TR/DLdr.Swizzor.Gen! How do I get rid of it?

13.04.2008, 11:08
...new here

Posts: 8
#1 I've been getting the message from AntiVir all day that I have this trojan.... Now I don't know how to get rid of it again...

I've also already fetched the log data from HijackThis....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:29, on 13.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
H:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
H:\Programme\Sidebar\Thoosje Vista Sidebar.exe
H:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\Gemeinsame Dateien\Sonic Shared\cinetray.exe
H:\Programme\FRITZ!DSL\FwebProt.exe
H:\Programme\FRITZ!DSL\StCenter.exe
H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe
H:\Programme\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
H:\Programme\Vista Inspirat 2\YzShadow\YzShadow.exe
H:\Programme\AntiVir PersonalEdition Classic\sched.exe
H:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
H:\Programme\Firefox\firefox.exe
H:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epowars.de/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - H:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adssite Search Assistant - {1648E328-3E5A-4EA5-A9C6-E5F09EE272DA} - C:\WINDOWS\system32\adssite_sidebar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: rightonadz browser optimizer - {971C3384-F75E-4562-95B3-CBE7417529BC} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: MySidesearch Search Assistant - {DDFA1356-E6ED-42a5-9D62-93211D424A90} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - H:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "H:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Thoosje Vista Sidebar] H:\Programme\Sidebar\Thoosje Vista Sidebar.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FRITZ!DSL Protect.lnk = H:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Startup: FRITZ!DSL Startcenter.lnk = H:\Programme\FRITZ!DSL\StCenter.exe
O4 - Startup: RocketDock.lnk = H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = H:\Programme\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = H:\Programme\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = H:\Programme\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://H:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD89D1E5-D2D2-4AAA-8750-9C1CFE79312D}: NameServer = 192.168.2.1
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - H:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - H:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - H:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe

--
End of file - 7400 bytes

please help...
thanks^^
13.04.2008, 11:41
Honorary member
Argus

Posts: 6028
#2 RVAXO

http://virus-protect.org/artikel/tools/rvaxo.html
RVAXO by Smeenk, unpack RVAXO.zip to the desktop
Start your computer in Safe Mode

Open the RVAXO folder and double-click "RunMe.cmd"
The uninstaller of a rogue scanner may start; don't close it, let it do its work
Your computer will be restarted and the RVAXO cmd window opens again
Wait until a log file opens: C:\RVAXO-results.log
Post its contents here in the forum
If your computer doesn't restart, do it manually, and likewise run RunMe.cmd again

And a log from HijackThis
__________
Regards, Argus
13.04.2008, 12:17
...new here

Posts: 3
#3 Hi, I also have the trojan TR/DLdr.Swizzor.Gen and by now I'm thoroughly annoyed by the constant warnings from AntiVir.
Please help me...
thanks in advance
Melle21
13.04.2008, 12:21
Honorary member
Argus

Posts: 6028
#4 @Melle21

http://virus-protect.org/hjtkurz.html
Download: Trend Micro HijackThis™
Double-click HJTInstall.exe and install the tool to C:\Programme\Trend Micro\Hijack This
When it finishes there is a shortcut on your desktop

Start HijackThis and click "Do a system scan and save a logfile"
Save log --> hijackthis.log - Save - the editor opens
now copy the COMPLETE log with a right-click and "paste" it into the forum with a right-click
__________
Regards, Argus
13.04.2008, 12:33
...new here

Posts: 3
#5 That was quick.... Step 1 done ;-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:05, on 13.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Lappy\AppData\Local\njzsadlaq.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iesearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [TQ566808] "D:\Setup.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [njzsadlaq] c:\users\lappy\appdata\local\njzsadlaq.exe njzsadlaq
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 5948 bytes
13.04.2008, 12:39
Honorary member
Sabina

Posts: 29434
#6 Hello,

run CCleaner (don't tick the cookies)
http://www.ccleaner.de/?protecus.de

run Combofix, click the warning away + post the report
http://virus-protect.org/artikel/tools/combofix.html
__________
Regards, Sabina

all about PC security
13.04.2008, 12:46
Honorary member
Argus

Posts: 6028
#7 @Melle21

Close all windows and start HijackThis
Click: Do a system scan only
Tick the checkbox in front of the following entry

O4 - HKCU\..\Run: [njzsadlaq] c:\users\lappy\appdata\local\njzsadlaq.exe njzsadlaq

click: Fix checked
Your Internet Explorer must be closed when you click Fix checked

Post a log from ComboFix
http://virus-protect.org/artikel/tools/combofix.html
__________
Regards, Argus
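As an added example (not code from the thread, from HijackThis or from the helpers here), a small Python triage script that parses the O4 Run lines of a HijackThis log and flags entries with the traits of the one Argus had fixed: an executable in the user profile under a random-looking name that is passed its own name as argument. The sample lines are constructed after the second log in the thread; the heuristics and thresholds are assumptions, and the output is a review list, not a verdict.

```python
"""Triage the O4 registry Run entries of a HijackThis log.

Added example for this thread; it is not code from the thread or from HijackThis.
It lists autostart entries that share the traits of the fixed njzsadlaq entry:
an executable in a user-writable profile directory, a random-looking image name,
and an argument that merely repeats the entry name. Output is a review list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the second HijackThis log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [TQ566808] "D:\Setup.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [njzsadlaq] c:\users\lappy\appdata\local\njzsadlaq.exe njzsadlaq
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: RocketDock.lnk = H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command>"; per-user HKUS\S-1-5-xx hives match as well.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK[^\[]*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Image path = first token ending in an executable extension; unquoted paths may contain spaces.
IMAGE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|cpl|scr|bat|cmd))"?(?:\s+(?P<args>.*))?$', re.I)
# Directories a standard user can write to (assumed list); installed software rarely starts here.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\desktop\\", "\\downloads\\")
VOWELS = set("aeiouy")


@dataclass
class RunEntry:
    hive: str
    name: str
    image: str
    args: str
    reasons: list[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Lowercase letter soup with a run of 4+ consonants: 'njzsadlaq' yes, 'msconfig' no."""
    if not (stem.isalpha() and stem.islower() and len(stem) >= 8):
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def parse_run_entries(log_text: str) -> list[RunEntry]:
    """Extract the O4 Run lines; other HijackThis sections (R0, O2, O4 Startup) are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        img = IMAGE.match(m["cmd"].strip())
        image = img["path"] if img else m["cmd"].strip()
        args = (img["args"] or "") if img else ""
        entries.append(RunEntry(m["hive"], m["name"], image, args))
    return entries


def assess(entry: RunEntry) -> RunEntry:
    """Attach human-readable reasons for review; an empty list means nothing stood out."""
    path = entry.image.lower()
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # file name without extension
    if any(marker in path for marker in USER_WRITABLE):
        entry.reasons.append("image lives in a user-writable profile directory")
    if looks_random(stem):
        entry.reasons.append(f"random-looking image name '{stem}'")
    args = entry.args.strip().lower()
    if args and args in (entry.name.lower(), stem):
        entry.reasons.append("argument merely repeats the entry name")
    return entry


def triage(log_text: str) -> list[RunEntry]:
    """Return only the entries worth a second look, in log order."""
    return [e for e in map(assess, parse_run_entries(log_text)) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.hive}] {e.name}: {e.image}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against a full log the script only narrows the list; the entries it prints still need the same manual look the helpers give them before anything is fixed.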
13.04.2008, 13:10
...new here

Posts: 3
#8 I hope everything has worked out now the way we hoped...

ComboFix 08-04-12.7 - Lappy 2008-04-13 13:30:58.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1031.18.442 [GMT 2:00]
ausgeführt von:: C:\Users\Lappy\Desktop\ComboFix.exe
.

((((((((((((((((((((((( Dateien erstellt von 2008-03-13 bis 2008-04-13 ))))))))))))))))))))))))))))))
.

2008-04-13 13:12 . 2008-04-13 13:12 <DIR> d-------- C:\Program Files\CCleaner
2008-04-13 12:31 . 2008-04-13 12:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 01:35 . 2008-04-10 01:35 <DIR> d-------- C:\Users\Lappy\AppData\Roaming\Gamelab
2008-04-09 20:08 . 2008-04-09 20:08 <DIR> d-------- C:\Users\All Users\HipSoft
2008-04-09 20:08 . 2008-04-09 20:08 <DIR> d-------- C:\ProgramData\HipSoft
2008-04-08 23:57 . 2008-02-15 01:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-08 23:57 . 2008-02-19 07:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-08 23:57 . 2008-02-29 08:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-08 23:57 . 2008-02-29 08:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-08 23:57 . 2008-02-29 08:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-08 23:57 . 2008-02-29 08:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-08 23:57 . 2008-02-29 08:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-08 23:57 . 2008-02-29 08:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-08 23:57 . 2008-02-29 08:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 23:56 . 2008-02-29 06:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-08 23:56 . 2008-02-21 06:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-08 23:56 . 2007-12-16 13:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-08 23:56 . 2007-12-16 13:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-07 21:05 . 2008-04-07 21:05 <DIR> d-------- C:\Program Files\Veoh Networks
2008-04-05 23:48 . 2008-04-05 23:48 <DIR> d-------- C:\Users\All Users\Playrix Entertainment
2008-04-05 23:48 . 2008-04-05 23:48 <DIR> d-------- C:\ProgramData\Playrix Entertainment
2008-04-05 23:46 . 2008-04-09 17:38 <DIR> d-------- C:\Program Files\DEUTSCHLAND SPIELT
2008-04-05 23:45 . 2008-04-05 23:45 <DIR> d-------- C:\Program Files\OXXOGames
2008-04-05 21:54 . 2008-04-13 01:12 <DIR> d-------- C:\Users\Lappy\AppData\Roaming\ChessBase
2008-04-05 21:53 . 2008-04-09 15:48 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-05 21:53 . 2008-04-05 21:53 <DIR> d-------- C:\Program Files\ChessBase
2008-04-05 17:53 . 2008-04-05 17:53 <DIR> d-------- C:\Users\Lappy\AppData\Roaming\Nokia Multimedia Player
2008-04-05 17:30 . 2008-04-05 17:52 <DIR> d-------- C:\Users\Lappy\AppData\Roaming\Nokia
2008-04-04 21:38 . 2008-04-04 21:38 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-04-04 21:38 . 2008-04-04 21:38 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-04-04 21:38 . 2002-01-05 14:37 344,064 --a------ C:\Windows\System32\msvcr70.dll
2008-04-04 03:00 . 2008-04-04 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-03 21:13 . 2008-04-03 21:13 <DIR> d-------- C:\Users\All Users\Nokia
2008-04-03 21:13 . 2008-04-03 21:13 <DIR> d-------- C:\ProgramData\Nokia
2008-04-03 21:05 . 2008-04-03 21:05 <DIR> d-------- C:\Users\All Users\Installations
2008-04-03 21:05 . 2008-04-03 21:05 <DIR> d-------- C:\ProgramData\Installations
2008-04-02 17:51 . 2008-04-03 21:15 <DIR> d-------- C:\Users\Lappy\AppData\Roaming\PC Suite
2008-04-02 17:51 . 2008-04-03 21:15 <DIR> d-------- C:\Users\All Users\PC Suite
2008-04-02 17:51 . 2008-04-03 21:15 <DIR> d-------- C:\ProgramData\PC Suite
2008-04-02 17:51 . 2008-04-03 21:08 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-02 17:49 . 2007-02-22 10:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll
2008-04-02 17:48 . 2008-04-02 17:48 <DIR> d-------- C:\Users\All Users\Downloaded Installations
2008-04-02 17:48 . 2008-04-02 17:48 <DIR> d-------- C:\ProgramData\Downloaded Installations
2008-04-02 17:47 . 2008-04-03 21:10 <DIR> d-------- C:\Program Files\Nokia
2008-04-02 17:47 . 2008-04-02 17:52 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-03-26 22:21 . 2008-04-10 00:04 <DIR> d-------- C:\Users\Lappy\AppData\Roaming\skypePM
2008-03-26 22:21 . 2008-03-26 22:21 32 --a------ C:\Users\All Users\ezsid.dat
2008-03-26 22:21 . 2008-03-26 22:21 32 --a------ C:\ProgramData\ezsid.dat
2008-03-26 22:18 . 2008-04-12 18:06 <DIR> d-------- C:\Users\Lappy\AppData\Roaming\Skype
2008-03-26 22:18 . 2008-03-26 22:18 <DIR> d-------- C:\Program Files\Skype
2008-03-26 22:18 . 2008-03-26 22:18 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-26 22:17 . 2008-03-26 22:18 <DIR> d-------- C:\Users\All Users\Skype
2008-03-26 22:17 . 2008-03-26 22:18 <DIR> d-------- C:\ProgramData\Skype

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 10:53 --------- d-----w C:\Users\Lappy\AppData\Roaming\Azureus
2008-04-09 01:17 --------- d-----w C:\Program Files\Google
2008-04-09 01:15 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 23:34 --------- d-----w C:\Program Files\PacificPoker4
2008-04-05 21:45 --------- d-----w C:\Program Files\Der Schreibtrainer
2008-04-05 21:41 --------- d-----w C:\Program Files\Cradle Of Rome
2008-04-05 19:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-05 15:28 --------- d-----w C:\Program Files\Azureus
2008-04-03 20:12 --------- d-----w C:\Program Files\MSN Messenger
2008-04-03 20:12 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-23 12:52 --------- d-----w C:\Users\Lappy\AppData\Roaming\LimeWire
2008-03-16 06:33 --------- d-----w C:\Program Files\Java
2008-03-10 06:49 --------- d-----w C:\ProgramData\hps
2008-03-10 06:48 --------- d-----w C:\Program Files\SCHLECKER
2008-03-09 16:11 --------- d-----w C:\Program Files\Pantheon
2008-03-08 17:43 --------- d-----w C:\ProgramData\Azureus
2008-03-08 17:31 --------- d-----w C:\Program Files\BitDownload
2008-03-07 23:25 --------- d-----w C:\Users\Lappy\AppData\Roaming\Ahead
2008-03-07 22:19 --------- d-----w C:\Users\Lappy\AppData\Roaming\Zylom
2008-03-07 22:01 --------- d-----w C:\Program Files\BitLocker
2008-03-07 21:58 --------- d-----w C:\Program Files\Microsoft Games
2008-03-06 15:32 --------- d-----w C:\Program Files\BitComet
2008-03-03 23:30 --------- d-----w C:\Program Files\Nero
2008-03-03 23:30 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-02 02:36 --------- d-----w C:\Program Files\Photo Story 3 for Windows
2008-03-02 00:05 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-02 00:04 --------- d-----w C:\Program Files\Windows Live
2008-03-02 00:03 --------- d-----w C:\ProgramData\WLInstaller
2008-03-01 23:07 230,432 ----a-w C:\PA207.DAT
2008-03-01 23:00 --------- d-----w C:\Program Files\Trust
2008-03-01 23:00 --------- d-----w C:\Program Files\Common Files\PAC207
2008-02-25 00:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-24 14:49 --------- d-----w C:\ProgramData\ScreenSeven
2008-02-24 14:49 --------- d-----w C:\ProgramData\Intenium
2008-02-23 22:16 --------- d-----w C:\Users\Lappy\AppData\Roaming\Legends of pirates
2008-02-23 01:22 --------- d-----w C:\Program Files\LimeWire
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 18:29 --------- d-----w C:\ProgramData\Messenger Plus!
2008-02-19 03:27 --------- d-----w C:\Users\Lappy\AppData\Roaming\Yahoo!
2008-02-19 03:27 --------- d-----w C:\ProgramData\Yahoo! Companion
2008-02-19 01:49 --------- d-----w C:\ProgramData\Yahoo!
2008-02-19 01:48 --------- d-----w C:\Program Files\Yahoo!
2008-02-18 23:34 --------- d-----w C:\Program Files\Common Files\Java
2008-02-15 14:10 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-02-14 10:31 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 10:31 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-14 10:26 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 10:26 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 10:26 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 10:26 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 10:26 25,656 ----a-w C:\Windows\system32\drivers\msahci.sys
2008-02-14 10:26 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 10:26 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 10:26 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 10:26 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 10:26 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-02-14 10:26 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 10:26 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 10:26 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 10:25 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 10:25 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 10:25 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 10:25 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-14 10:25 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 10:25 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 10:25 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2007-09-23 16:22 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-04-13_13.01.30.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-13 10:54:40 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-13 10:54:40 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-13 10:21:48 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-13 11:10:36 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-13 10:56:09 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-13 11:31:10 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-13 10:55:49 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-13 10:56:38 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-04-13 06:08:20 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-13 11:12:33 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-13 06:08:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-13 11:12:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-13 06:08:20 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-13 11:12:33 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-12 16:11:21 116,706 ----a-w C:\Windows\System32\perfc007.dat
+ 2008-04-13 11:01:38 116,706 ----a-w C:\Windows\System32\perfc007.dat
- 2008-04-12 16:11:21 103,924 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-13 11:01:38 103,924 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-12 16:11:21 641,344 ----a-w C:\Windows\System32\perfh007.dat
+ 2008-04-13 11:01:38 641,344 ----a-w C:\Windows\System32\perfh007.dat
- 2008-04-12 16:11:21 610,142 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-13 11:01:39 610,142 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-12 16:08:53 6,872 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1847020291-3617319696-1939263042-1000_UserData.bin
+ 2008-04-13 10:57:03 7,284 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1847020291-3617319696-1939263042-1000_UserData.bin
- 2008-04-12 16:08:53 49,372 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-13 10:57:02 49,528 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:33 201728]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 11:45 222208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Monitor"="C:\Windows\PixArt\PAC207\Monitor.exe" [2006-11-03 12:01 319488]
"TQ566808"="D:\Setup.exe" [ ]
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12 2658304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2007-10-11 04:45 249896 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-11 23:55 1232896 C:\Program Files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Users\Lappy\Desktop\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-09-18 22:09 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 14:32 2159104 C:\Windows\System32\oobefldr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4166B353-DC71-4BC3-8935-021F70F406CE}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{F8ACFEA9-76A4-40F2-8F44-28666115057F}C:\\program files\\internet camera\\admin\\admin.exe"= UDP:C:\program files\internet camera\admin\admin.exe:admin
"UDP Query User{8C4CE61B-F7BF-4D9E-A92C-E20E314E0CE5}C:\\program files\\internet camera\\admin\\admin.exe"= TCP:C:\program files\internet camera\admin\admin.exe:admin
"TCP Query User{7FCB40C0-B70A-4B28-BEE4-0EF32DA76001}C:\\program files\\internet camera\\util\\util.exe"= UDP:C:\program files\internet camera\util\util.exe:util
"UDP Query User{77784FDD-E5D8-4BEA-B854-6FAC0E876E0A}C:\\program files\\internet camera\\util\\util.exe"= TCP:C:\program files\internet camera\util\util.exe:util
"TCP Query User{5C640B9A-06D5-4A2E-B96D-428DD5CCFEA1}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{0DF54BCE-8FD2-424E-B7CB-324FCA55686C}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{D03F60C9-62A5-495C-B734-C54AFD703AEA}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{C5F9A4C7-2F32-4E2A-B9BD-B347DCC7F5AC}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{26A7C619-C713-4185-B83F-7A4373431343}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{B9E4235F-9C8C-482A-BF3F-B3A1ABCB8990}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{DE3EBE62-7AA2-45D9-B4D9-1B89B77333D5}C:\\program files\\bearshare\\bearshare.exe"= UDP:C:\program files\bearshare\bearshare.exe:BearShare
"UDP Query User{135B244E-8533-45FA-93BC-8A4C71EDD08B}C:\\program files\\bearshare\\bearshare.exe"= TCP:C:\program files\bearshare\bearshare.exe:BearShare
"TCP Query User{47685685-0BAC-4E0A-95C9-342E1D788DC8}C:\\program files\\steam\\steamapps\\countermosh444\\counter-strike\\hl.exe"= UDP:C:\program files\steam\steamapps\countermosh444\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{F4170531-17C2-49B0-A6EC-0F111543DDAF}C:\\program files\\steam\\steamapps\\countermosh444\\counter-strike\\hl.exe"= TCP:C:\program files\steam\steamapps\countermosh444\counter-strike\hl.exe:Half-Life Launcher
"TCP Query User{4CCD6B7E-510F-4F3E-9C19-7FF9CEDE6E3F}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{03A81EF3-8C58-45B8-92FD-263D1C9C0FCC}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{6054679C-C2C0-472A-9F8F-83E393F93EC7}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9D867EDC-196C-4F38-BAD0-B364D2E09FB2}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FE8C5770-DB29-48D5-99F5-B231A45C5A7A}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{4B04C573-4F7D-4CBC-A8B8-86E36D914214}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{3AAB1C94-3F2B-4719-A898-ABFBE495FD52}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{68768432-318C-4176-B853-FD4D2E8FA7C0}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{C1B92828-4A7F-48C2-9B16-420536E306BE}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{5E65DEAD-19A7-4D01-931E-F207DDEC78F4}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{D26FBA9B-443D-478B-B2E8-347383C48AC4}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{8F8D9442-8DE4-4B62-B908-66B30B052162}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{F1DF5A88-E0C8-4F16-8913-189F1EB3C951}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{1BD06429-7722-4618-881C-C7B02B1D197F}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{1FFFE3D5-1123-40BE-9DF5-5DC1F9C96F6E}C:\\program files\\webmediaplayer\\webmediaplayer.exe"= UDP:C:\program files\webmediaplayer\webmediaplayer.exe:WebMediaPlayer
"UDP Query User{43CA744F-69B7-4B2E-82A5-8D881AE69683}C:\\program files\\webmediaplayer\\webmediaplayer.exe"= TCP:C:\program files\webmediaplayer\webmediaplayer.exe:WebMediaPlayer
"TCP Query User{16F4EE89-5BB4-4B4E-AC3C-C4A7CA6B2B40}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{489FEF60-2AA0-484C-88D4-896370A1B972}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{8160811F-B0F6-4DE9-B987-352FCA097B5C}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{3F2C0571-2A00-47AF-8D3A-5C05196C044E}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{23EF73AB-1C0F-4B75-8D01-28594CC83862}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{3AD50C83-3EEE-413C-A7E7-D8EC84BDDEBB}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"{66718ADA-2C3C-47F0-BB8B-FCC1D578D61A}"= UDP:6002:schach.de
"TCP Query User{B9D1679B-E617-4ACF-8D54-5F24DAC63390}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{BB0C7958-F472-4840-9029-A5D34426F9CB}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{5AFC6334-748F-4803-9141-677400D98D94}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{826ABB2A-FC39-4599-B921-10585800A1C9}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 UxTuneUp;TuneUp Designerweiterung;C:\Windows\System32\svchost.exe [2006-11-02 11:45]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-01-19 01:03]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2007-09-18 21:11]
S3 PAC207;Trust WB-1400T Webcam;C:\Windows\system32\DRIVERS\PFC027.SYS [2007-05-14 11:26]
S4 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;C:\Windows\System32\TuneUpDefragService.exe [2007-12-14 23:53]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Inhalt des "geplante Tasks" Ordners
"2008-04-11 15:21:09 C:\Windows\Tasks\1-Klick-Wartung.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-04-12 18:04:23 C:\Windows\Tasks\User_Feed_Synchronization-{EC2C2C5C-0EDD-4BBB-949E-4A46A77BEE1B}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 13:33:57
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-04-13 13:35:03
ComboFix-quarantined-files.txt 2008-04-13 11:34:55
ComboFix2.txt 2008-04-13 11:02:27
7 Verzeichnis(se), 57,998,110,720 Bytes frei
14 Verzeichnis(se), 57,948,454,912 Bytes frei
.
2008-04-09 01:09:00 --- E O F ---
This post was edited by Melle21 on 13.04.2008 at 13:42.
13.04.2008, 14:08
...new here

Thread starter

Posts: 8
#9 ---RVAXO.exe Updated: 2008-04-13---first run---
Uninstallers:

Files found:
C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\mysidesearch_sidebar.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\adssite_sidebar.dll
C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\adssite-remove.exe

Folders Found:
C:\Programme\Adssite Advanced Toolbar
C:\Programme\Adssite Games Collection

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------
Not deleted items:

--------------RVAXO.exe finished----------------

So, what now?
13.04.2008, 14:15
Honorary member

Posts: 6028
#10 @McLovin
Open the RVAXO file on your desktop
Double-click Uninstall.cmd to remove everything belonging to RVAXO

And post another HijackThis log
__________
Regards, Argus
13.04.2008, 14:23
...new here

Thread starter

Posts: 8
#11 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:22:03, on 13.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
H:\Programme\AntiVir PersonalEdition Classic\sched.exe
H:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
H:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
H:\Programme\Sidebar\Thoosje Vista Sidebar.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\Gemeinsame Dateien\Sonic Shared\cinetray.exe
H:\Programme\FRITZ!DSL\FwebProt.exe
H:\Programme\FRITZ!DSL\StCenter.exe
H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe
H:\Programme\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
H:\Programme\Vista Inspirat 2\YzShadow\YzShadow.exe
H:\Programme\Firefox\firefox.exe
H:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.epowars.de/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - H:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - H:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "H:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Thoosje Vista Sidebar] H:\Programme\Sidebar\Thoosje Vista Sidebar.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kmbmzgbgs] c:\dokumente und einstellungen\malte f\lokale einstellungen\anwendungsdaten\kmbmzgbgs.exe kmbmzgbgs
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FRITZ!DSL Protect.lnk = H:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Startup: FRITZ!DSL Startcenter.lnk = H:\Programme\FRITZ!DSL\StCenter.exe
O4 - Startup: RocketDock.lnk = H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = H:\Programme\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = H:\Programme\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = H:\Programme\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://H:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD89D1E5-D2D2-4AAA-8750-9C1CFE79312D}: NameServer = 192.168.2.1
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - H:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - H:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - H:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe

--
End of file - 7064 bytes
13.04.2008, 14:30
Honorary member

Posts: 6028
#12 @McLovin

Please deactivate the TeaTimer of Spybot S&D:

Close all windows and start HijackThis
Click: Do a system scan only
Tick the box in front of the following entry

O4 - HKCU\..\Run: [kmbmzgbgs] c:\dokumente und einstellungen\malte f\lokale einstellungen\anwendungsdaten\kmbmzgbgs.exe kmbmzgbgs

Click: Fix checked
Your Internet Explorer must be closed when you click Fix checked

««
Run CCleaner (do not tick the cookies)
http://www.ccleaner.de/?protecus.de

««
Run ComboFix, click away the warning message + post the report
http://virus-protect.org/artikel/tools/combofix.html

Edit: Sabina is taking over, I have to get to work ;)
__________
Regards, Argus
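The entry Argus singles out is the classic shape of a user-level persistence point: a Run value with a random-looking name launching an executable from the user's own profile directory. The triage script below is an added example (not from this thread, HijackThis or any of the tools named here) that parses HijackThis O4 lines and flags exactly those two properties plus unresolved shortcut targets; the heuristics are assumptions, and the sample lines are copied from the HijackThis log posted above.

```python
"""Triage HijackThis O4 (autostart) log lines for persistence indicators.
Added example, not part of this thread or of HijackThis; the heuristics are
assumptions chosen around this thread's finding: an autostart image under a
user profile directory, and a value name with no vowels ("kmbmzgbgs")."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Registry autostart:  O4 - HKCU\..\Run: [name] command
O4_REG_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[\w-]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup folder entry:  O4 - Startup: Foo.lnk = target   (or "Global Startup")
O4_LNK_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# Shortest prefix ending in an image extension, so unquoted paths with spaces survive
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs|js))(?=[\s,]|$)", re.I)
# Locations a limited user can write to (English and German XP/Vista names)
PROFILE_MARKERS = ("\\documents and settings\\", "\\dokumente und einstellungen\\", "\\users\\",
                   "%userprofile%", "%appdata%", "%localappdata%", "%temp%", "\\temp\\")

@dataclass(frozen=True)
class Entry:
    source: str        # e.g. "HKCU\..\Run" or "Startup folder"
    name: str          # registry value name or shortcut name
    command: str       # command line exactly as logged
    image: str | None  # extracted image path, None if not recoverable

@dataclass(frozen=True)
class Finding:
    entry: Entry
    reasons: tuple[str, ...]

def extract_image(command: str) -> str | None:
    """Pull the executable path out of a logged command line."""
    command = command.strip()
    if not command or command == "?":
        return None                      # HijackThis could not resolve the target
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    m = IMAGE_RE.match(command)
    return m.group("path") if m else None

def parse_o4(line: str) -> Entry | None:
    """Parse one log line; returns None unless it is an O4 entry."""
    line = line.rstrip("\r\n")
    if m := O4_REG_RE.match(line):
        source = f"{m.group('hive')}\\..\\{m.group('key')}"
        return Entry(source, m.group("name"), m.group("cmd"), extract_image(m.group("cmd")))
    if m := O4_LNK_RE.match(line):
        return Entry("Startup folder", m.group("name"), m.group("cmd"), extract_image(m.group("cmd")))
    return None

def in_user_profile(image: str) -> bool:
    """True when the image lies under a user profile or temp location."""
    low = image.lower()
    return any(marker in low for marker in PROFILE_MARKERS)

def looks_random(name: str) -> bool:
    """True for names with six or more letters and no vowel (y counts as one)."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 6 and not any(c in "aeiouy" for c in letters)

def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics to a whole log; returns flagged autostarts in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if entry.image is None:
            reasons.append("target could not be resolved")
        elif in_user_profile(entry.image):
            reasons.append("image under user profile/temp directory")
        if looks_random(entry.name):
            reasons.append("value name has no vowels")
        if reasons:
            findings.append(Finding(entry, tuple(reasons)))
    return findings

# Sample input: O4 lines copied from the HijackThis log posted in this thread,
# plus one non-O4 line to show that other sections are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "H:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kmbmzgbgs] c:\dokumente und einstellungen\malte f\lokale einstellungen\anwendungsdaten\kmbmzgbgs.exe kmbmzgbgs
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - Startup: RocketDock.lnk = H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry.source}] {f.entry.name}: {'; '.join(f.reasons)}")
```

On the sample log only the kmbmzgbgs value (both heuristics) and the unresolved Sonic shortcut are reported; the legitimate system and vendor autostarts pass.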
13.04.2008, 14:50
...new here

Thread starter

Posts: 8
#13 ComboFix 08-04-12.7 - Malte F 2008-04-13 14:44:53.1 - NTFSx86
ausgeführt von:: C:\Dokumente und Einstellungen\Malte F\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Desktop\webmediaplayer.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Datenschutzrichtlinien.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Deinstallieren.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Geschäftsbedingungen.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\WebMediaPlayer.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\WebMediaPlayer\Website.url
C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\Adssite Advanced Toolbar
C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\Adssite Advanced Toolbar\selected.xml
C:\Dokumente und Einstellungen\Malte F\Lokale Einstellungen\Anwendungsdaten\kmbmzgbgs.dat
C:\Dokumente und Einstellungen\Malte F\Lokale Einstellungen\Anwendungsdaten\kmbmzgbgs.exe
C:\Dokumente und Einstellungen\Malte F\Lokale Einstellungen\Anwendungsdaten\kmbmzgbgs_nav.dat
C:\Dokumente und Einstellungen\Malte F\Lokale Einstellungen\Anwendungsdaten\kmbmzgbgs_navps.dat
C:\Programme\webmediaplayer
C:\Programme\webmediaplayer\dxva_sig.txt
C:\Programme\webmediaplayer\resources\languages_v2.xml
C:\Programme\webmediaplayer\resources\webmedias
C:\Programme\webmediaplayer\skins\classic.skn
C:\Programme\webmediaplayer\sqlite3.dll
C:\Programme\webmediaplayer\uninst.exe
C:\Programme\webmediaplayer\WebMediaPlayer.exe
C:\WINDOWS\system32\nss12.dll

.
((((((((((((((((((((((( Dateien erstellt von 2008-03-13 bis 2008-04-13 ))))))))))))))))))))))))))))))
.

2008-04-13 09:35 . 2008-04-13 09:35 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService\Eigene Dateien
2008-04-12 20:37 . 2008-04-12 20:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 20:37 . 2008-04-12 20:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 12:38 . 2008-03-21 13:00 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 11:55 --------- d-----w C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\FRITZ!
2008-04-12 21:19 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater
2008-04-12 17:44 --------- d-----w C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\teamspeak2
2008-04-10 16:13 --------- d-----w C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\mIRC
2008-03-01 16:30 --------- d-----w C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\dvdcss
2008-02-28 12:27 --------- d-----w C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\LimeWire
2008-02-26 17:12 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-02-20 18:53 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-02-20 18:05 59,208 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-02-20 18:05 5,400 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-02-20 18:05 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-02-08 21:16 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-28 16:15 27,272 -c--a-w C:\Dokumente und Einstellungen\Malte F\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-10-16 22:19 56 --sh--r C:\WINDOWS\system32\6C30315300.sys
2007-10-16 22:19 2,306 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2007-01-04 16:02 670720 04a670155a6d86dfbf562f45544e1908 C:\WINDOWS\$hf_mig$\KB928090\SP2QFE\wininet.dll
2004-08-04 00:57 662016 b1a1da99c4a6ebfd59f86a453bf02f39 C:\WINDOWS\$NtUninstallKB928090$\wininet.dll
2007-01-04 15:41 698880 12dfff417f569c5649389a7573acf6d2 C:\WINDOWS\system32\wininet.dll
2007-01-04 15:41 698880 12dfff417f569c5649389a7573acf6d2 C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-04 00:57 977920 255895ec24d86fe41116c82b3a63b99b C:\WINDOWS\explorer.exe
2004-08-04 00:57 977920 255895ec24d86fe41116c82b3a63b99b C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:57 15360]
"Thoosje Vista Sidebar"="H:\Programme\Sidebar\Thoosje Vista Sidebar.exe" [2007-10-22 02:26 524288]
"SpybotSD TeaTimer"="H:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"avgnt"="H:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 17:03 249896]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Adobe Reader Speed Launcher"="H:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:57 15360]

C:\Dokumente und Einstellungen\Malte F\Startmen\Programme\Autostart\
FRITZ!DSL Protect.lnk - H:\Programme\FRITZ!DSL\FwebProt.exe [2007-05-28 14:35:00 917504]
FRITZ!DSL Startcenter.lnk - H:\Programme\FRITZ!DSL\StCenter.exe [2007-05-28 14:35:00 679936]
RocketDock.lnk - H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 00:05:02 630784]
TransBar.lnk - H:\Programme\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 21:41:18 65536]
UberIcon.lnk - H:\Programme\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 09:43:08 180224]
Y'z Shadow.lnk - H:\Programme\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 09:43:14 155648]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Microsoft Office.lnk - H:\Programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Sonic CinePlayer Quick Launch.lnk - C:\Programme\Gemeinsame Dateien\Sonic Shared\cinetray.exe [2002-09-18 14:16:30 98304]

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RSShutdown]
--a--c--- 2004-06-24 17:16 20480 H:\Programme\Shutdown\Autostart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunAfterBoot]
--a--c--- 2005-11-14 03:24 121064 G:\Computer\TS_Sky_Star 2 PCI_440a\Install\Setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UxTuneUp"=2 (0x2)
"TapiSrv"=3 (0x3)
"Spooler"=2 (0x2)
"SharedAccess"=2 (0x2)
"RSShutdown"=2 (0x2)
"ImapiService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="H:\Programme\DAEMON Tools\daemon.exe" -lang 1033
"AdobeUpdater"=C:\Programme\Gemeinsame Dateien\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"
"ICQ Lite"="H:\Programme\ICQLite\ICQLite.exe" -minimize
"hid_start"=C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify
"DAEMON Tools"="H:\Programme\DAEMON Tools\daemon.exe" -lang 1033
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="H:\Programme\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="H:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"=
"H:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE"=
"H:\\Programme\\ICQLite\\ICQLite.exe"=
"H:\\Programme\\DVBViewerTE\\ts_winlirc.exe"=
"H:\\SPIELE\\WarcraftIII\\war3.exe"=
"H:\\Programme\\LimeWire\\LimeWire.exe"=
"H:\\Programme\\BitDownload\\BitDownload.exe"=
"H:\\Programme\\iTunes\\iTunes.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\cinemsup.sys [2002-07-19 08:10]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2007-10-13 20:11]
S3 SKYNET;TechniSat DVB-PC TV Star PCI;C:\WINDOWS\system32\DRIVERS\SkyNET.SYS [2004-10-13 11:56]
S4 RSShutdown;RichiStudios Shutdown;H:\Programme\Shutdown\service.exe [2004-06-24 17:16]
S4 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:58]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Inhalt des "geplante Tasks" Ordners
"2008-03-21 16:15:00 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- H:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 14:45:51
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-04-13 14:46:16
ComboFix-quarantined-files.txt 2008-04-13 12:46:05
12 Verzeichnis(se), 1,017,831,424 Bytes frei
15 Verzeichnis(se), 1,012,371,456 Bytes frei


But somehow I now have no taskbar at the bottom and nothing on the desktop anymore?!... will that come back if I do a restart?
13.04.2008, 15:03
Honorary member

Posts: 29434
#14 Run Silent Runners + post the report
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
13.04.2008, 15:16
...new here

Thread starter

Posts: 8
#15 "Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Thoosje Vista Sidebar" = "H:\Programme\Sidebar\Thoosje Vista Sidebar.exe" [null data]
"SpybotSD TeaTimer" = "H:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"avgnt" = ""H:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"StartCCC" = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"Adobe Reader Speed Launcher" = ""H:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "H:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "H:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "H:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "H:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}" = "ICCompPropPage"
-> {HKLM...CLSID} = "ImageComposer.CompositionPropertyPage"
\InProcServer32\(Default) = "H:\Programme\Microsoft Image Composer\SERVER.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "H:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "H:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "H:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"
-> {HKLM...CLSID} = "CMenuExtender"
\InProcServer32\(Default) = "H:\Programme\Vista Inspirat 2\iColorFolder\CMExt.dll" ["Revenger inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "H:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "H:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "H:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
CMenuExtender\(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"
-> {HKLM...CLSID} = "CMenuExtender"
\InProcServer32\(Default) = "H:\Programme\Vista Inspirat 2\iColorFolder\CMExt.dll" ["Revenger inc."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "H:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "H:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "H:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "H:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Malte F\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "Malte F" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\Malte F\Startmenü\Programme\Autostart
"FRITZ!DSL Protect" -> shortcut to: "H:\Programme\FRITZ!DSL\FwebProt.exe" ["AVM Berlin"]
"FRITZ!DSL Startcenter" -> shortcut to: "H:\Programme\FRITZ!DSL\StCenter.exe" ["AVM Berlin"]
"RocketDock" -> shortcut to: "H:\Programme\Vista Inspirat 2\RocketDock\RocketDock.exe" [null data]
"TransBar" -> shortcut to: "H:\Programme\Vista Inspirat 2\TransBar\TransBar.exe /s" ["AKSoftware"]
"UberIcon" -> shortcut to: "H:\Programme\Vista Inspirat 2\UberIcon\UberIcon Manager.exe" [null data]
"Y'z Shadow" -> shortcut to: "H:\Programme\Vista Inspirat 2\YzShadow\YzShadow.exe" ["Y'z@Home"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Microsoft Office" -> shortcut to: "H:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Sonic CinePlayer Quick Launch" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Sonic Shared\cinetray.exe" ["Sonic Solutions"]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "H:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "H:\Programme\FRITZ!DSL\sarah.dll" ["AVM Berlin"]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
H:\Programme\FRITZ!DSL\sarah.dll ["AVM Berlin"], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "H:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "H:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SE Sidebar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\adssite_sidebar.dll" [file not found]
{C0B0250E-ED5D-4234-802D-AC0DA30CEC25}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ADPanel"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mysidesearch_sidebar.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "H:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "H:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "H:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "H:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "H:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVM IGD CTRL Service, AVM IGD CTRL Service, "H:\Programme\FRITZ!DSL\IGDCTRL.EXE" ["AVM Berlin"]
Google Updater Service, gusvc, ""C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]


---------- (launch time: 2008-04-13 15:09:57)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 51 seconds, including 5 seconds for message boxes)