Trojan Vundo and Crypt.xpack yet again

21.05.2008, 00:07
Honorary member
Sabina

Posts: 29434
#16 Scan with F-Secure + post the report here
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
21.05.2008, 01:21
Member

Thread starter
Mangekyou

Posts: 19
#17 So here's the report from the online scan!! I'm satisfied ;);)

Scanning Report
Wednesday, May 21, 2008 00:38:55 - 05:39:58

Computer name: B-8D0AB22A49714
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 1 malware found
Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 34444
* System: 3801
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-05-20
* F-Secure AVP: 7.0.171, 2008-05-20
* F-Secure Pegasus: 1.20.0, 2008-04-15
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

__________
Regards, Mangekyou
This post was edited on 21.05.2008 at 05:44 by Mangekyou.
21.05.2008, 12:10
Honorary member
Sabina

Posts: 29434
#18 Run regstuff + post the report
http://virus-protect.org/registry_stuff.html
__________
Regards, Sabina

all about PC security
21.05.2008, 13:14
Member

Thread starter
Mangekyou

Posts: 19
#19 So this is the report:

doesn't exist HKEY_LOCAL_MACHINE\SSYSTEM\CurrentControlSet\Services\windowsnetwork
doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00
"DependOnService"=hex(7):4e,65,74,6d,61,6e,00,57,69,6e,4d,67,6d,74,00,00
"Description"="Bietet allen Computern in Heim- und kleinen Firmennetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."
"DisplayName"="Windows-Firewall/Gemeinsame Nutzung der Internetverbindung"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cf3

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\concept design\\onlineTV 2\\onlineTV.exe"="C:\\Programme\\concept design\\onlineTV 2\\onlineTV.exe:*:Enabled:onlineTV"
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"="C:\\Programme\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Warcraft III\\Warcraft III.exe"="C:\\Programme\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"="C:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE:*:Enabled:FRITZ!DSL - igdctrl.exe"
"C:\\Programme\\Windows Media Player\\wmplayer.exe"="C:\\Programme\\Windows Media Player\\wmplayer.exe:*:Enabled:wmplayer"
"C:\\Programme\\Warcraft III\\war3.exe"="C:\\Programme\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"C:\\Programme\\Electronic Arts\\Die Schlacht um Mittelerde II\\game.dat"="C:\\Programme\\Electronic Arts\\Die Schlacht um Mittelerde II\\game.dat:*:Enabled:Die Schlacht um Mittelerde™ II"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Programme\\Electronic Arts\\Die Schlacht um Mittelerde II\\patchget.dat"="C:\\Programme\\Electronic Arts\\Die Schlacht um Mittelerde II\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE"="C:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE:*:Enabled:AVM FRITZ!Box Firmware-Update"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Programme\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"="C:\\Programme\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe:*:Enabled:GG E-Sports Platform Client"
"C:\\Programme\\NEXON\\EuropeMapleStory\\Patcher.exe"="C:\\Programme\\NEXON\\EuropeMapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Programme\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"="C:\\Programme\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe:*:Enabled:battlefrontII"
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"="C:\\Programme\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Sicherheitscenter"
"DependOnService"=hex(7):52,70,63,53,73,00,77,69,6e,6d,67,6d,74,00,00
"ObjectName"="LocalSystem"
"Description"="Überwacht Systemsicherheitseinstellungen und -konfigurationen."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,53,59,53,54,45,4d,52,4f,4f,54,25,5c,73,79,73,74,65,6d,\
33,32,5c,77,73,63,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,4e,4f,44,45,00,53,51,\
4c,5c,51,55,45,52,59,00,53,50,4f,4f,4c,53,53,00,4c,4c,53,52,50,43,00,62,72,\
6f,77,73,65,72,00,00
"NullSessionShares"=hex(7):43,4f,4d,43,46,47,00,44,46,53,24,00,00
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,73,72,76,73,76,63,2e,64,6c,6c,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:65,7d,21,a5,9e,80,44,48,99,ae,25,92,f4,09,8a,e9
"AdjustedNullSessionPipes"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,6b,73,73,76,63,2e,64,6c,6c,00
"OtherDomains"=hex(7):00


[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]


[HKEY_CURRENT_USER\Software\Microsoft\OLE]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Type"=dword:00000020
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"="Nachrichtendienst"
"DependOnService"=hex(7):4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,6e,00,\
4e,65,74,42,49,4f,53,00,50,6c,75,67,50,6c,61,79,00,52,70,63,53,53,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Überträgt NET SEND- und Warndienstnachrichten zwischen Clients und Servern. Dieser Dienst ist nicht mit Windows Messenger verwandt. Der Warndienst überträgt keine Nachrichten, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem Dienst ausschließlich abhängig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,6d,73,67,73,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:000004d0
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:8d,6d,7f,08,f7,a8,83,9f,b7,9a,3e,1e,28,eb,cc,26,30,64,37,37,61,\
61,37,61,00,fd,07,00,8c,72,00,00,34,fa,07,00,56,82,46,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,a9,b3,82,f8,27,d4,77,da,20,dd,ef,0d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:75,5c,4a,41,c6,38,8d,52,88

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:39,58,78,ea,90,fa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:f6,03,a4,fd,54,bc,1c,8e,d5,16,5b,70,65,b2,45,c3

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:0e,69,9b,06,62,ba,c8,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

So unfortunately I'm now off on holiday for a week ... China ... *excited*
If anything comes out of the report, please don't close the thread yet, because I won't be back for a week!
__________
Regards, Mangekyou
This post was edited on 21.05.2008 at 13:20 by Mangekyou.
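The registry export in post #19 above is a REGEDIT4 dump, and several of its values are worth a second look: the LSA block shows lmcompatibilitylevel=0, nolmhash=0 and restrictanonymous=0, and the StandardProfile GloballyOpenPorts list has 3389:TCP scoped to * (any address) and Enabled, while the NetBIOS/SMB entries are Disabled. The script below is an added example for this thread; it is not part of the original post, of the regstuff tool, or of any Microsoft tool. It parses REGEDIT4 text (including the backslash-continued hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ payloads), decodes the values, and flags the weak settings. The key paths and value names are taken from the posted dump; the sample input is a constructed excerpt of it, and the thresholds used for the findings (for example lmcompatibilitylevel below 3) are the reviewer's assumptions, not something the thread states.

```python
"""Parse a REGEDIT4 export such as the regstuff output above and flag weak settings.
Added example for this thread; not part of the original post, of regstuff, or of any
Microsoft tool. SAMPLE_REG is a constructed excerpt modelled on the posted dump.
"""
import re

SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
  33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,00
"lmcompatibilitylevel"=dword:00000000
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
'''

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
FW_STD = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _hex_bytes(blob):
    """'25,53,...' -> bytes."""
    return bytes(int(b, 16) for b in blob.split(",") if b.strip())


def decode_value(data):
    """Turn one REGEDIT4 payload into (type_name, python_value)."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ; REGEDIT4 escapes backslashes and quotes with a backslash
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if data.startswith("hex(2):"):  # REG_EXPAND_SZ, ANSI export: one byte per char, NUL-terminated
        return "REG_EXPAND_SZ", _hex_bytes(data[7:]).rstrip(b"\x00").decode("latin-1")
    if data.startswith("hex(7):"):  # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        raw = _hex_bytes(data[7:]).decode("latin-1")
        return "REG_MULTI_SZ", [s for s in raw.split("\x00") if s]
    if data.startswith("hex:"):     # REG_BINARY, e.g. the service "Security" descriptors
        return "REG_BINARY", _hex_bytes(data[4:])
    return "UNKNOWN", data


def parse_regedit4(text):
    """Return {key_path: {value_name_lowercase: (type_name, value)}}."""
    keys, current, i = {}, None, 0
    lines = text.splitlines()
    while i < len(lines):
        line = lines[i].strip()
        # hex payloads are wrapped with a trailing backslash; re-join them first
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name").lower()] = decode_value(m.group("data"))
    return keys


def _dword(values, name, default):
    return values.get(name, ("REG_DWORD", default))[1]


def audit(keys):
    """List the weak settings visible in the dump. The thresholds are the
    reviewer's assumptions (see lead-in), not something the thread states."""
    findings = []
    lsa = keys.get(LSA, {})
    if _dword(lsa, "lmcompatibilitylevel", 0) < 3:
        findings.append("LSA: lmcompatibilitylevel < 3, LM/NTLMv1 responses are still sent")
    if _dword(lsa, "nolmhash", 0) == 0:
        findings.append("LSA: nolmhash=0, LM hashes are stored in the SAM")
    if _dword(lsa, "restrictanonymous", 0) == 0:
        findings.append("LSA: restrictanonymous=0, anonymous (null-session) enumeration allowed")
    if _dword(keys.get(FW_STD, {}), "enablefirewall", 0) != 1:
        findings.append("Firewall: StandardProfile EnableFirewall is not 1")
    # entry format: port:proto:scope:state:description
    for _, (_, spec) in keys.get(FW_STD + r"\GloballyOpenPorts\List", {}).items():
        port, proto, scope, state = spec.split(":")[:4]
        if state.lower() == "enabled" and scope == "*":
            findings.append(f"Firewall: {port}/{proto} open to any address (scope {scope})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_regedit4(SAMPLE_REG)):
        print(finding)
```

Run it against the full dump by reading the regstuff output into parse_regedit4 instead of SAMPLE_REG. On the sample it reports the three LSA settings and the 3389/TCP exception; the NetBIOS ports stay quiet because their entries are Disabled, and 1900/UDP because its scope is LocalSubNet rather than *.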
27.05.2008, 18:31
Member

Thread starter
Mangekyou

Posts: 19
#20 So I'm back from China, it was great ;)
How are you doing?
Thanks again for the help ;)
__________
Regards, Mangekyou
28.05.2008, 00:57
Honorary member
Sabina

Posts: 29434
#21 Hello ;)
Then we can carry on...
Scan with Kaspersky + post the report (have the e-mails scanned as well)
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
05.06.2008, 23:43
Member

Thread starter
Mangekyou

Posts: 19
#22 Hi ... so I've been trying for a week now, but this online scan somehow doesn't work for me ... I do have Firefox and I also tried it with the newest Internet Explorer, but it doesn't work -.-
Should I maybe do a Kaspersky Internet Security check instead?? ... i.e. use the downloadable program, because that doesn't run via an online scan and might work?
__________
Regards, Mangekyou
05.06.2008, 23:57
Honorary member
Sabina

Posts: 29434
#23 Use the BitDefender one. (have the e-mails scanned as well) ;)
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
11.06.2008, 14:06
Member

Thread starter
Mangekyou

Posts: 19
#24 So I downloaded and installed BitDefender.
But that made my PC very, very slow, so that I couldn't do anything anymore ... I then also had problems uninstalling it again, but eventually managed it and my PC runs normally again ... should I maybe do an AntiVir scan as well?
__________
Regards, Mangekyou
11.06.2008, 14:29
Honorary member
Sabina

Posts: 29434
#25 You don't actually download BitDefender, it's an online scan....

«
Run SDFix in normal mode:
double-click RunThis.bat
type in: A
post the report here
http://virus-protect.org/artikel/tools/sdfix.html

««
P.S. If the Windows Updates don't work, run Dial-a-fix
http://virus-protect.org/artikel/tools/dial_a_fix.html
__________
Regards, Sabina

all about PC security
11.06.2008, 17:30
Member

Thread starter
Mangekyou

Posts: 19
#26 So here's the report from RunThis.bat ... Windows Update works perfectly ;)


System Report
*************

Run on 11.06.2008 at 17:28

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [1032]
\??\C:\WINDOWS\system32\csrss.exe [1152]
\??\C:\WINDOWS\system32\winlogon.exe [1176]
C:\WINDOWS\system32\services.exe [1220]
C:\WINDOWS\system32\lsass.exe [1232]
C:\WINDOWS\system32\svchost.exe [1372]
C:\WINDOWS\system32\svchost.exe [1452]
C:\WINDOWS\System32\svchost.exe [1488]
C:\WINDOWS\system32\svchost.exe [1540]
C:\WINDOWS\system32\svchost.exe [1624]
C:\WINDOWS\system32\spoolsv.exe [228]
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe [244]
C:\Programme\FRITZ!DSL\IGDCTRL.EXE [364]
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe [464]
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE [528]
C:\WINDOWS\system32\nvsvc32.exe [608]
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe [724]
C:\WINDOWS\system32\svchost.exe [756]
C:\WINDOWS\Explorer.EXE [1932]
C:\WINDOWS\System32\alg.exe [1000]
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe [1340]
C:\Programme\Analog Devices\SoundMAX\SMTray.exe [2212]
C:\WINDOWS\system32\RUNDLL32.EXE [2424]
C:\Programme\HP\HP Software Update\HPWuSchd2.exe [2512]
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe [2600]
C:\Programme\iTunes\iTunesHelper.exe [2684]
C:\Programme\QuickTime\qttask.exe [2752]
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe [2820]
C:\Programme\iPod\bin\iPodService.exe [2956]
C:\Programme\Logitech\QuickCam\Quickcam.exe [2972]
C:\WINDOWS\system32\ctfmon.exe [3036]
C:\Programme\Messenger\msmsgs.exe [3184]
C:\Programme\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE [3444]
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe [3508]
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe [3524]
C:\Programme\FRITZ!DSL\FwebProt.exe [3540]
C:\Programme\FRITZ!DSL\StCenter.EXE [3712]
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe [1124]
C:\Programme\HP\Digital Imaging\Product Assistant\bin\hprblog.exe [2096]
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe [2108]
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe [3316]
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe [3656]
C:\Programme\AntiVir PersonalEdition Classic\sched.exe [2456]
C:\Programme\Mozilla Firefox\firefox.exe [1224]


Drivers - Running:

ACEDRV05
ACPI
aeaudio
AEXPAM
AFD
AmdK7
atapi
audstub
avgntdd
avgntmgr
avipbb
Beep
Cdfs
Cdrom
Disk
Fdc
FETNDIS
Fips
Flpydisk
FltMgr
Ftdisk
gameenum
GEARAspiWDM
Gpc
HidUsb
i8042prt
Imapi
IpNat
IPSec
isapnp
Kbdclass
kmixer
KSecDD
LVPr2Mon
mnmdd
Mouclass
MountMgr
MRxDAV
MRxSmb
Msfs
mssmbios
ms_mpu401
Mup
NDIS
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
nm
NPF
Npfs
npkcrypt
Ntfs
Null
nv
odysseyIM3
Parport
PartMgr
ParVdm
PCI
PptpMiniport
PSched
Ptilink
PxHelp20
RasAcd
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
redbook
Secdrv
serenum
Serial
sfdrv01
sfhlp02
sfvfs02
smwdm
sptd
sr
Srv
ssmdrv
swenum
sysaudio
Tcpip
TermDD
TNET1130
Update
usbehci
usbhub
usbuhci
VgaSave
viaagp1
ViaIde
VolSnap
Wanarp
wdmaud
WS2IFSL


Drivers - Stopped:

Abiosdsk
abp480n5
ACPIEC
adpu160m
aec
Aha154x
aic78u2
aic78xx
AliIde
amsint
asc
asc3350p
asc3550
AsyncMac
Atdisk
Atmarpc
Bfi02
catchme
cbidf2k
CCDECODE
cd20xrnt
Cdaudio
Changer
CmdIde
Cpqarray
dac960nt
dmboot
dmio
dmload
DMusic
dpti2o
drmkaud
Fastfat
hpn
HTTP
i2omgmt
i2omp
ini910u
IntelIde
Ip6Fw
IpFilterDriver
IpInIp
IRENUM
lbrtfdc
LVcKap
LVMVDrv
LVUSBSta
Modem
mraid35x
MSKSSRV
MSPCLOCK
MSPQM
MSTEE
NABTSFEC
NdisIP
NTSIM
NwlnkFlt
NwlnkFwd
PCANDIS5
PCIDump
PCIIde
Pcmcia
PDCOMP
PDFRAME
PDRELI
PDRFRAME
pepifilter
perc2
perc2hib
PID_PEPI
ql1080
Ql10wnt
ql12160
ql1240
ql1280
RDPWD
Sfloppy
Simbad
SLIP
Sparrow
splitter
streamip
swmidi
symc810
symc8xx
sym_hi
sym_u3
tcpsr
TDPIPE
TDTCP
TosIde
Udfs
ultra
usbaudio
usbccgp
usbprint
USBSTOR
WDICA
WSTCODEC
WudfPf
WudfRd


Services - Running:

ALG
AntiVirScheduler
AntiVirService
AudioSrv
AVM
BITS
CryptSvc
DcomLaunch
Dhcp
Dnscache
ERSvc
Eventlog
EventSystem
FastUserSwitchingCompatibility
helpsvc
iPod
lanmanserver
lanmanworkstation
LmHosts
LVCOMSer
LVPrcSrv
MDM
Netman
Nla
NVSvc
PlugPlay
PolicyAgent
ProtectedStorage
RasMan
RpcSs
SamSs
seclogon
SENS
SharedAccess
ShellHWDetection
SoundMAX
Spooler
srservice
stisvc
TapiSrv
TermService
Themes
TrkWks
W32Time
WebClient
winmgmt
wscsvc
wuauserv
WZCSVC


Services - Stopped:

Alerter
AppMgmt
Browser
CiSvc
ClipSrv
COMSysApp
de_serv
dmadmin
dmserver
FirebirdServerMAGIXInstance
HidServ
HTTPFilter
IDriverT
ImapiService
LVSrvLauncher
Messenger
mnmsrvc
MSDTC
MSIServer
NetDDE
NetDDEdsdm
Netlogon
NMIndexingService
NtLmSsp
NtmsSvc
ose
RasAuto
RDSessMgr
RemoteAccess
rpcapd
RpcLocator
RSVP
SCardSvr
SSDPSRV
SwPrv
SysmonLog
upnphost
UPS
usnjsvc
usprserv
VSS
WLSetupSvc
WmdmPmSN
WmiApSrv
WMPNetworkSvc
WudfSvc
xmlprov


Files Created/Modified - 60 Days:


C:\

20 May 2008 17:09:52 5.616 A.... "C:\avenger.txt"
20 May 2008 18:28:02 3.669 A.... "C:\Bug.txt"
14 May 2008 19:38:38 118.730 A.... "C:\dirdat.txt"
20 May 2008 10:53:24 616 A.... "C:\firstrun6.log"
11 Jun 2008 13:42:44 805.306.368 A.SH. "C:\pagefile.sys"
20 May 2008 11:00:36 751 A.... "C:\RVAXO-results.log"
20 May 2008 11:00:36 4.939 A.... "C:\RVAXO-Vfind.log"


C:\WINDOWS\

11 Jun 2008 13:38:18 121 A.... "C:\WINDOWS\bdagent.INI"
9 May 2008 20:01:24 23 A.... "C:\WINDOWS\BlendSettings.ini"
11 Jun 2008 13:42:54 2.048 A.S.. "C:\WINDOWS\bootstat.dat"
13 May 2008 17:43:06 33.097 A.... "C:\WINDOWS\DIIUnin.dat"
13 May 2008 17:29:24 102.400 A.... "C:\WINDOWS\DIIUnin.exe"
13 May 2008 17:29:24 2.829 A.... "C:\WINDOWS\DIIUnin.pif"
13 May 2008 14:18:52 4.094 A.... "C:\WINDOWS\mozver.dat"
14 May 2008 4:29:42 69 A.... "C:\WINDOWS\NeroDigital.ini"
12 May 2008 15:28:34 54.156 A..H. "C:\WINDOWS\QTFont.qfn"
20 May 2008 15:09:50 227 A.... "C:\WINDOWS\system.ini"
11 Jun 2008 13:43:00 159 ..... "C:\WINDOWS\wiadebug.log"
11 Jun 2008 13:42:58 50 ..... "C:\WINDOWS\wiaservc.log"
11 Jun 2008 16:42:30 2.064.423 ..... "C:\WINDOWS\WindowsUpdate.log"

11 Jun 2008 13:42:54 0 ..... "C:\WINDOWS\Debug\PASSWD.LOG"
20 May 2008 11:45:12 705 ..... "C:\WINDOWS\inf\branches.inf"
11 Jun 2008 12:17:00 4.100 A.... "C:\WINDOWS\inf\branches.PNF"
6 Jun 2008 12:40:26 1.614 A.... "C:\WINDOWS\inf\ieaccess.inf"
6 Jun 2008 12:45:34 4.448 A.... "C:\WINDOWS\inf\ieaccess.PNF"
11 Jun 2008 12:17:04 1.386.312 A.... "C:\WINDOWS\inf\INFCACHE.1"
11 Jun 2008 12:17:00 5.232 A.... "C:\WINDOWS\inf\oem51.PNF"
11 Jun 2008 12:17:04 7.716 A.... "C:\WINDOWS\inf\oem52.PNF"
23 Apr 2008 6:16:30 124.928 A.... "C:\WINDOWS\system32\advpack.dll"
20 May 2008 11:17:14 0 A.... "C:\WINDOWS\system32\clkcnt.txt"
30 May 2008 13:30:30 43.520 A.... "C:\WINDOWS\system32\CmdLineExt03.dll"
23 Apr 2008 6:16:30 347.136 ..... "C:\WINDOWS\system32\dxtmsft.dll"
23 Apr 2008 6:16:30 214.528 ..... "C:\WINDOWS\system32\dxtrans.dll"
23 Apr 2008 6:16:30 133.120 ..... "C:\WINDOWS\system32\extmgr.dll"
11 Apr 2008 14:30:36 300.440 A.... "C:\WINDOWS\system32\FNTCACHE.DAT"
23 Apr 2008 6:16:30 63.488 A.... "C:\WINDOWS\system32\icardie.dll"
22 Apr 2008 9:39:48 70.656 ..... "C:\WINDOWS\system32\ie4uinit.exe"
23 Apr 2008 6:16:30 153.088 ..... "C:\WINDOWS\system32\ieakeng.dll"
23 Apr 2008 6:16:30 230.400 ..... "C:\WINDOWS\system32\ieaksie.dll"
20 Apr 2008 7:07:52 161.792 ..... "C:\WINDOWS\system32\ieakui.dll"
23 Apr 2008 6:16:30 383.488 A.... "C:\WINDOWS\system32\ieapfltr.dll"
23 Apr 2008 6:16:30 384.512 ..... "C:\WINDOWS\system32\iedkcs32.dll"
23 Apr 2008 6:16:30 6.066.176 A.... "C:\WINDOWS\system32\ieframe.dll"
23 Apr 2008 6:16:30 44.544 ..... "C:\WINDOWS\system32\iernonce.dll"
23 Apr 2008 6:16:30 267.776 A.... "C:\WINDOWS\system32\iertutil.dll"
22 Apr 2008 9:39:58 13.824 A.... "C:\WINDOWS\system32\ieudinit.exe"
23 Apr 2008 6:16:30 1.831.424 ..... "C:\WINDOWS\system32\inetcpl.cpl"
23 Apr 2008 6:16:30 27.648 ..... "C:\WINDOWS\system32\jsproxy.dll"
6 Jun 2008 12:37:16 24.080 A.... "C:\WINDOWS\system32\lvcoinst.log"
30 May 2008 1:35:12 17.486.968 A.... "C:\WINDOWS\system32\MRT.exe"
20 May 2008 12:03:36 197 A.... "C:\WINDOWS\system32\MRT.INI"
23 Apr 2008 6:16:30 459.264 A.... "C:\WINDOWS\system32\msfeeds.dll"
23 Apr 2008 6:16:30 52.224 A.... "C:\WINDOWS\system32\msfeedsbs.dll"
23 Apr 2008 22:16:32 3.591.680 A.... "C:\WINDOWS\system32\mshtml.dll"
23 Apr 2008 6:16:32 478.208 ..... "C:\WINDOWS\system32\mshtmled.dll"
23 Apr 2008 6:16:32 193.024 ..... "C:\WINDOWS\system32\msrating.dll"
23 Apr 2008 6:16:32 671.232 ..... "C:\WINDOWS\system32\mstime.dll"
11 Jun 2008 13:43:16 43.573 A.... "C:\WINDOWS\system32\nvapps.xml"
23 Apr 2008 6:16:32 102.912 ..... "C:\WINDOWS\system32\occache.dll"
11 Jun 2008 13:47:02 49.174 A.... "C:\WINDOWS\system32\perfc007.dat"
11 Jun 2008 13:47:02 40.836 A.... "C:\WINDOWS\system32\perfc009.dat"
11 Jun 2008 13:47:02 320.094 A.... "C:\WINDOWS\system32\perfh007.dat"
11 Jun 2008 13:47:02 314.508 A.... "C:\WINDOWS\system32\perfh009.dat"
11 Jun 2008 13:47:02 732.342 A.... "C:\WINDOWS\system32\PerfStringBackup.INI"
23 Apr 2008 6:16:32 44.544 ..... "C:\WINDOWS\system32\pngfilt.dll"
7 May 2008 7:14:46 1.293.312 A.... "C:\WINDOWS\system32\quartz.dll"
20 May 2008 6:42:52 824.759 A.... "C:\WINDOWS\system32\RVAXO.bat"
13 May 2008 17:42:04 12.067 A.... "C:\WINDOWS\system32\SIntf16.dll"
13 May 2008 17:42:04 17.212 A.... "C:\WINDOWS\system32\SIntf32.dll"
13 May 2008 17:42:04 21.840 A.... "C:\WINDOWS\system32\SIntfNT.dll"
23 Apr 2008 6:16:32 105.984 A.... "C:\WINDOWS\system32\url.dll"
23 Apr 2008 6:16:32 1.159.680 A.... "C:\WINDOWS\system32\urlmon.dll"
23 Apr 2008 6:16:32 233.472 A.... "C:\WINDOWS\system32\webcheck.dll"
23 Apr 2008 6:16:32 826.368 A.... "C:\WINDOWS\system32\wininet.dll"
11 Jun 2008 13:43:20 13.646 A.... "C:\WINDOWS\system32\wpa.dbl"
14 May 2008 20:25:04 276 A.... "C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
15 May 2008 15:45:12 248 A.... "C:\WINDOWS\Tasks\Auf Updates für Windows Live Toolbar prüfen.job"
20 May 2008 10:42:36 6 A..H. "C:\WINDOWS\Tasks\SA.DAT"
11 Jun 2008 12:31:14 70.514 A.... "C:\WINDOWS\TEMP\bda52.tmp"
11 Jun 2008 13:36:14 214 A.... "C:\WINDOWS\TEMP\kds.xml"
11 Jun 2008 13:43:12 20.408 A.... "C:\WINDOWS\TEMP\LVCOMSX.LOG"
11 Jun 2008 17:27:42 77.936 A.... "C:\WINDOWS\TEMP\scs5F.tmp"
11 Jun 2008 12:20:30 7.276 A.... "C:\WINDOWS\TEMP\updateop.xml"
11 Jun 2008 13:43:04 255 A.... "C:\WINDOWS\TEMP\WGAErrLog.txt"
11 Jun 2008 13:43:22 409 A.... "C:\WINDOWS\TEMP\WGANotify.settings"

13 May 2008 2:00:52 6.129 A.... "C:\WINDOWS\Downloaded Installations\{E2075F98-0309-4564-B904-0115BE537CB5}\0x0409.ini"
13 May 2008 2:00:52 2.059 A.... "C:\WINDOWS\Downloaded Installations\{E2075F98-0309-4564-B904-0115BE537CB5}\Setup.INI"
13 May 2008 2:00:52 128.625 A.... "C:\WINDOWS\Downloaded Installations\{E2075F98-0309-4564-B904-0115BE537CB5}\setup.isn"
13 May 2008 2:01:00 14.475.264 A.... "C:\WINDOWS\Downloaded Installations\{E2075F98-0309-4564-B904-0115BE537CB5}\veoh.msi"
14 Apr 2008 17:51:00 273.024 ..... "C:\WINDOWS\Driver Cache\i386\bthport.sys"
6 Jun 2008 12:40:26 357.007 A.... "C:\WINDOWS\ie7\spuninst\spuninst.inf"
6 Jun 2008 12:39:28 9.543 A.... "C:\WINDOWS\ie7\spuninst\spuninst.txt"
6 Jun 2008 12:44:56 8.192 A.... "C:\WINDOWS\ie7updates\KB944533-IE7\reg00002"
6 Jun 2008 12:44:56 8.192 A....
23 Apr 2008 6:16:30 124.928 ..... "C:\WINDOWS\system32\dllcache\advpack.dll"
14 Apr 2008 17:51:00 273.024 ..... "C:\WINDOWS\system32\dllcache\bthport.sys"
23 Apr 2008 6:16:30 347.136 ..... "C:\WINDOWS\system32\dllcache\dxtmsft.dll"
23 Apr 2008 6:16:30 214.528 ..... "C:\WINDOWS\system32\dllcache\dxtrans.dll"
23 Apr 2008 6:16:30 133.120 ..... "C:\WINDOWS\system32\dllcache\extmgr.dll"
23 Apr 2008 6:16:30 63.488 ..... "C:\WINDOWS\system32\dllcache\icardie.dll"
22 Apr 2008 9:39:48 70.656 ..... "C:\WINDOWS\system32\dllcache\ie4uinit.exe"
23 Apr 2008 6:16:30 153.088 ..... "C:\WINDOWS\system32\dllcache\ieakeng.dll"
23 Apr 2008 6:16:30 230.400 ..... "C:\WINDOWS\system32\dllcache\ieaksie.dll"
20 Apr 2008 7:07:52 161.792 ..... "C:\WINDOWS\system32\dllcache\ieakui.dll"
23 Apr 2008 6:16:30 383.488 ..... "C:\WINDOWS\system32\dllcache\ieapfltr.dll"
23 Apr 2008 6:16:30 384.512 ..... "C:\WINDOWS\system32\dllcache\iedkcs32.dll"
23 Apr 2008 6:16:30 6.066.176 ..... "C:\WINDOWS\system32\dllcache\ieframe.dll"
23 Apr 2008 6:16:30 44.544 ..... "C:\WINDOWS\system32\dllcache\iernonce.dll"
23 Apr 2008 6:16:30 267.776 ..... "C:\WINDOWS\system32\dllcache\iertutil.dll"
22 Apr 2008 9:39:58 13.824 ..... "C:\WINDOWS\system32\dllcache\ieudinit.exe"
22 Apr 2008 9:40:20 625.664 ..... "C:\WINDOWS\system32\dllcache\iexplore.exe"
23 Apr 2008 6:16:30 1.831.424 ..... "C:\WINDOWS\system32\dllcache\inetcpl.cpl"
23 Apr 2008 6:16:30 27.648 ..... "C:\WINDOWS\system32\dllcache\jsproxy.dll"
23 Apr 2008 6:16:30 459.264 ..... "C:\WINDOWS\system32\dllcache\msfeeds.dll"
23 Apr 2008 6:16:30 52.224 ..... "C:\WINDOWS\system32\dllcache\msfeedsbs.dll"
23 Apr 2008 22:16:32 3.591.680 ..... "C:\WINDOWS\system32\dllcache\mshtml.dll"
23 Apr 2008 6:16:32 478.208 ..... "C:\WINDOWS\system32\dllcache\mshtmled.dll"
23 Apr 2008 6:16:32 193.024 ..... "C:\WINDOWS\system32\dllcache\msrating.dll"
23 Apr 2008 6:16:32 671.232 ..... "C:\WINDOWS\system32\dllcache\mstime.dll"
23 Apr 2008 6:16:32 102.912 ..... "C:\WINDOWS\system32\dllcache\occache.dll"
23 Apr 2008 6:16:32 44.544 ..... "C:\WINDOWS\system32\dllcache\pngfilt.dll"
7 May 2008 7:14:46 1.293.312 A.... "C:\WINDOWS\system32\dllcache\quartz.dll"
8 May 2008 14:28:50 202.752 A.... "C:\WINDOWS\system32\dllcache\rmcast.sys"
23 Apr 2008 6:16:32 105.984 ..... "C:\WINDOWS\system32\dllcache\url.dll"
23 Apr 2008 6:16:32 1.159.680 ..... "C:\WINDOWS\system32\dllcache\urlmon.dll"
23 Apr 2008 6:16:32 233.472 ..... "C:\WINDOWS\system32\dllcache\webcheck.dll"
23 Apr 2008 6:16:32 826.368 ..... "C:\WINDOWS\system32\dllcache\wininet.dll"
14 Apr 2008 17:51:00 273.024 ..... "C:\WINDOWS\system32\drivers\bthport.sys"
5 May 2008 20:46:32 15.864 A.... "C:\WINDOWS\system32\drivers\mbam.sys"
5 May 2008 20:46:36 27.048 A.... "C:\WINDOWS\system32\drivers\mbamcatchme.sys"
8 May 2008 14:28:50 202.752 A.... "C:\WINDOWS\system32\drivers\rmcast.sys"
20 May 2008 18:31:52 78 A.... "C:\WINDOWS\system32\Restore\MachineGuid.txt"
3 Jun 2008 17:49:58 3.338 A.... "C:\WINDOWS\system32\wbem\Outlook_01c8c591788c1dbc.mof"
11 Jun 2008 13:05:54 0 A.... "C:\WINDOWS\TEMP\tmp0000670e\tmp00000000"
11 Jun 2008 12:56:00 0 A.... "C:\WINDOWS\TEMP\tmp00005f7e\tmp00000000"
11 Jun 2008 12:23:40 0 A.... "C:\WINDOWS\TEMP\tmp000046bb\tmp00000000"
11 Jun 2008 12:19:46 0 A.... "C:\WINDOWS\TEMP\tmp000043c2\tmp00000000"
11 Jun 2008 12:32:42 0 A.... "C:\WINDOWS\TEMP\tmp00004dac\tmp00000000"
11 Jun 2008 12:40:18 0 A.... "C:\WINDOWS\TEMP\tmp00005376\tmp00000000"
24 Apr 2008 6:40:54 871 A.... "C:\WINDOWS\$hf_mig$\KB950760\update\branches.inf"
24 Apr 2008 10:11:48 10.439 A.... "C:\WINDOWS\$hf_mig$\KB950760\update\KB950760.CAT"
24 Apr 2008 13:53:14 18 A.... "C:\WINDOWS\$hf_mig$\KB950760\update\update.ver"
24 Apr 2008 6:40:54 496 A.... "C:\WINDOWS\$hf_mig$\KB950760\update\updatebr.inf"
24 Apr 2008 9:47:20 26.887 A.... "C:\WINDOWS\$hf_mig$\KB950760\update\update_SP3QFE.inf"
8 May 2008 14:14:52 203.008 A.... "C:\WINDOWS\$hf_mig$\KB950762\SP2QFE\rmcast.sys"
8 May 2008 16:02:52 203.136 A.... "C:\WINDOWS\$hf_mig$\KB950762\SP3GDR\rmcast.sys"
8 May 2008 15:58:18 203.136 A.... "C:\WINDOWS\$hf_mig$\KB950762\SP3QFE\rmcast.sys"
8 May 2008 22:07:20 926 A.... "C:\WINDOWS\$hf_mig$\KB950762\update\branches.inf"
8 May 2008 23:25:26 12.431 A.... "C:\WINDOWS\$hf_mig$\KB950762\update\KB950762.CAT"
9 May 2008 0:12:28 386 A.... "C:\WINDOWS\$hf_mig$\KB950762\update\update.ver"
15 Apr 2008 18:25:40 678 A.... "C:\WINDOWS\$hf_mig$\KB950762\update\updatebr.inf"
8 May 2008 23:27:36 23.978 A.... "C:\WINDOWS\$hf_mig$\KB950762\update\update_SP2QFE.inf"
8 May 2008 23:48:58 26.289 A.... "C:\WINDOWS\$hf_mig$\KB950762\update\update_SP3GDR.inf"
8 May 2008 23:26:08 26.289 A.... "C:\WINDOWS\$hf_mig$\KB950762\update\update_SP3QFE.inf"
"C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB950760.cat"
8 May 2008 23:25:26 12.431 ..S.. "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB950762.cat"
20 May 2008 14:57:20 32.215 ..S.. "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB950759-IE7.cat"
14 Apr 2008 18:54:08 12.431 ..S.. "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB951376.cat"
7 May 2008 8:02:50 12.431 ..S.. "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB951698.cat"
11 Jun 2008 12:17:04 8 A.... "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TimeStamp"
20 May 2008 15:09:40 27 A.... "C:\WINDOWS\system32\drivers\etc\hosts"
13 May 2008 15:49:06 149.398 A.... "C:\WINDOWS\system32\wbem\AutoRecover\6206B6CE9414EC69B957659CDA0CB60B.mof"


C:\Programme\

11 Jun 2008 14:01:40 168.310 A.... "C:\Programme\AntiVir PersonalEdition Classic\aecore.dll"

20 May 2008 10:22:42 111.005 A.... "C:\Programme\CCleaner\uninst.exe"

22 Apr 2008 9:40:20 625.664 ..... "C:\Programme\Internet Explorer\iexplore.exe"
11 Jun 2008 16:50:28 52 A.... "C:\Programme\Lescos\LWT.dat"
5 May 2008 20:46:30 65.144 A.... "C:\Programme\Malwarebytes' Anti-Malware\mbam.dll"

9 May 2008 16:57:10 4.113.688 A.... "C:\Programme\PokerStars\PokerStars.exe"
9 May 2008 16:57:12 578.448 A.... "C:\Programme\PokerStars\PokerStarsCommunicate.exe"
9 May 2008 16:57:12 294.912 A.... "C:\Programme\PokerStars\PokerStarsUninstall.exe"
9 May 2008 16:57:12 435.088 A.... "C:\Programme\PokerStars\PokerStarsUpdate.exe"
9 May 2008 16:57:14 36.864 A.... "C:\Programme\PokerStars\Stub.exe"
9 May 2008 16:57:16 191 A.... "C:\Programme\PokerStars\tinfo.dat"
9 May 2008 16:57:14 172.032 A.... "C:\Programme\PokerStars\Tracer.exe"
9 May 2008 16:57:38 163 A.... "C:\Programme\PokerStars\_update2rare.dat"
9 May 2008 16:57:38 431 A.... "C:\Programme\PokerStars\_update2s.dat"
9 May 2008 16:57:38 74 A.... "C:\Programme\PokerStars\_update2def.dat"
9 May 2008 16:57:38 31.350 A.... "C:\Programme\PokerStars\_update2g.dat"
9 May 2008 16:57:38 28.746 A.... "C:\Programme\PokerStars\_update2gcd.dat"
9 May 2008 16:57:38 934 A.... "C:\Programme\PokerStars\_update2ni.dat"
11 May 2008 16:20:52 77.371 A.... "C:\Programme\PokerStars\_updcache.dat"
11 Jun 2008 16:49:08 2.245.040 A.... "C:\Programme\Warcraft III\bncache.dat"
11 Jun 2008 16:49:54 5 A.... "C:\Programme\WC3Banlist\autokick.dat"
11 Jun 2008 16:49:54 5 A.... "C:\Programme\WC3Banlist\comments.dat"
11 Jun 2008 16:49:54 338 A.... "C:\Programme\WC3Banlist\phrases.dat"
11 Jun 2008 16:49:38 3.364 A.... "C:\Programme\WC3Banlist\pinfo.dat"
11 Jun 2008 16:49:54 126 A.... "C:\Programme\WC3Banlist\serverlists.dat"
3 Jun 2008 2:54:54 103.780 A.... "C:\Programme\WinPcap\Uninstall.exe"

13 May 2008 2:03:30 1.991.481 A.... "C:\Programme\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\ISSetup.dll"
13 May 2008 2:01:40 294.912 A.... "C:\Programme\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe"
28 Apr 2008 10:01:30 3.612.656 A.... "C:\Programme\Microsoft Office\OFFICE11\OUTLFLTR.DAT"
11 Apr 2008 19:42:58 12.313.096 A.... "C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE"
18 Apr 2008 12:14:56 67.696 A.... "C:\Programme\Mozilla Firefox\components\jar50.dll"
18 Apr 2008 12:14:56 54.376 A.... "C:\Programme\Mozilla Firefox\components\jsd3250.dll"
18 Apr 2008 12:14:56 34.952 A.... "C:\Programme\Mozilla Firefox\components\myspell.dll"
18 Apr 2008 12:14:56 46.720 A.... "C:\Programme\Mozilla Firefox\components\spellchk.dll"
18 Apr 2008 12:14:56 172.144 A.... "C:\Programme\Mozilla Firefox\components\xpinstal.dll"
18 Apr 2008 12:15:02 22.664 A.... "C:\Programme\Mozilla Firefox\plugins\npnul32.dll"
18 Apr 2008 12:15:04 451.928 A.... "C:\Programme\Mozilla Firefox\uninstall\helper.exe"
9 May 2008 16:57:38 163 A.... "C:\Programme\PokerStars\update\_update2rare.dat"
9 May 2008 16:57:38 431 A.... "C:\Programme\PokerStars\update\_update2s.dat"
11 May 2008 16:20:50 3.727 A.... "C:\Programme\PokerStars\update\_update2.dat"
9 May 2008 16:57:38 74 A.... "C:\Programme\PokerStars\update\_update2def.dat"
9 May 2008 16:57:38 31.350 A.... "C:\Programme\PokerStars\update\_update2g.dat"
9 May 2008 16:57:38 28.746 A.... "C:\Programme\PokerStars\update\_update2gcd.dat"
9 May 2008 16:57:38 934 A.... "C:\Programme\PokerStars\update\_update2ni.dat"

Files with hidden attributes:

Sat 27 Jan 2007 56 ..SHR --- "C:\WINDOWS\system32\2A01FEA211.sys"
Sat 27 Jan 2007 900 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 4 Aug 2006 4,348 ..SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 11 Dec 2006 0 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\Cache\Indiv01.tmp"
Sat 22 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5738cdd16dbca4079cb3b3de6eaf620f\BIT7E5.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ccba472a05828aa2a3ee32c96c6466ca\BITAD6.tmp"


Program Folders:

C:\Programme\

Adobe
Ahead
Analog Devices
AntiVir PersonalEdition Classic
Apple Software Update
Bethesda Softworks
CCleaner
DAEMON Tools
Diablo II
DivX
D-Link
Electronic Arts
FRITZ!Box
FRITZ!DSL
Gemeinsame Dateien
Hewlett-Packard
Hi-Net Software
HP
Infogrames
InstallShield Installation Information
Internet Explorer
InterVideo
iPod
IrfanView
iTunes
Java
Konsolen
Labtec
Lavasoft
Lescos
Logitech
LucasArts
Malwarebytes' Anti-Malware
Messenger
Microsoft CAPICOM 2.1.0.2
microsoft frontpage
Microsoft Games
Microsoft Office
Microsoft Visual Studio
Microsoft Works
Microsoft.NET
Movie Maker
Mozilla Firefox
MSN
MSN Gaming Zone
neoSoftware
Nero
NetMeeting
NEXON
Ocean Technology
Online Services
Online-Dienste
Outlook Express
PartyGaming
Philips Flat Panel Adjust
PhotoFiltre
PokerStars
QuickDic
QuickTime
Teamspeak2_RC2
Ubisoft
Uninstall Information
Warcraft III
WC3Banlist
Windows Live
Windows Live Favorites
Windows Live Safety Center
Windows Live Toolbar
Windows Media Connect 2
Windows Media Player
Windows NT
WindowsUpdate
WinPcap
WinRAR
xerox
XP Codec Pack

C:\Programme\Gemeinsame Dateien\

Adobe
Ahead
AVM
BitDefender
DESIGNER
Dienste
HP
InstallShield
Java
LogiShrd
Logitech
MAGIX Shared
Microsoft Shared
MSSoap
NSV
ODBC
Real
SpeechEngines
System
WindowsLiveInstaller


Add/Remove Programs:

Ad-Aware SE Personal
Adobe Flash Player Plugin
Avira AntiVir Personal – Free Antivirus
FRITZ!Box
CCleaner (remove only)
Der Clou!2
Diablo II
DEUTSCHLAND SPIELT GAME CENTER
AVM FRITZ!DSL
Frontschweine
HP Imaging Device Functions 5.0
HP Solution Center & Imaging Support Tools 5.0
HP Extended Capabilities 5.0
Icy Tower v1.3.1
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
VeohTV BETA
Age of Empires III
Far Cry
IrfanView (remove only)
Kaspersky Online Scanner

Labtec Desktop V5.1
Logitech Legacy USB Camera-Treiberpaket
Logitech QuickCam-Treiberpaket
Macromedia Shockwave Player
MAGIX Online Druck Service (D)
Malwarebytes' Anti-Malware
Mozilla Firefox (2.0.0.14)
Microsoft Compression Client Pack 1.0 for Windows XP
MSN
Microsoft National Language Support Downlevel APIs
NVIDIA Drivers
Oblivion
Oblivion User Patch
Oblivion User Patch
Oblivion User Patch
Oblivion-Schilder-Mod-v0.5
Oblivion User Patch v0.10.5
PhotoFiltre
PokerStars
Adobe Flash Player 9 ActiveX
TeamSpeak 2 RC2
Windows Genuine Advantage Validation Tool
Windows Genuine Advantage Notifications (KB905474)
Winamp Toolbar for Internet Explorer
Windows Live OneCare safety scanner
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Player 11
WinPcap 4.0.2
WinRAR Archivierer
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
XP Codec Pack
ZoneAlarm
MSXML4 Parser
Destinations
Windows Live Toolbar
Security Update for CAPICOM (KB931906)
HP Software Update
Windows Live Toolbar-Erweiterung (Windows Live Toolbar)
Philips Flat Panel Adjust
Die Schlacht um Mittelerde™ II
Windows Live Messenger
Smart Menus (Windows Live Toolbar)
TrayApp
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 10
Java(TM) 6 Update 3
Browsen mit Registerkarten (Windows Live Toolbar)
MVision
Oblivion
MSXML 4.0 SP2 (KB927978)
HP Deskjet 3900 series
OneCare Advisor (Windows Live Toolbar)
Star Wars Battlefront II
HPDeskjet3900Series
iTunes
QuickTime
WebReg
MarketResearch
DeviceFunctionQFolder
eSupportQFolder
CustomerResearchQFolder
Popupblocker (Windows Live Toolbar)
Windows Live Favorites für Windows Live Toolbar
Windows Live installer
Text-To-Speech-Runtime
Nero 7 Essentials
SpeechRedist
GG E-Sports Platform
Microsoft Silverlight
Microsoft Office Professional Edition 2003
Logitech QuickCam
Project64 1.6
InterVideo WinDVD 4
D-Link AirPlus G+ Wireless Adapter Utility
Microsoft Visual C++ 2005 Redistributable
Nero - Burning Rom
Apple Software Update
Age of Empires III
DeviceManagementQFolder
Adobe Reader 7.0.8 - Deutsch
Windows Live Anmelde-Assistent
BufferChm
Logitech Audio Echo Cancellation Component
MSXML 4.0 SP2 (KB936181)
Microsoft XML Parser
EuropeMapleStory
Far Cry
Altiris Philips SmartManage Agent
HPProductAssistant
SolutionCenter
Logitech Video Enumerator
Feederkennung (Windows Live Toolbar)
Windows Live Outlook-Toolbar (Windows Live Toolbar)
SoundMAX
WC3Banlist
Status
HP Image Zone Express
Sun Java Runtime Environment and JMF
Warcraft III: All Products


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Smapp"="C:\\Programme\\Analog Devices\\SoundMAX\\SMTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Programme\\Ahead\\InCD\\InCD.exe"
"HP Software Update"="C:\\Programme\\HP\\HP Software Update\\HPWuSchd2.exe"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Programme\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"LogitechCommunicationsManager"="\"C:\\Programme\\Gemeinsame Dateien\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"LogitechQuickCamRibbon"="\"C:\\Programme\\Logitech\\QuickCam\\Quickcam.exe\" /hide"
"NeroFilterCheck"="C:\\Programme\\Gemeinsame Dateien\\Ahead\\Lib\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"


Bot Check:

SERVICE_NAME: wscsvc
DISPLAY_NAME : Sicherheitscenter
START_TYPE : 2 AUTO_START

SERVICE_NAME: sharedaccess
DISPLAY_NAME : Windows-Firewall/Gemeinsame Nutzung der Internetverbindung
START_TYPE : 2 AUTO_START

SERVICE_NAME: wuauserv
DISPLAY_NAME : Automatische Updates
START_TYPE : 2 AUTO_START

SERVICE_NAME: srservice
DISPLAY_NAME : Systemwiederherstellungsdienst
START_TYPE : 2 AUTO_START

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"WaitToKillServiceTimeout"="20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"


ShellExecuteHooks:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Programme\QuickTime\QTSystem
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
CLASSPATH REG_SZ .;C:\Programme\Java\jre1.5.0_10\lib\ext\QTJava.zip
QTJAVA REG_SZ C:\Programme\Java\jre1.5.0_10\lib\ext\QTJava.zip

SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0


Subsystem Startup:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"


Midi Drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"
"midi1"="wdmaud.drv"
"MIDI2"="SYNCOR11.DLL"
"midi3"="wdmaud.drv"
"midi4"="wdmaud.drv"
"midi5"="wdmaud.drv"


Non-Default IFEO Debugger:


Non-Default Installed Components:


Non-Default Safeboot Minimal:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\bfi02.sys
<NO NAME> REG_SZ Driver



File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Programme\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!
__________
Regards, Mangekyou
11.06.2008, 22:55
Honorary member
Avatar Sabina

Posts: 29434
#27 I was already thinking I wouldn't find anything more... but at the end a rootkit was visible after all

http://virus-protect.org/artikel/tools/regsearch.html
and double-click to start it.
Into the "Enter search strings" edit field (type or paste it in):

bfi02

and click "Ok".
Notepad will open -- copy the text and post it.
__________
Regards, Sabina

all about PC security
12.06.2008, 00:58
Member

Thread starter
Avatar Mangekyou

Posts: 19
#28 So, I hope you're gradually running out of things to find ;)

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 12.06.2008 00:56:29 for strings:
; 'bfi02'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Bfi02.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Bfi02.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bfi02]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bfi02]
"ImagePath"="System32\\Drivers\\Bfi02.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bfi02\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Bfi02.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Bfi02.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Bfi02]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Bfi02]
"ImagePath"="System32\\Drivers\\Bfi02.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Bfi02\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bfi02.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Bfi02.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bfi02]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bfi02]
"ImagePath"="System32\\Drivers\\Bfi02.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bfi02\Security]

; End Of The Log...
__________
Regards, Mangekyou
12.06.2008, 01:07
Honorary member
Avatar Sabina

Posts: 29434
#29 first check whether the .sys is still there:

Virustotal http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\drivers\Bfi02.sys

Click "Browse" --> select the file (or paste the file with the correct path directly with Ctrl+V) --> click the file to be checked and "Open" --> click "Send file"... now wait - then select the text with the right mouse button -> copy
__________
Regards, Sabina

all about PC security
12.06.2008, 01:10
Honorary member
Avatar Sabina

Posts: 29434
#30 then get rid of the tick ...

Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste into the white field:

Quote

Drivers to disable:
Bfi02
Drivers to delete:
Bfi02
Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Bfi02.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Bfi02.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bfi02
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Bfi02.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Bfi02.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Bfi02
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bfi02.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Bfi02.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bfi02
Files to delete:
C:\WINDOWS\system32\drivers\Bfi02.sys

close all open programs (because after running Avenger the computer will restart)

Click: Execute

confirm that the computer will be restarted - click "yes"
__________
Regards, Sabina

all about PC security
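As an added example (not a tool from the thread or from virus-protect.org), a small Python parser for the Registry Search output posted in #28: it groups the Bfi02 service key and its SafeBoot Minimal/Network whitelist entries per ControlSet, recovers the driver's ImagePath, and derives the complete list of registry keys a removal has to cover, which is the list to check the Avenger script in #30 against. The sample log is copied from post #28 (comment lines trimmed); the function names and the DriverPersistence class are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Registry Search output from post #28, keys and
# ImagePath value exactly as posted, comment lines trimmed.
SAMPLE_LOG = r"""Windows Registry Editor Version 5.00
; Results for strings: 'bfi02'
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Bfi02.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Bfi02.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bfi02]
"ImagePath"="System32\\Drivers\\Bfi02.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bfi02\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Bfi02.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Bfi02.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Bfi02]
"ImagePath"="System32\\Drivers\\Bfi02.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Bfi02\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bfi02.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Bfi02.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bfi02]
"ImagePath"="System32\\Drivers\\Bfi02.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bfi02\Security]
; End Of The Log...
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
CS = r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\"
SAFEBOOT_RE = re.compile(CS + r"Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$", re.I)
SERVICE_RE = re.compile(CS + r"Services\\([^\\]+)$", re.I)


def parse_reg_log(text):
    """{key_path: {value_name: data}} from a .reg-style export; '\\\\' is unescaped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # comments and blank lines
            continue
        if m := KEY_RE.match(line):
            current = m.group(1)
            entries.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


@dataclass
class DriverPersistence:
    name: str                                    # service name as registered
    image_path: str = ""
    control_sets: set = field(default_factory=set)
    safeboot: set = field(default_factory=set)   # (control_set, mode, entry)
    services: set = field(default_factory=set)   # (control_set, service)


def find_driver_persistence(entries):
    """Group Services\\<name> keys and SafeBoot whitelist entries per driver.
    A SafeBoot\\Minimal entry means the driver also loads in Safe Mode, which
    is why the thread treats Bfi02 as rootkit-style persistence."""
    found = {}
    for key, values in entries.items():
        if m := SAFEBOOT_RE.match(key):
            cs, mode, entry = m.groups()
            name = re.sub(r"\.sys$", "", entry, flags=re.I)
            d = found.setdefault(name.lower(), DriverPersistence(name))
            d.control_sets.add(cs)
            d.safeboot.add((cs, mode, entry))
        elif m := SERVICE_RE.match(key):          # not Services\<name>\Security
            cs, svc = m.groups()
            d = found.setdefault(svc.lower(), DriverPersistence(svc))
            d.control_sets.add(cs)
            d.services.add((cs, svc))
            d.image_path = values.get("ImagePath", d.image_path)
    return found


def cleanup_keys(driver):
    """Every registry key a removal must cover (CurrentControlSet aliases one
    of the numbered sets, so its keys appear alongside the numbered ones)."""
    keys = ["\\".join(("HKEY_LOCAL_MACHINE", "SYSTEM", cs, "Control", "SafeBoot", mode, entry))
            for cs, mode, entry in driver.safeboot]
    keys += ["\\".join(("HKEY_LOCAL_MACHINE", "SYSTEM", cs, "Services", svc))
             for cs, svc in driver.services]
    return sorted(keys)
```

Run `cleanup_keys` over the parsed log and diff the result against the "Registry keys to delete" block of a removal script; for the #28 log it yields the nine keys that the Avenger list in #30 names.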