPrinterDrivers]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\LanMan Print Services\servers]
"addprinterdrivers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers\Canon PIXMA iP1500\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers\FinePrint\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers\FinePrint\PrinterDriverData]
"SPLUserModePrinterDriver"="fpuser5.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers\Lexmark X84-X85\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{8B6D7859-A639-4A15-8790-7161976D057A}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{DEB039CC-B704-4F53-B43E-9DD4432FA2E9}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000]
"Service"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000]
"DeviceDesc"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000\Control]
"ActiveService"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i8042prt\Parameters]
"LayerDriver JPN"="kbd101.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i8042prt\Parameters]
"LayerDriver KOR"="kbd101a.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IpFilterDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IpFilterDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mnmdd\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDPCDD\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv]
"DisplayName"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv\Enum]
"0"="Root\\LEGACY_RDRIV\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Providers\LanMan Print Services\servers]
"addprinterdrivers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{8B6D7859-A639-4A15-8790-7161976D057A}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{DEB039CC-B704-4F53-B43E-9DD4432FA2E9}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\i8042prt\Parameters]
"LayerDriver JPN"="kbd101.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\i8042prt\Parameters]
"LayerDriver KOR"="kbd101a.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IpFilterDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IpFilterDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mnmdd\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RDPCDD\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\servers]
"addprinterdrivers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Canon PIXMA iP1500\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\FinePrint\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\FinePrint\PrinterDriverData]
"SPLUserModePrinterDriver"="fpuser5.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Lexmark X84-X85\PrinterDriverData]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{8B6D7859-A639-4A15-8790-7161976D057A}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{DEB039CC-B704-4F53-B43E-9DD4432FA2E9}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000]
"Service"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000]
"DeviceDesc"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000\Control]
"ActiveService"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"LayerDriver JPN"="kbd101.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"LayerDriver KOR"="kbd101a.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmdd\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPCDD\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
"DisplayName"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Enum]
"0"="Root\\LEGACY_RDRIV\\0000"

[HKEY_USERS\S-1-5-21-1715567821-1454471165-725345543-1004\Software\FinePrint Software\FinePrint5\FinePrinters\FinePrint\PrinterDriverData]
NTFSCrypt

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSCRYPT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSCRYPT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSCRYPT\0000]
"Service"="NTFSCrypt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt\Enum]
"0"="Root\\LEGACY_NTFSCRYPT\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSCRYPT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSCRYPT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSCRYPT\0000]
"Service"="NTFSCrypt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTFSCrypt]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTFSCrypt\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSCRYPT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSCRYPT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSCRYPT\0000]
"Service"="NTFSCrypt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt\Enum]
"0"="Root\\LEGACY_NTFSCRYPT\\0000"
MTServ

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV\0000]
"Service"="MTServ"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ\Enum]
"0"="Root\\LEGACY_MTSERV\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV\0000]
"Service"="MTServ"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MTServ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MTServ\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV\0000]
"Service"="MTServ"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ\Enum]
"0"="Root\\LEGACY_MTSERV\\0000"
Microsoft Translation Service

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV\0000]
"DeviceDesc"="Microsoft Translation Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ]
"DisplayName"="Microsoft Translation Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV\0000]
"DeviceDesc"="Microsoft Translation Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MTServ]
"DisplayName"="Microsoft Translation Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV\0000]
"DeviceDesc"="Microsoft Translation Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ]
"DisplayName"="Microsoft Translation Service"
MBIT

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73830352-D722-4179-ADA5-F045C98DF355}]
@="ITfLangBarItemBitmap"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A26A0525-3FAE-4FA0-89EE-88A964F9F1B5}]
@="ITfLangBarItemBitmapButton"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBIT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBIT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBIT\0000]
"Service"="MBIT"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT\Enum]
"0"="Root\\LEGACY_MBIT\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBIT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBIT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBIT\0000]
"Service"="MBIT"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MBIT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MBIT\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBIT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBIT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBIT\0000]
"Service"="MBIT"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT\Enum]
"0"="Root\\LEGACY_MBIT\\0000"
GMER Startlog

Quote

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\aim.exe (*** hidden *** ) 1444

---- EOF - GMER 1.0.12 ----
SDFix Log

Quote

SDFix: Version 1.62

26.01.2007 - 16:40:23,68

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
MTServ
NTFSCrypt
rdriv
systemdriver

Path:
"C:\WINDOWS\system32\mtserv.exe"
"C:\WINDOWS\system32\ntfscrypt.exe"
\??\C:\WINDOWS\system32\rdriv.sys
"C:\WINDOWS\system32\sysdriver.exe"

MTServ Deleted
NTFSCrypt Deleted
rdriv Deleted
systemdriver Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINDOWS\system32\msnsrv.exe - Deleted

Could Not Remove C:\WINDOWS\system32\rdriv.sys!


Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\system12.exe"="C:\\WINDOWS\\System32\\system12.exe:*:Enabled:Microsoft Windows 128bit Subsystem"


Remaining Files:
---------------
C:\WINDOWS\system32\rdriv.sys Found

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\WINDOWS\aim.exe
C:\WINDOWS\system32\blda32a.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\WINDOWS\system32\msnull.exe
C:\WINDOWS\system32\mswinscf.exe
C:\WINDOWS\system32\mswinsdp.exe
C:\WINDOWS\system32\tbkqpqr.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
I'm attaching the Sophos report because of its length.
Excerpts
Sophos successful

Quote

--> Virus 'Troj/Rootkit-W'
--> Virus 'Troj/Ranck-CZ'
--> Virus 'Troj/Ranck-Gen'
--> Virus 'Troj/Ranky-E'
--> Virus 'Troj/Torpig-BD'
--> Virus 'Troj/Dloader-NJ'
--> Virus 'W32/Tilebot-AK'
--> Virus 'Troj/Drsmartl-B'
--> Virus 'Troj/DwnLdr-BON'
--> Virus 'Troj/Torpig-BL'
--> Virus 'W32/Rbot-ARY'
--> Virus 'W32/Rbot-Gen'
--> Virus 'Mal/Packer'
--> Virus 'W32/Rbot-DCA'
--> Virus 'Troj/Torpig-Gen'
--> Virus 'W32/Sdbot-CPJ'
--> Virus Troj/Drsmartl-A'
--> Virus Troj/Drsmartl-B'
bah, I give up.....
Sophos failed

Quote

>>> Virus 'W32/Sdbot-BFX' found in file C:\WINDOWS\aim.exe
Removal failed
>>> Virus 'W32/Rbot-AJF' found in file C:\WINDOWS\system32\blda32a.exe
Removal successful
>>> Virus 'W32/Rbot-BRX' found in file C:\WINDOWS\system32\msnull.exe
Removal successful
>>> Virus 'W32/Rbot-Gen' found in file C:\WINDOWS\system32\mswinscf.exe
Removal successful
>>> Virus 'W32/Rbot-Gen' found in file C:\WINDOWS\system32\mswinsdp.exe
Removal successful
>>> Virus 'Troj/Rootkit-W' found in file C:\WINDOWS\system32\rdriv.sys
Removal failed
no comment :/

26.01.2007, 20:05
Honorary member
Sabina

Posts: 29434
#8
avenger

Quote

Registry values to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|C:\WINDOWS\System32\system12.exe

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\systemdriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSCRYPT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSCRYPT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTFSCrypt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSCRYPT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MTServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBIT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBIT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MBIT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBIT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT

Files to delete:
C:\WINDOWS\aim.exe
C:\WINDOWS\system32\blda32a.exe
C:\WINDOWS\system32\msnull.exe
C:\WINDOWS\system32\mswinscf.exe
C:\WINDOWS\system32\mswinsdp.exe
C:\WINDOWS\system32\tbkqpqr.exe
c:\windows\system32\msbitsec.exe
c:\windows\system32\mtserv.exe
c:\windows\system32\ntfscrypt.exe
c:\windows\system32\sysdriver.exe
c:\windows\system32\rdriv.sys

««
Sophos Anti-Rootkit
http://www.sophos.de/products/free-tools/sophos-anti-rootkit.html

««
AVG Anti-Rootkit 1.0.0.13 Beta
http://www.freewarefiles.com/program_9_90_22524.html

«««
http://virus-protect.org/artikel/tools/gmer.html
Use Gmer. Start it and see whether it already reports something. If it does, please answer all questions with no, go to the Rootkit tab, again answer the question with "no", and paste the report into the thread using Copy. If it reports nothing that way, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report.

»»
then please run through sdfix once more and post the log
__________
Kind regards, Sabina

all about PC security
27.01.2007, 10:28
Member

Thread starter

Posts: 19
#9 avenger LOG

Quote

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lxujyxiv

*******************

Script file located at: \??\C:\WINDOWS\eqrhwhaj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|C:\WINDOWS\System32\system12.exe deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSTEMDRIVER
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemdriver
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSTEMDRIVER
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\systemdriver not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\systemdriver failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\systemdriver
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMDRIVER
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemdriver
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSCRYPT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSCRYPT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSCRYPT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTFSCrypt
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSCRYPT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSCRYPT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSCRYPT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTFSCrypt not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTFSCrypt failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTFSCrypt
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSCRYPT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSCRYPT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSCRYPT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSCrypt
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MTSERV
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MTServ
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MTSERV
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MTServ not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MTServ failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MTServ
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MTSERV
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTServ
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBIT deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBIT deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBIT deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MBIT deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBIT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBIT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBIT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MBIT
Status: 0xc0000034

File C:\WINDOWS\aim.exe deleted successfully.


File C:\WINDOWS\system32\blda32a.exe not found!
Deletion of file C:\WINDOWS\system32\blda32a.exe failed!

Could not process line:
C:\WINDOWS\system32\blda32a.exe
Status: 0xc0000034



File C:\WINDOWS\system32\msnull.exe not found!
Deletion of file C:\WINDOWS\system32\msnull.exe failed!

Could not process line:
C:\WINDOWS\system32\msnull.exe
Status: 0xc0000034



File C:\WINDOWS\system32\mswinscf.exe not found!
Deletion of file C:\WINDOWS\system32\mswinscf.exe failed!

Could not process line:
C:\WINDOWS\system32\mswinscf.exe
Status: 0xc0000034



File C:\WINDOWS\system32\mswinsdp.exe not found!
Deletion of file C:\WINDOWS\system32\mswinsdp.exe failed!

Could not process line:
C:\WINDOWS\system32\mswinsdp.exe
Status: 0xc0000034

File C:\WINDOWS\system32\tbkqpqr.exe deleted successfully.


File c:\windows\system32\msbitsec.exe not found!
Deletion of file c:\windows\system32\msbitsec.exe failed!

Could not process line:
c:\windows\system32\msbitsec.exe
Status: 0xc0000034



File c:\windows\system32\mtserv.exe not found!
Deletion of file c:\windows\system32\mtserv.exe failed!

Could not process line:
c:\windows\system32\mtserv.exe
Status: 0xc0000034



File c:\windows\system32\ntfscrypt.exe not found!
Deletion of file c:\windows\system32\ntfscrypt.exe failed!

Could not process line:
c:\windows\system32\ntfscrypt.exe
Status: 0xc0000034



File c:\windows\system32\sysdriver.exe not found!
Deletion of file c:\windows\system32\sysdriver.exe failed!

Could not process line:
c:\windows\system32\sysdriver.exe
Status: 0xc0000034

File c:\windows\system32\rdriv.sys deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Sophos and AVG reported no findings

Gmer reported no hidden processes

however, some settings still seem to be messed up, or keys are missing from the registry, since e.g. the SP2 firewall cannot be enabled....

EDIT
Firewall with
rundll32 setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf
active again...
This post was edited on 27.01.2007 at 17:43 by DesMas.
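Reading the Avenger log above: each "not found" with Status 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) is typically an item an earlier step (SDFix, Sophos) had already removed, so what matters is the successes and any other status code. As an added example that is not part of the thread or of the Avenger tool, the following Python reconciles a script of the shape in post #8 against a log of the shape in post #9; both inputs are constructed excerpts, and the 0xc0000022 (STATUS_ACCESS_DENIED) entry is invented to show a failure that is not merely "already gone".

```python
"""Reconcile an Avenger script against the log Avenger produced from it.
Added example, not from the thread or the Avenger tool; both inputs below are
constructed excerpts modelled on the script in post #8 and the log in post #9."""
import re
from collections import Counter

# NTSTATUS that Avenger reports for an item that was already gone when it ran.
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034

# Avenger script section header -> kind of item listed beneath it.
SECTION_KINDS = {"registry values to delete:": "value",
                 "registry keys to delete:": "key",
                 "files to delete:": "file"}

SCRIPT = r"""
Registry values to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|C:\WINDOWS\System32\system12.exe
registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv
Files to delete:
C:\WINDOWS\aim.exe
c:\windows\system32\rdriv.sys
c:\windows\system32\mtserv.exe
c:\windows\system32\msbitsec.exe
"""

# The 0xc0000022 (STATUS_ACCESS_DENIED) entry for msbitsec.exe is invented to
# show a failure that is not merely "already gone".
LOG = r"""
Registry value HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|C:\WINDOWS\System32\system12.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv
Status: 0xc0000034
File C:\WINDOWS\aim.exe deleted successfully.
File c:\windows\system32\rdriv.sys deleted successfully.
File c:\windows\system32\mtserv.exe not found!
Deletion of file c:\windows\system32\mtserv.exe failed!
Status: 0xc0000034
Deletion of file c:\windows\system32\msbitsec.exe failed!
Status: 0xc0000022
"""

_DELETED = re.compile(r"^(?:Registry value|Registry key|File) (.+) deleted successfully\.$")
_FAILED = re.compile(r"^Deletion of (?:registry value|registry key|file) (.+) failed!$")
_STATUS = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")


def parse_script(text):
    """Return [(kind, target)] for every actionable line of an Avenger script."""
    items, kind = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.lower() in SECTION_KINDS:
            kind = SECTION_KINDS[line.lower()]
        elif kind is None:
            raise ValueError(f"line outside any section: {line!r}")
        else:
            items.append((kind, line))
    return items


def parse_log(text):
    """Map each lower-cased target to 'deleted', 'not_found' or 'failed:<status>'.
    Avenger prints the failure line first and the NTSTATUS a few lines later,
    so the failed target is remembered until its Status line arrives."""
    outcomes, pending = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _DELETED.match(line):
            outcomes[m.group(1).lower()] = "deleted"
            pending = None
        elif m := _FAILED.match(line):
            pending = m.group(1).lower()
            outcomes[pending] = "failed:unknown"  # refined by the Status line
        elif (m := _STATUS.match(line)) and pending is not None:
            code = int(m.group(1), 16)
            outcomes[pending] = ("not_found" if code == STATUS_OBJECT_NAME_NOT_FOUND
                                 else f"failed:{code:#010x}")
            pending = None
    return outcomes


def reconcile(script_text, log_text):
    """Pair each requested action with its logged outcome. Targets are compared
    case-insensitively, as Windows does; one missing from the log is 'unreported'."""
    outcomes = parse_log(log_text)
    return [{"kind": kind, "target": target,
             "outcome": outcomes.get(target.lower(), "unreported")}
            for kind, target in parse_script(script_text)]


def summarize(rows):
    """Outcome counts; anything beyond deleted/not_found needs a second look."""
    return Counter(row["outcome"] for row in rows)
```

Call `reconcile(SCRIPT, LOG)` for the per-item table and `summarize(...)` on it for the totals; on the constructed input the only entry that deserves follow-up is the access-denied file.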
27.01.2007, 21:54
Honorary member
Sabina

Posts: 29434
#10 RootkitRevealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Post the report, especially what you find under Hidden Files Detector.

«
post the Hijackthis log again + the 6 logs from datfindbat
__________
Kind regards, Sabina

all about PC security
28.01.2007, 10:12
Member

Thread starter

Posts: 19
#11 RootKitReveal

Quote

HKU\.DEFAULT\Control Panel\International 24.01.2007 16:22 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 24.01.2007 16:22 0 bytes Security mismatch.
HKU\S-1-5-21-1715567821-1454471165-725345543-1004\Control Panel\International 24.01.2007 16:22 0 bytes Security mismatch.
HKU\S-1-5-21-1715567821-1454471165-725345543-1004\Control Panel\International\Geo 24.01.2007 16:22 0 bytes Security mismatch.
HKU\S-1-5-21-1715567821-1454471165-725345543-1004\Software\Microsoft\Command Processor 24.01.2007 16:22 0 bytes Security mismatch.
HKU\S-1-5-21-1715567821-1454471165-725345543-1004\Software\Microsoft\Picture It!\9.0\GoToMiniLab 25.05.2006 12:57 3 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-18\Control Panel\International 24.01.2007 16:22 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 24.01.2007 16:22 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 21.07.2004 11:15 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 21.07.2004 11:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 24.01.2007 16:22 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 12.08.2005 13:04 0 bytes Key name contains embedded nulls (*)
DatFind

system32.txt

Quote

Verzeichnis von C:\WINDOWS\system32

28.01.2007 09:34 311.802 perfh009.dat
28.01.2007 09:34 40.190 perfc009.dat
28.01.2007 09:34 316.838 perfh007.dat
28.01.2007 09:34 48.354 perfc007.dat
28.01.2007 09:34 723.744 PerfStringBackup.INI
28.01.2007 09:32 215.264 FNTCACHE.DAT
28.01.2007 09:32 49.179 OODBS.lor
27.01.2007 21:25 2.206 wpa.dbl
27.01.2007 11:55 57.048 GDIPFONTCACHEV1.DAT
27.01.2007 11:53 255 spupdwxp.log
07.12.2006 17:02 2.174.976 wmvcore.dll
27.11.2006 14:29 87 CPS.ini
08.11.2006 06:06 679.424 inetcomm.dll
07.11.2006 21:24 1.040.384 ieframe.dll.mui
07.11.2006 21:23 12.288 advpack.dll.mui
07.11.2006 21:03 156.160 msls31.dll
07.11.2006 21:03 180.736 ieui.dll
07.11.2006 21:03 670.720 mstime.dll
07.11.2006 21:03 458.752 msfeeds.dll
07.11.2006 21:03 50.688 msfeedsbs.dll
07.11.2006 21:03 1.162.240 urlmon.dll
07.11.2006 21:03 413.696 vbscript.dll
07.11.2006 21:03 475.648 mshtmled.dll
07.11.2006 21:03 191.488 iepeers.dll
07.11.2006 21:03 131.584 extmgr.dll
07.11.2006 21:03 3.577.856 mshtml.dll
07.11.2006 21:03 27.136 jsproxy.dll
07.11.2006 21:03 231.424 webcheck.dll
07.11.2006 21:03 818.688 wininet.dll
07.11.2006 21:03 6.049.280 ieframe.dll
07.11.2006 03:27 382.976 iedkcs32.dll
07.11.2006 03:27 229.376 ieaksie.dll
07.11.2006 03:26 152.064 ieakeng.dll
07.11.2006 03:26 71.680 admparse.dll
07.11.2006 03:26 55.296 iesetup.dll
07.11.2006 03:26 13.312 ieudinit.exe
07.11.2006 03:26 54.784 ie4uinit.exe
07.11.2006 03:26 43.008 iernonce.dll
07.11.2006 03:26 123.904 advpack.dll
07.11.2006 03:26 92.672 inseng.dll
07.11.2006 03:25 161.792 ieakui.dll
07.11.2006 03:24 56.483 ieuinit.inf
23.10.2006 16:17 1.494.528 shdocvw.dll
23.10.2006 16:17 474.624 shlwapi.dll
23.10.2006 16:17 1.056.256 danim.dll
23.10.2006 16:17 152.064 cdfview.dll
23.10.2006 16:17 1.022.976 browseui.dll
23.10.2006 03:42 123.392 xpsp3res.dll
20.10.2006 02:38 715.776 sxs.dll
17.10.2006 12:06 443.904 html.iec
17.10.2006 12:06 78.336 ieencode.dll
17.10.2006 12:05 206.336 WinFXDocObj.exe
17.10.2006 12:05 1.817.088 inetcpl.cpl
17.10.2006 12:05 105.984 url.dll
17.10.2006 12:05 40.960 licmgr10.dll
17.10.2006 12:05 192.000 msrating.dll
17.10.2006 12:04 101.376 occache.dll
17.10.2006 12:03 17.408 corpol.dll
17.10.2006 12:00 491.520 jscript.dll
17.10.2006 11:58 12.288 msfeedssync.exe
17.10.2006 11:58 61.952 icardie.dll
17.10.2006 11:58 44.544 pngfilt.dll
17.10.2006 11:58 346.624 dxtmsft.dll
17.10.2006 11:57 36.352 imgutil.dll
17.10.2006 11:57 214.528 dxtrans.dll
17.10.2006 11:57 266.752 iertutil.dll
17.10.2006 11:56 45.568 mshta.exe
17.10.2006 11:55 66.560 tdc.ocx
17.10.2006 11:28 48.128 mshtmler.dll
17.10.2006 11:27 380.928 ieapfltr.dll
17.10.2006 11:19 1.383.424 mshtml.tlb
13.10.2006 13:35 146.432 nwprovau.dll
23.09.2006 12:12 82.428 IE7Eula.rtf
13.09.2006 06:02 1.084.416 msxml3.dll
07.09.2006 12:54 57.384 avsda.dll
06.09.2006 16:42 22.752 spupdsvc.exe
05.09.2006 23:01 2.451.824 ieapfltr.dat
01.09.2006 07:44 8.798 icrav03.rat
01.09.2006 07:44 1.988 ticrf.rat
25.08.2006 16:46 617.472 comctl32.dll
21.08.2006 13:26 16.896 fltlib.dll
21.08.2006 10:14 23.040 fltmc.exe
17.08.2006 13:28 132.096 wkssvc.dll
17.08.2006 13:28 729.600 lsasrv.dll
17.08.2006 13:28 332.288 netapi32.dll
16.08.2006 12:58 100.352 6to4svc.dll
21.07.2006 09:29 72.704 hlink.dll
14.07.2006 16:51 121.856 xmllite.dll
14.07.2006 16:25 546.304 hhctrl.ocx
13.07.2006 14:34 8.494.592 shell32.dll
05.07.2006 11:55 1.057.792 kernel32.dll
29.06.2006 08:05 26.112 idndl.dll
29.06.2006 08:05 23.552 normaliz.dll
28.06.2006 17:59 24.576 nlsdl.dll
26.06.2006 18:40 8.192 rasadhlp.dll
26.06.2006 18:40 148.480 dnsapi.dll
22.06.2006 06:06 1.441.792 query.dll
22.06.2006 06:06 69.120 ciodm.dll
08.06.2006 12:06 59.342 normidna.nls
08.06.2006 12:06 60.294 normnfkd.nls
08.06.2006 12:06 45.794 normnfc.nls
08.06.2006 12:06 66.384 normnfkc.nls
08.06.2006 12:06 39.284 normnfd.nls
03.06.2006 20:54 77 bios.rom
01.06.2006 19:47 163.840 jgdw400.dll
01.06.2006 19:47 27.648 jgpl400.dll
19.05.2006 14:09 95.744 iphlpapi.dll
19.05.2006 14:09 112.128 dhcpcsvc.dll
17.05.2006 11:23 579.888 LegitCheckControl.dll
14.05.2006 09:48 181.248 rasmans.dll
systemtemp

Quote

Verzeichnis von C:\DOKUME~1\Meike\LOKALE~1\Temp

27.01.2007 21:07 87 olecobn.tmp
27.01.2007 21:07 1.358 olecocf.tmp
27.01.2007 21:07 145.892 olecopo.tmp
27.01.2007 19:28 5.896 trash.htm
27.01.2007 09:52 156 sarscan.log
26.01.2007 16:20 385 sOutTmp16209.tmp
30.01.2004 09:50 46.292 NuNInst.cfg
11.12.2003 13:34 1.318.912 NuNInst.exe
04.09.2001 22:03 168.448 set7.tmp
05.10.2000 18:05 165.888 SET6.tmp
system

Quote

Verzeichnis von C:\WINDOWS

28.01.2007 09:39 1.582.282 WindowsUpdate.log
28.01.2007 09:33 159 wiadebug.log
28.01.2007 09:33 50 wiaservc.log
28.01.2007 09:32 0 0.log
28.01.2007 09:32 2.048 bootstat.dat
27.01.2007 22:47 32.612 SchedLgU.Txt
27.01.2007 22:47 52.212 ModemLog_Intel(R) 537EA Modem.txt
27.01.2007 22:39 118.736 iis6.log
27.01.2007 22:39 218.886 comsetup.log
27.01.2007 22:39 131.770 ntdtcsetup.log
27.01.2007 22:39 293.090 tsoc.log
27.01.2007 22:39 29.924 ocmsn.log
27.01.2007 22:39 1.374 imsins.log
27.01.2007 22:39 22.978 KB922819.log
27.01.2007 22:39 380.725 ocgen.log
27.01.2007 22:39 37.903 msgsocm.log
27.01.2007 22:39 755.200 FaxSetup.log
27.01.2007 22:39 341.627 setupapi.log
27.01.2007 22:39 50.822 updspapi.log
27.01.2007 22:39 1.374 imsins.BAK
27.01.2007 22:39 22.158 KB924191.log
27.01.2007 22:39 19.349 KB923191.log
27.01.2007 22:39 21.297 KB923414.log
27.01.2007 22:38 22.902 KB920872.log
27.01.2007 22:38 21.157 KB920685.log
27.01.2007 22:38 21.305 KB919007.log
27.01.2007 22:38 21.119 KB916595.log
27.01.2007 22:38 15.970 KB922582.log
27.01.2007 22:38 20.261 KB922616.log
27.01.2007 22:37 19.332 KB920670.log
27.01.2007 22:37 20.156 KB913580.log
27.01.2007 22:37 20.599 KB914389.log
27.01.2007 22:37 19.115 KB908531.log
27.01.2007 22:37 20.735 KB900485.log
27.01.2007 22:36 19.864 KB911562.log
27.01.2007 22:36 19.182 KB911927.log
27.01.2007 22:36 18.159 KB904706.log
27.01.2007 22:36 14.401 KB910437.log
27.01.2007 22:36 35.128 KB896424.log
27.01.2007 22:36 22.360 KB902400.log
27.01.2007 22:35 14.799 KB894391.log
27.01.2007 22:35 7.303 KB886185.log
27.01.2007 21:19 6.780 WGA.log
27.01.2007 21:06 34.992 spupdsvc.log
27.01.2007 21:03 18.611 ie7_main.log
27.01.2007 21:03 45.122 ie7.log
27.01.2007 21:02 25.760 wmsetup.log
27.01.2007 20:58 6.340 IDNMitigationAPIs.log
27.01.2007 20:58 6.060 NLSDownlevelMapping.log
27.01.2007 20:57 5.315 KB915865.log
27.01.2007 18:28 0 nsreg.dat
27.01.2007 18:24 6.386 KB912919.log
27.01.2007 18:23 5.433 KB908519.log
27.01.2007 18:17 17.863 KB926255.log
27.01.2007 18:16 1.147 KB926247.log
27.01.2007 18:16 24.822 KB925454.log
27.01.2007 18:15 17.872 KB923694.log
27.01.2007 18:15 20.245 KB923689.log
27.01.2007 18:12 35.993 KB920213.log
27.01.2007 18:11 24.446 KB922760.log
27.01.2007 18:09 18.071 KB924270.log
27.01.2007 18:09 16.798 KB923980.log
27.01.2007 18:07 15.616 KB921883.log
27.01.2007 18:07 15.704 KB921398.log
27.01.2007 18:06 15.623 KB920683.log
27.01.2007 18:05 14.106 KB920214.log
27.01.2007 18:05 18.378 KB918899.log
27.01.2007 18:04 11.198 KB917422.log
27.01.2007 18:03 10.926 KB917159.log
27.01.2007 18:03 11.220 KB914388.log
27.01.2007 18:01 9.416 KB918439.log
27.01.2007 18:01 9.520 KB917953.log
27.01.2007 18:00 9.408 KB917344.log
27.01.2007 18:00 9.670 KB911280.log
27.01.2007 17:58 9.183 KB905749.log
27.01.2007 17:58 8.861 KB905414.log
27.01.2007 17:57 7.809 KB901017.log
27.01.2007 17:57 8.845 KB900725.log
27.01.2007 17:56 5.855 KB899589.log
27.01.2007 17:56 214.368 KB890046.log
27.01.2007 17:56 649 KB826942.log
27.01.2007 17:54 204.961 KB896428.log
27.01.2007 17:54 216.352 KB893066.log
27.01.2007 17:54 771 KB890923-IE6SP1-20050225.103456.log
27.01.2007 17:54 10.689 KB891711.log
27.01.2007 17:53 210.125 KB891781.log
27.01.2007 17:53 10.824 KB890175.log
27.01.2007 17:52 205.378 KB890047.log
27.01.2007 17:52 199.340 KB888302.log
27.01.2007 17:52 212.790 KB888113.log
27.01.2007 17:51 212.061 KB885836.log
27.01.2007 17:51 220.035 KB885835.log
27.01.2007 17:51 215.413 KB885250.log
27.01.2007 17:50 19.028 KB873376.log
27.01.2007 17:50 211.888 KB873339.log
27.01.2007 17:50 209.190 KB873333.log
27.01.2007 17:49 10.051 KB871250.log
27.01.2007 17:49 14.621 KB841533.log
27.01.2007 17:49 21.054 KB841356.log
27.01.2007 17:49 26.888 KB840987.log
27.01.2007 12:10 20.715 KB890859.log
27.01.2007 11:56 1.519 OEWABLog.txt
27.01.2007 11:55 725.252 setuplog.txt
27.01.2007 11:54 360 DtcInstall.log
27.01.2007 11:54 316.640 WMSysPr9.prx
27.01.2007 11:50 427.581 svcpack.log
27.01.2007 11:41 201.303 KB901214.log
27.01.2007 11:40 213.064 KB899591.log
27.01.2007 11:39 201.364 KB899588.log
27.01.2007 11:38 202.526 KB899587.log
27.01.2007 11:36 201.515 KB896423.log
27.01.2007 11:35 207.301 KB896422.log
27.01.2007 11:34 205.050 KB896358.log
27.01.2007 11:32 202.742 KB893756.log
27.01.2007 11:31 203.353 KB893086.log
27.01.2007 11:13 200 cmsetacl.log
27.01.2007 11:12 503 win.ini
27.01.2007 11:12 1.330 sessmgr.setup.log
27.01.2007 10:54 573 medctroc.Log
27.01.2007 10:16 250 gmer.ini
26.01.2007 16:40 357.888 ntbtlog.txt
26.01.2007 16:24 80 gmer_uninstall.cmd
26.01.2007 16:24 565.311 gmer.dll
16.01.2007 17:05 227 system.ini
02.01.2007 19:02 49 NeroDigital.ini
16.12.2006 17:16 583 Ulead32.ini
16.12.2006 17:09 52 pex.INI
28.11.2006 15:23 573.440 gmer.exe
08.08.2006 16:31 45.056 NCUNINST.EXE
14.07.2006 08:29 54.156 QTFont.qfn
06.07.2006 17:23 1.409 QTFont.for
12.03.2006 17:48 30.256 macromix.dll
12.03.2006 17:48 30.544 dirdib.drv
02.10.2005 16:59 283 ubber60.ini
14.09.2005 18:20 217 kodakpcd.Meike.ini
14.09.2005 17:51 7.306 KB896727-IE6SP1-20050719.165959.log
08.09.2005 18:41 10.305 KB828741.log
08.09.2005 18:40 3.804 xpsp1hfm.log
08.09.2005 18:38 14.005 KB835732.log
08.09.2005 18:36 18.307 KB896426.log
12.08.2005 13:02 109 oodcnt.INI
12.08.2005 12:05 9.228 KB893803v2.log
12.08.2005 12:03 7.926 KB898461.log
12.08.2005 11:58 181.279 setupact.log
27.05.2005 00:22 10.752 hh.exe
down

Quote

Verzeichnis von C:\WINDOWS\Downloaded Program Files

26.05.2005 04:19 293 muweb.inf
20.07.2004 21:35 65 desktop.ini
08.12.2003 12:58 3.759 swflash.inf
temp

Quote

empty
sys

Quote

Verzeichnis von C:\

28.01.2007 10:05 0 sys.txt
28.01.2007 10:04 392 down.txt
28.01.2007 10:04 117 tmp.txt
28.01.2007 10:04 10.893 system.txt
28.01.2007 10:04 730 systemtemp.txt
28.01.2007 10:03 100.707 system32.txt
28.01.2007 09:32 301.989.888 pagefile.sys
27.01.2007 11:12 211 boot.ini
27.01.2007 11:01 47.564 NTDETECT.COM
27.01.2007 11:01 251.184 ntldr
27.01.2007 09:47 20.502 avenger.txt
25.01.2007 20:41 186 VundoFix.txt
24.01.2007 16:22 11.264 ComboFix.txt
02.10.2005 16:59 327 asdf.txt
28.11.2004 18:06 81 log.txt
20.07.2004 21:37 0 CONFIG.SYS
20.07.2004 21:37 0 MSDOS.SYS
20.07.2004 21:37 0 AUTOEXEC.BAT
20.07.2004 21:37 0 IO.SYS
02.04.2003 13:00 4.952 bootfont.bin
hijackthis.log

Quote

Logfile of HijackThis v1.99.1
Scan saved at 10:07:31, on 28.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\Meike\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://einwahl.oleco.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Anwendungen\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132860669343
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe

28.01.2007, 15:47
Honorary member
Sabina

Posts: 29434
#12 copy into regsearch:

AOL Instant Messanger


-----------------------------------------------------------------------
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
__________
Regards, Sabina

all about PC security
29.01.2007, 17:21
Member

Thread starter

Posts: 19
#13 AOL Instant Messanger

Quote

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AIM\0000]
"DeviceDesc"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AIM]
"DisplayName"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AIM]
"Description"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_AIM\0000]
"DeviceDesc"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AIM]
"DisplayName"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AIM]
"Description"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM\0000]
"DeviceDesc"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM]
"DisplayName"="AOL Instant Messanger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM]
"Description"="AOL Instant Messanger"
30.01.2007, 00:55
Honorary member
Sabina

Posts: 29434
#14 Avenger

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AIM\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AIM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AIM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_AIM\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_AIM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AIM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM

Files to delete:
C:\WINDOWS\aim.exe

temporarily uninstall the antivirus scanner (AVPersonal) + Symantec and download
Kaspersky Anti-Virus 6.0
http://virus-protect.org/antivirenfree.html

scan, in safe mode of course, + report

then, since that scanner is only a trial, download the following, but uninstall Kaspersky again first.
http://virus-protect.org/antivirus.html
__________
Regards, Sabina

all about PC security
30.01.2007, 18:22
Member

Thread starter

Posts: 19
#15 avenger log

Quote

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hwmxovkt

*******************

Script file located at: \??\C:\WINDOWS\qtvdedcv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AIM\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AIM deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AIM deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_AIM\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_AIM deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AIM deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AIM
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM
Status: 0xc0000034



File C:\WINDOWS\aim.exe not found!
Deletion of file C:\WINDOWS\aim.exe failed!

Could not process line:
C:\WINDOWS\aim.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
Kaspersky found 0
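As an added example (not from this thread or from The Avenger's author), a Python parser for the log format quoted above: it separates confirmed deletions from "not found" failures, whose NTSTATUS 0xc0000034 only says the target was already gone when the script ran, as with the LEGACY_AIM keys here. The sample log is constructed from the line shapes in this thread, and the assumption is that the tool always emits exactly those shapes.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the line format of the Avenger logs quoted in this
# thread (assumption: the tool always emits exactly these line shapes).
SAMPLE_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AIM deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AIM
Status: 0xc0000034

File C:\WINDOWS\system32\tbkqpqr.exe deleted successfully.

File C:\WINDOWS\aim.exe not found!
Deletion of file C:\WINDOWS\aim.exe failed!

Could not process line:
C:\WINDOWS\aim.exe
Status: 0xc0000034
"""

# NTSTATUS 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the target was already gone
# when the script ran, so such a "failure" does not mean the malware survived.
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034

OK_RE = re.compile(r"^(File|Registry key) (.+) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of (file|registry key) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")

@dataclass
class Outcome:
    kind: str        # "file" or "registry key"
    target: str      # path or key exactly as logged
    deleted: bool
    status: int = 0  # NTSTATUS of a failed deletion, 0 if none was logged

def parse_avenger_log(text: str) -> list:
    """One Outcome per deletion attempt; a Status line is attached to the preceding failure."""
    outcomes, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := OK_RE.match(line):
            outcomes.append(Outcome(m.group(1).lower(), m.group(2), True))
        elif m := FAIL_RE.match(line):
            pending = Outcome(m.group(1), m.group(2), False)
            outcomes.append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return outcomes

def summarize(outcomes: list) -> dict:
    """Split confirmed removals from targets that no longer existed and from real failures."""
    summary = {"deleted": [], "already_absent": [], "other_failure": []}
    for o in outcomes:
        if o.deleted:
            summary["deleted"].append(o.target)
        elif o.status == STATUS_OBJECT_NAME_NOT_FOUND:
            summary["already_absent"].append(o.target)
        else:
            summary["other_failure"].append(o.target)
    return summary

if __name__ == "__main__":
    print(summarize(parse_avenger_log(SAMPLE_LOG)))
```

Anything that lands in `other_failure` (for example an access-denied status) is what deserves a second look; the `already_absent` entries only confirm an earlier pass had already removed the object.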