ASC Antispy, hartnäckig und hinterhältig? |
||
---|---|---|
#0
| ||
27.06.2008, 00:23
...neu hier
Beiträge: 3 |
||
|
||
27.06.2008, 00:46
Ehrenmitglied
Beiträge: 29434 |
#2
Hallo, hoddel
wende systemscan an + poste den report http://virus-protect.org/artikel/tools/systemscan.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
27.06.2008, 11:37
...neu hier
Themenstarter Beiträge: 3 |
#3
Ich habe jetzt einen neuen Benutzer (Maikes) erstellt (Abgesicherter Modus) Und ihn nach Neustart aktiviert. Hier habe ich die Rechte wieder. Aber eben nur in diesem Konto.
Hier die Daten: SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn) Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1) System directory: C:\WINDOWS SystemScan file: C:\Dokumente und Einstellungen\Maikes\Desktop\sys77280.exe Running in: User mode Date: 27.06.2008 Time: 11:14:04 Output limited to: -PC accounts -Recent files -Duplicates in BAK folders -Registry Run Keys -Autoplay settings (autorun.inf) -Scheduled jobs -Services and Drivers (all) -Svchost.exe instances -Loaded Dlls -Alternate Data Sreams -Encrypted Files -Hidden objects -Master Boot Record -Network settings -Include HOSTS file -Suspicious Files -Installed Applications ===================== ACCOUNTS ON THIS PC ===================== Users on this computer: Is Admin? | Username ------------------ Yes | Administrator | Gast | Hilfeassistent (Disabled) Yes | Maikes Yes | Simon | SUPPORT_388945a0 (Disabled) ### users folders ### startup files in users folders ===================== RECENT FILES ===================== Showing files newer than 60 days ----- recent files in C:\ 18.06.2008 21:50:23 188 byte 9 days old -- LxDasi.Log 26.06.2008 18:57:11 211 byte 1 days old -- boot.ini 26.06.2008 19:56:31 19153264 byte 1 days old -- aaw2008_10.exe 26.06.2008 22:25:38 (DIR) 0 byte 1 days old -- WINDOWS 26.06.2008 22:28:19 (DIR) 0 byte 1 days old -- Programme 27.06.2008 00:10:35 (DIR) 0 byte 0 days old -- System Volume Information 27.06.2008 09:39:06 (DIR) 0 byte 0 days old -- RECYCLER 27.06.2008 09:41:59 (DIR) 0 byte 0 days old -- Dokumente und Einstellungen 27.06.2008 11:01:09 176160768 byte 0 days old -- pagefile.sys ----- recent files in C:\WINDOWS\ 27.05.2008 19:16:36 2890 byte 31 days old -- mozver.dat 18.06.2008 20:02:20 35 byte 9 days old -- tdf.dii 18.06.2008 20:02:20 253 byte 9 days old -- tm.ini 18.06.2008 21:50:24 373 byte 9 days old -- LXfoIn54.INI 24.06.2008 18:51:32 180224 byte 3 days old -- qegbdmwf.dll 24.06.2008 18:51:32 233472 byte 3 days old -- pntqkflv.dll 24.06.2008 18:51:34 245760 byte 3 days old -- gfetqaxstmk.dll 24.06.2008 18:51:34 155648 byte 3 days old -- gxvpsafm.dll 26.06.2008 18:46:25 (DIR) 0 byte 1 days old -- Registration 26.06.2008 18:57:08 (DIR) 0 byte 1 days old -- pss 26.06.2008 18:57:11 573 byte 1 days old -- win.ini 26.06.2008 18:57:11 227 byte 1 days old -- system.ini 26.06.2008 20:23:34 (DIR) 0 byte 1 days old -- system32 26.06.2008 22:22:03 263737 byte 1 days old -- setupapi.log 27.06.2008 09:38:17 519190 byte 0 days old -- ntbtlog.txt 27.06.2008 09:44:50 97507 byte 0 days old -- WindowsUpdate.log 27.06.2008 11:01:18 2048 byte 0 days old -- bootstat.dat 27.06.2008 11:01:36 0 byte 0 days old -- 0.log 27.06.2008 11:02:42 (DIR) 0 byte 0 days old -- Temp 27.06.2008 11:03:38 1519 byte 0 days old -- OEWABLog.txt 27.06.2008 11:03:38 2109 byte 0 days old -- wmsetup.log 27.06.2008 11:03:49 (DIR) 0 byte 0 days old -- Installer 27.06.2008 11:05:04 159 byte 0 days old -- wiadebug.log 27.06.2008 11:05:04 0 byte 0 days old -- wiaservc.log ----- recent files in C:\WINDOWS\Downloaded Program Files\ ----- recent files in C:\WINDOWS\system\ ----- recent files in C:\WINDOWS\system32\ 16.05.2008 11:58:04 12632 byte 42 days old -- lsdelete.exe 24.06.2008 20:22:41 19456 byte 3 days old -- opus16.dll 24.06.2008 20:23:22 19456 byte 3 days old -- nada32.dll 24.06.2008 20:24:52 28288 byte 3 days old -- khfCuULC.dll 25.06.2008 18:14:28 321920 byte 2 days old -- hgGwVNeb.dll 25.06.2008 18:18:15 0 byte 2 days old -- clkcnt.txt 26.06.2008 18:46:27 (DIR) 0 byte 1 days old -- wbem 26.06.2008 18:46:50 (DIR) 0 byte 1 days old -- config 26.06.2008 19:44:32 (DIR) 0 byte 1 days old -- dllcache 26.06.2008 20:23:35 (DIR) 0 byte 1 days old -- drivers 26.06.2008 23:00:13 2422 byte 1 days old -- wpa.dbl 26.06.2008 23:44:54 (DIR) 0 byte 1 days old -- CatRoot2 27.06.2008 00:10:35 (DIR) 0 byte 0 days old -- Restore 27.06.2008 11:11:17 2341 byte 0 days old -- beNVwGgh.ini2 27.06.2008 11:12:54 2341 byte 0 days old -- beNVwGgh.ini ----- recent files in C:\WINDOWS\system32\drivers\ 29.04.2008 11:19:50 12960 byte 59 days old -- Awrtpd.sys 29.04.2008 11:19:54 15648 byte 59 days old -- Awrtrd.sys 29.04.2008 11:20:00 15648 byte 59 days old -- NSDriver.sys 20.05.2008 21:50:05 21248 byte 38 days old -- ssmdrv.sys 20.05.2008 21:50:05 79424 byte 38 days old -- avipbb.sys ----- recent files in C:\WINDOWS\temp\ 25.06.2008 18:26:10 (DIR) 0 byte 2 days old -- Temporary Internet Files 25.06.2008 18:26:13 (DIR) 0 byte 2 days old -- Verlauf 25.06.2008 18:26:13 (DIR) 0 byte 2 days old -- Cookies 26.06.2008 18:36:39 16384 byte 1 days old -- Perflib_Perfdata_288.dat 26.06.2008 21:51:25 512 byte 1 days old -- etilqs_gP3P8zRJMZbN3Sf-journal 26.06.2008 21:51:25 0 byte 1 days old -- etilqs_q7YfhZSvk2ygWY8 27.06.2008 08:47:44 16384 byte 0 days old -- Perflib_Perfdata_fec.dat ----- recent files in C:\Programme\ 25.06.2008 18:12:38 0 byte 2 days old -- uninstall.dat 25.06.2008 18:12:38 62910 byte 2 days old -- Uninstall.exe 26.06.2008 19:02:37 (DIR) 0 byte 1 days old -- ICQToolbar 26.06.2008 19:17:24 (DIR) 0 byte 1 days old -- Mozilla Firefox 26.06.2008 19:52:07 (DIR) 0 byte 1 days old -- Q-Dir 26.06.2008 20:23:35 (DIR) 0 byte 1 days old -- Lavasoft ----- recent files in C:\Programme\Gemeinsame Dateien\ 26.06.2008 20:00:49 (DIR) 0 byte 1 days old -- Wise Installation Wizard ----- recent files in C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten\ 27.06.2008 11:03:29 (DIR) 0 byte 0 days old -- Identities 27.06.2008 11:04:39 (DIR) 0 byte 0 days old -- Adobe 27.06.2008 11:05:20 (DIR) 0 byte 0 days old -- Lexware 27.06.2008 11:10:30 (DIR) 0 byte 0 days old -- Microsoft ----- recent files in C:\DOKUME~1\Maikes\LOKALE~1\Temp\ 27.06.2008 11:10:03 514 byte 0 days old -- jusched.log 27.06.2008 11:11:52 2 byte 0 days old -- Twain001.Mtx 27.06.2008 11:11:52 156 byte 0 days old -- Twunk001.MTX 27.06.2008 11:11:52 0 byte 0 days old -- Twunk002.MTX 27.06.2008 11:11:53 723 byte 0 days old -- TWAIN.LOG 27.06.2008 11:12:58 58 byte 0 days old -- systemscan.ini 27.06.2008 11:13:02 16384 byte 0 days old -- ~DF51C7.tmp 27.06.2008 11:14:06 (DIR) 0 byte 0 days old -- nsdC.tmp ===================== DUPLICATE FILES IN BAK FOLDERS ===================== No BAK folders found ===================== REGISTRY SCAN ===================== -----HKLM\Software\Microsoft\Windows\CurrentVersion\Run----- [Run] "Adobe Photo Downloader"="\"C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe\"" "avgnt"="\"C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe\" /min" "SunJavaUpdateSched"="\"C:\Programme\Java\jre1.6.0_02\bin\jusched.exe\"" "LexwareInfoService"="C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart" "D-Link AirPlus G"="C:\Programme\D-Link\AirPlus G\AirGCFG.exe" "ANIWZCS2Service"="C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [Run\OptionalComponents] [Run\OptionalComponents\IMAIL] "Installed"="1" [Run\OptionalComponents\MAPI] "NoChange"="1" "Installed"="1" [Run\OptionalComponents\MSFS] "Installed"="1" -----HKCU\Software\Microsoft\Windows\CurrentVersion\Run----- [Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" -----HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run----- [Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" -----HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run----- -----HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run----- -----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows----- [Windows] "AppInit_DLLs"="" -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad----- [ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" HKCR\CLSID\{704256A8-EB18-4FBB-943D-0843F08DD20A}\InprocServer32 @="C:\WINDOWS\qegbdmwf.dll" "pntqkflv"="{F33F7155-384B-404D-865C-994967DD0B12}" #### HKCR\CLSID\{F33F7155-384B-404D-865C-994967DD0B12}\InprocServer32 @="C:\WINDOWS\pntqkflv.dll" -----HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks----- [ShellExecuteHooks] #### HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572}\InprocServer32 @="C:\WINDOWS\system32\khfCuULC.dll" -----HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon----- [Winlogon] "Shell"="Explorer.exe" "System"="" "Userinit"="C:\WINDOWS\system32\userinit.exe," "VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\"" "UIHost"=expand:"logonui.exe" "LogonType"=dword:00000001 "WinStationsDisabled"="0" [Winlogon\GPExtensions] [Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}] "@="Microsoft-Datenträgerkontingent" "DllName"=expand:"dskquota.dll" [Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}] "@="Internet Explorer-Zonenzuordnung" "DllName"=expand:"iedkcs32.dll" [Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}] "DllName"=expand:"scecli.dll" "@="Security" [Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}] "DllName"=expand:"iedkcs32.dll" "@="Internet Explorer-Branding" [Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}] "DllName"=expand:"scecli.dll" "@="EFS recovery" [Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}] "@="Microsoft Offline Files" "DllName"=expand:"%SystemRoot%\System32\cscui.dll" [Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}] "@="Softwareinstallation" "DllName"=expand:"appmgmts.dll" [Winlogon\Notify] [Winlogon\Notify\crypt32chain] "DllName"=expand:"crypt32.dll" [Winlogon\Notify\cryptnet] "DllName"=expand:"cryptnet.dll" [Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" [Winlogon\Notify\khfCuULC] "DllName"="khfCuULC.dll" [Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" [Winlogon\Notify\Schedule] "DllName"=expand:"wlnotify.dll" [Winlogon\Notify\sclgntfy] "DllName"=expand:"sclgntfy.dll" [Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" [Winlogon\Notify\termsrv] "DllName"=expand:"wlnotify.dll" [Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" [Winlogon\SpecialAccounts] [Winlogon\SpecialAccounts\UserList] "Hilfeassistent"=dword:00000000 "TsInternetUser"=dword:00000000 "SQLAgentCmdExec"=dword:00000000 "NetShowServices"=dword:00000000 "HelpAssistant"=dword:00000000 "IWAM_"=dword:00010000 "IUSR_"=dword:00010000 "VUSR_"=dword:00010000 -----HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon----- [Winlogon] "ParseAutoexec"="1" "ExcludeProfileDirs"="Lokale Einstellungen;Temporary Internet Files;Verlauf;Temp" "BuildNumber"=dword:00000a28 -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options----- [Image File Execution Options\Your Image File Name Here without a path] "Debugger"="ntsd -d" -----HKLM\System\CurrentControlSet\Control\Session Manager\----- [Session Manager] "BootExecute"=multi:"autocheck autochk *\00lsdelete\00\00" [Session Manager\SubSystems] "Windows"=expand:"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16" -----HKLM\SYSTEM\CurrentControlSet\Control\WOW----- [WOW] "cmdline"=expand:"%SystemRoot%\system32\ntvdm.exe" "wowcmdline"=expand:"%SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386" -----HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run----- -----HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce----- [RunOnce] -----HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx----- [RunOnceEx] -----HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices----- -----HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce----- -----HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce----- -----HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx----- -----HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices----- -----HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run----- -----HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce----- -----HKLM\Software\Microsoft\Command Processor\Autorun----- -----HKCU\Software\Microsoft\Command Processor\Autorun----- -----HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load----- -----HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup----- -----HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon----- -----HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon----- -----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce----- -----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run----- -----HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms----- -----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce----- -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler----- [SharedTaskScheduler] -----HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects----- [Browser Helper Objects] [Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] @="" [Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}] #### HKCR\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8}\InprocServer32 @="C:\WINDOWS\system32\nada32.dll" [Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] #### HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32 @="C:\Programme\Java\jre1.6.0_02\bin\ssv.dll" "NoExplorer"=dword:00000001 [Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}] #### HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572}\InprocServer32 @="C:\WINDOWS\system32\khfCuULC.dll" [Browser Helper Objects\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}] #### HKCR\CLSID\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}\InprocServer32 @="C:\WINDOWS\gfetqaxstmk.dll" [Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] #### HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32 @="C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" [Browser Helper Objects\{D1D81E18-4363-484D-92CB-D5A8F33BF4E0}] #### HKCR\CLSID\{D1D81E18-4363-484D-92CB-D5A8F33BF4E0}\InprocServer32 @="C:\WINDOWS\system32\hgGwVNeb.dll" -----HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks----- [URLSearchHooks] "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="" #### HKCR\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InprocServer32 @=expand:"%SystemRoot%\system32\shdocvw.dll" -----HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig----- [MSConfig] [MSConfig\services] [MSConfig\startupfolder] [MSConfig\startupreg] [MSConfig\startupreg\WinSpywareProtect] "key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "item"="winspywareprotect" "hkey"="HKCU" "command"="\"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe\" /autorun" "inimapping"="0" [MSConfig\state] "system.ini"=dword:00000000 "win.ini"=dword:00000000 "bootini"=dword:00000000 "services"=dword:00000000 "startup"=dword:00000002 -----HKCU\Control Panel\Desktop\----- [Desktop] "SCRNSAVE.EXE"="C:\WINDOWS\system32\logon.scr" [Desktop\WindowMetrics] -----HKEY_CLASSES_ROOT\exefile\shell\open\command----- [command] @="\"%1\" %*" -----HKEY_CLASSES_ROOT\comfile\shell\open\command----- [command] @="\"%1\" %*" -----HKEY_CLASSES_ROOT\batfile\shell\open\command----- [command] @="\"%1\" %*" -----HKEY_CLASSES_ROOT\piffile\shell\open\command----- [command] @="\"%1\" %*" -----HKEY_CLASSES_ROOT\scrFile\shell\open\command----- [command] @="\"%1\" /S" -----HKEY_CLASSES_ROOT\htafile\shell\open\command----- [Command] @="C:\WINDOWS\system32\mshta.exe \"%1\" %*" -----HKEY_CLASSES_ROOT\logfile\shell\open\command----- -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL----- [URL] [URL\DefaultPrefix] @="http://" [URL\Prefixes] "ftp"="ftp://" "gopher"="gopher://" "home"="http://" "mosaic"="http://" "www"="http://" -----HKLM\SYSTEM\CurrentControlSet\Control\Lsa----- [Lsa] [Lsa\AccessProviders] [Lsa\AccessProviders\Windows NT Access Provider] "ProviderPath"=expand:"%SystemRoot%\system32\ntmarta.dll" [Lsa\Audit] [Lsa\Audit\PerUserAuditing] [Lsa\Audit\PerUserAuditing\System] [Lsa\Data] [Lsa\SSO] [Lsa\SSO\Passport1.4] "SSOURL"="http://www.passport.com" [Lsa\SspiCache] [Lsa\SspiCache\digest.dll] "Name"="Digest" "Comment"="Digest SSPI Authentication Package" [Lsa\SspiCache\msapsspc.dll] "Name"="DPA" "Comment"="DPA Security Package" [Lsa\SspiCache\msnsspc.dll] "Name"="MSN" "Comment"="MSN Security Package" -----HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess----- [SharedAccess] "DependOnGroup"=multi:"\00" "DependOnService"=multi:"Netman\00WinMgmt\00\00" "Description"="Bietet allen Computern in Heim- und kleinen Firmennetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz." "DisplayName"="Windows-Firewall/Gemeinsame Nutzung der Internetverbindung" "ErrorControl"=dword:00000001 "ImagePath"=expand:"%SystemRoot%\system32\svchost.exe -k netsvcs" "ObjectName"="LocalSystem" "Start"=dword:00000002 "Type"=dword:00000020 "Group"="" [SharedAccess\Epoch] "Epoch"=dword:000001b3 [SharedAccess\Parameters] "ServiceDll"=expand:"%SystemRoot%\System32\ipnathlp.dll" [SharedAccess\Parameters\FirewallPolicy] [SharedAccess\Parameters\FirewallPolicy\DomainProfile] [SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications] [SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enaxxxxx@xxxxxres.dll,-22019" [SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts] [SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP"="139:TCP:*:Enaxxxxx@xxxxxres.dll,-22004" "445:TCP"="445:TCP:*:Enaxxxxx@xxxxxres.dll,-22005" "137:UDP"="137:UDP:*:Enaxxxxx@xxxxxres.dll,-22001" "138:UDP"="138:UDP:*:Enaxxxxx@xxxxxres.dll,-22002" [SharedAccess\Parameters\FirewallPolicy\StandardProfile] [SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications] [SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enaxxxxx@xxxxxres.dll,-22019" "C:\Programme\Messenger\msmsgs.exe"="C:\Programme\Messenger\msmsgs.exe:*:Enabled:Windows Messenger" "C:\Programme\ICQ6\ICQ.exe"="C:\Programme\ICQ6\ICQ.exe:*:Enabled:ICQ6" [SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts] [SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP"="1900:UDP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22007" "2869:TCP"="2869:TCP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22008" "139:TCP"="139:TCP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22004" "445:TCP"="445:TCP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22005" "137:UDP"="137:UDP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22001" "138:UDP"="138:UDP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22002" [SharedAccess\Setup] "ServiceUpgrade"=dword:00000001 [SharedAccess\Setup\InterfacesUnfirewalledAtUpdate] "All"=dword:00000001 -----HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Firewall\----- -----HKEY_LOCAL_MACHINE\SOFTWARE\Winsock2----- -----HKLM\Software\Microsoft\Ole----- [Ole] "DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\ "MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\ "MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\ "EnableDCOM"="Y" [Ole\AppCompat] [Ole\AppCompat\ActivationSecurityCheckExemptionList] "{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1" "{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1" "{0040D221-54A1-11D1-9DE0-006097042D69}"="1" "{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1" -----HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\----- -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\----- [Security Center] "FirstRunDisabled"=dword:00000001 "AntiVirusDisableNotify"=dword:00000000 "FirewallDisableNotify"=dword:00000000 "UpdatesDisableNotify"=dword:00000000 "AntiVirusOverride"=dword:00000000 "FirewallOverride"=dword:00000000 [Security Center\Monitoring] [Security Center\Monitoring\AhnlabAntiVirus] [Security Center\Monitoring\ComputerAssociatesAntiVirus] [Security Center\Monitoring\KasperskyAntiVirus] [Security Center\Monitoring\McAfeeAntiVirus] [Security Center\Monitoring\McAfeeFirewall] [Security Center\Monitoring\PandaAntiVirus] [Security Center\Monitoring\PandaFirewall] [Security Center\Monitoring\SophosAntiVirus] [Security Center\Monitoring\SymantecAntiVirus] [Security Center\Monitoring\SymantecFirewall] [Security Center\Monitoring\TinyFirewall] [Security Center\Monitoring\TrendAntiVirus] [Security Center\Monitoring\TrendFirewall] [Security Center\Monitoring\ZoneLabsFirewall] -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\----- [SystemRestore] "DisableSR"=dword:00000000 "CreateFirstRunRp"=dword:00000001 "DSMin"=dword:000000c8 "DSMax"=dword:00000190 "RPSessionInterval"=dword:00000000 "RPGlobalInterval"=dword:00015180 "RPLifeInterval"=dword:0076a700 "CompressionBurst"=dword:0000003c "TimerInterval"=dword:00000078 "DiskPercent"=dword:0000000c "ThawInterval"=dword:00000384 "RestoreDiskSpaceError"=dword:00000000 "RestoreStatus"=dword:00000001 "RestoreSafeModeStatus"=dword:00000000 [SystemRestore\Cfg] "DiskPercent"=dword:0000000c "MachineGuid"="{64AB1029-AC96-4312-9A81-A0ACDF6ECA81}" [SystemRestore\SnapshotCallbacks] @="" -----HKEY_CURRENT_USER\Software\VB and VBA Program Settings----- -----HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\----- -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions----- [AdvancedOptions] -----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions----- -----HKLM\Software\Microsoft\Active Setup\Installed Components----- [Installed Components] [Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] #### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll" "Stubpath"="C:\WINDOWS\inf\unregmp2.exe /ShowWMP" "@="Microsoft Windows Media Player" "ComponentID"="WMPACCESS" [Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}] "@="Internet Explorer" "ComponentID"="IEACCESS" "StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE" [Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] "@="Browseranpassungen" "ComponentID"="BRANDING.CAB" "StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] "@="Outlook Express" "ComponentID"="OEACCESS" "StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE" [Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}] "@="Java (Sun)" "ComponentID"="JAVAVM" "KeyFileName"="C:\Programme\Java\jre1.6.0_02\bin\regutils.dll" [Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}] "@="Vektorgrafik-Rendering (VML)" "ComponentID"="MSVML" [Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}] #### HKCR\CLSID\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll" "ComponentID"="NetShow" "StubPath"="" [Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] #### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll" "ComponentID"="Microsoft Windows Media Player" "StubPath"="" "@="Microsoft Windows Media Player 6.4" [Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}] #### HKCR\CLSID\{283807B5-2C60-11D0-A31D-00AA00B92C03}\InprocServer32 @="C:\WINDOWS\system32\danim.dll" "@="DirectAnimation" "ComponentID"="DirectAnimation" [Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] "@="Themes Setup" "ComponentID"="Theme Component" "StubPath"=expand:"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll" [Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}] "@="Dynamic HTML-Datenbindung für Java" "ComponentID"="TridataJava" [Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}] "@="Offlinebrowsingpaket" "ComponentID"="MobilePk" [Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}] "@="Uniscribe" "ComponentID"="USP10" [Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}] "@="Erweitertes Authoring" "ComponentID"="AdvAuth" [Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] "@="Microsoft Outlook Express 6" "ComponentID"="MailNews" "StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:OE /CALLER:WINNT /user /install" [Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] "@="NetMeeting 3.01" "ComponentID"="NetMeeting" "StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT" [Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}] "@="DirectShow" "ComponentID"="activemovie" [Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}] "@="DirectDrawEx" "ComponentID"="DirectDrawEx" [Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}] "@="Internet Explorer-Hilfe" "ComponentID"="HelpCont" [Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}] "@="DirectAnimation Java Classes" "ComponentID"="DAJava" [Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}] "@="Microsoft Windows Script 5.6" "ComponentID"="MSVBScript" [Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}] "KeyFileName"="C:\Programme\Messenger\msmsgs.exe" "@="Windows Messenger 4.7" "ComponentID"="Messenger" "StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}] "(Default)"="Internet Connection Wizard" "ComponentID"="ICW" [Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}] "@="Internet Explorer Setup Tools" "ComponentID"="GenSetup" [Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}] "@="Browsererweiterungen" "ComponentID"="ExtraPack" "KeyFileName"="C:\WINDOWS\system32\msieftp.dll" [Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}] #### HKCR\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32 @="C:\WINDOWS\system32\wmp.dll" "@="Microsoft Windows Media Player" "ComponentID"="Microsoft Windows Media Player" "StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub" [Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}] "@="Zugang zu MSN Site" "ComponentID"="MSN_Auth" [Installed Components\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}] "ComponentID"=".NETFramework" "@=".NET Framework" [Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}] "@="Adressbuch 6" "ComponentID"="WAB" "StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install" [Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}] "@="Windows Desktop-Update" "ComponentID"="IE4Shell_NT" "StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll" [Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}] "@="Internet Explorer 6" "ComponentID"="BASEIE40_W2K" "StubPath"=expand:"%SystemRoot%\system32\ie4uinit.exe" [Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix] [Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}] "StubPath"="C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install" "ComponentID"="DOTNETFRAMEWORKS" [Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}] "@="Dynamic HTML-Datenbindung" "ComponentID"="Tridata" [Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] [Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}] "@="Internet Explorer-Hauptschriftarten" "ComponentID"="Fontcore" [Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}] "@="Taskplaner" "ComponentID"="MSTASK" [Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}] "ComponentID"="Windows Movie Maker v2.1" [Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}] "@="Adobe Flash Player 9 ActiveX" "ComponentID"="Flash" [Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}] "@="HTML-Hilfe" "ComponentID"="HTMLHelp" [Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}] "@="Active Directory Service Interface" "ComponentID"="ADSI" -----Comparing registry keys CCS1 vs CCS2 ----- > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\DS > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\LSA > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\NetDDE Object > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\SC Manager > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security Account Manager > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Spooler > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\MRxDAV\EncryptedDirectories < Value: HKEY_LOCAL_MACHINE\system\controlset001\services\mssmbios\Data < Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 435 (0x1B3) > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\SharedAccess\Epoch Epoch REG_DWORD 432 (0x1B0) < Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} NTEContextList REG_MULTI_SZ \0 > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} NTEContextList REG_MULTI_SZ 0x00000003\0\0 > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpNameServer REG_SZ 213.191.74.18 192.168.0.1 > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpDomain REG_SZ > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpDefaultGateway REG_MULTI_SZ 192.168.0.1\0\0 > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpSubnetMaskOpt REG_MULTI_SZ 255.255.255.0\0\0 > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\{C637C02F-67B6-487C-BE6A-5980BADADFEA}\Parameters\Tcpip DhcpDefaultGateway REG_MULTI_SZ 192.168.0.1\0\0 > Value: HKEY_LOCAL_MACHINE\system\controlset002\services\{C637C02F-67B6-487C-BE6A-5980BADADFEA}\Parameters\Tcpip DhcpSubnetMaskOpt REG_MULTI_SZ 255.255.255.0\0\0 Result compared: Different -----Comparing registry keys CCS1 vs CCS3 ----- < Value: HKEY_LOCAL_MACHINE\system\controlset001\services Result compared: Identical ===================== AUTOPLAY SETTINGS ===================== ~~~~~~~~~~~~~~~~~~~~~ Registry setting ~~~~~~~~~~~~~~~~~~~~~ (note: default values should be 91 or 95) -----HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer----- [Explorer] "NoDriveTypeAutoRun"=dword:00000091 -----HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer----- [Explorer] "NoDriveTypeAutoRun"=dword:00000091 Autorun is enabled on: DRIVE_UNKNOWN = Falsch DRIVE_NO_ROOT_DIR = Wahr DRIVE_REMOVABLE = Wahr DRIVE_FIXED = Wahr DRIVE_REMOTE = Falsch DRIVE_CDROM = Wahr DRIVE_RAMDISK = Wahr RESERVED = Falsch ~~~~~~~~~~~~~~~~~~~~~ Autorun.inf files ~~~~~~~~~~~~~~~~~~~~~ ### C:\Dokumente und Einstellungen\Simon\Desktop\BWV Prüfungsprogramm\autorun.inf open=setup.exe ===================== SCHEDULED JOBS ===================== jobs found in C:\WINDOWS: 01.01.2000 00:12:08 6 byte 3100 days old -- C:\WINDOWS\tasks\SA.DAT 28.02.2006 14:00:00 65 byte 850 days old -- C:\WINDOWS\tasks\desktop.ini ~~~~~~~~~~~~~~~~~~~~~ Active jobs: ~~~~~~~~~~~~~~~~~~~~~ Most recent (50) lines in jobs scheduled log: ===================== LIST OF ALL SERVICES & DRIVERS ===================== ------------------------------------------------------------------------------ System pid: 4 Command line: <no command line> ------------------------------------------------------------------------------ smss.exe pid: 568 Command line: \SystemRoot\System32\smss.exe Base Size Version Path 0x48580000 0xf000 \SystemRoot\System32\smss.exe ------------------------------------------------------------------------------ csrss.exe pid: 800 Command line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 Base Size Version Path 0x4a680000 0x5000 \??\C:\WINDOWS\system32\csrss.exe 0x75ae0000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\CSRSRV.dll 0x75af0000 0x10000 5.01.2600.2180 C:\WINDOWS\system32\basesrv.dll 0x75b00000 0x4a000 5.01.2600.2180 C:\WINDOWS\system32\winsrv.dll ------------------------------------------------------------------------------ winlogon.exe pid: 824 Command line: winlogon.exe Base Size Version Path 0x01000000 0x81000 \??\C:\WINDOWS\system32\winlogon.exe 0x77690000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\AUTHZ.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x10000000 0x10000 C:\WINDOWS\system32\khfCuULC.dll 0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL ------------------------------------------------------------------------------ services.exe pid: 868 Command line: C:\WINDOWS\system32\services.exe Base Size Version Path 0x01000000 0x1c000 5.01.2600.2180 C:\WINDOWS\system32\services.exe 0x77b40000 0x53000 5.01.2600.2180 C:\WINDOWS\system32\SCESRV.dll 0x77690000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\AUTHZ.dll 0x75850000 0x1f000 5.01.2600.2180 C:\WINDOWS\system32\umpnpmgr.dll 0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x772d0000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\eventlog.dll ------------------------------------------------------------------------------ lsass.exe pid: 880 Command line: C:\WINDOWS\system32\lsass.exe Base Size Version Path 0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\lsass.exe 0x753d0000 0xb6000 5.01.2600.2180 C:\WINDOWS\system32\LSASRV.dll 0x743c0000 0x6e000 5.01.2600.2180 C:\WINDOWS\system32\SAMSRV.dll 0x76740000 0xc000 5.01.2600.2180 C:\WINDOWS\system32\cryptdll.dll 0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll 0x76750000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x20000000 0xe000 5.01.2600.2180 C:\WINDOWS\system32\msprivs.dll 0x71c70000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\kerberos.dll 0x74430000 0x65000 5.01.2600.2180 C:\WINDOWS\system32\netlogon.dll 0x76770000 0x2d000 5.01.2600.2180 C:\WINDOWS\system32\w32time.dll 0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll 0x767a0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\schannel.dll 0x742f0000 0xf000 5.01.2600.2180 C:\WINDOWS\system32\wdigest.dll 0x10000000 0x9d000 C:\WINDOWS\system32\hgGwVNeb.dll 0x74380000 0x30000 5.01.2600.2180 C:\WINDOWS\system32\scecli.dll 0x74350000 0x30000 5.01.2600.2180 C:\WINDOWS\system32\ipsecsvc.dll 0x77690000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\AUTHZ.dll 0x756c0000 0xce000 5.01.2600.2180 C:\WINDOWS\system32\oakley.DLL 0x742e0000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\WINIPSEC.DLL 0x74310000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\pstorsvc.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll 0x74330000 0x1b000 5.01.2600.2180 C:\WINDOWS\system32\psbase.dll 0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll 0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll 0x68100000 0x24000 5.01.2600.2133 C:\WINDOWS\system32\dssenh.dll ------------------------------------------------------------------------------ svchost.exe pid: 1048 Command line: C:\WINDOWS\system32\svchost -k DcomLaunch Base Size Version Path 0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x77690000 0x11000 5.01.2600.2180 c:\windows\system32\AUTHZ.dll 0x76ad0000 0x11000 3.05.2284.0000 c:\windows\system32\ATL.DLL ------------------------------------------------------------------------------ svchost.exe pid: 1132 Command line: C:\WINDOWS\system32\svchost -k rpcss Base Size Version Path 0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll 0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll 0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll 0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll ------------------------------------------------------------------------------ svchost.exe pid: 1172 Command line: C:\WINDOWS\System32\svchost.exe -k netsvcs Base Size Version Path 0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\svchost.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\System32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x76ee0000 0x27000 5.01.2600.2180 c:\windows\system32\DNSAPI.dll 0x76ad0000 0x11000 3.05.2284.0000 c:\windows\system32\ATL.DLL 0x663a0000 0xc000 5.01.2600.2180 c:\windows\system32\irmon.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll 0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\System32\hnetcfg.dll 0x590a0000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\wshirda.dll 0x767a0000 0x27000 5.01.2600.2180 C:\WINDOWS\System32\SCHANNEL.dll 0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\System32\MSVCP60.dll 0x76750000 0x13000 5.01.2600.2180 c:\windows\system32\NTDSAPI.dll 0x776e0000 0x41000 2001.12.4414.0258 c:\windows\system32\es.dll 0x74ec0000 0xc000 5.01.2600.2180 c:\windows\pchealth\helpctr\binaries\pchsvc.dll 0x4f110000 0x28000 5.01.2600.2180 c:\windows\system32\wbem\wmisvc.dll 0x76770000 0x2d000 5.01.2600.2180 c:\windows\system32\w32time.dll 0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll 0x76bc0000 0x2f000 5.01.2600.2180 c:\windows\system32\credui.dll 0x68d80000 0x9000 5.01.2600.2180 c:\windows\system32\hidserv.dll 0x77690000 0x11000 5.01.2600.2180 c:\windows\system32\AUTHZ.dll 0x742e0000 0xb000 5.01.2600.2180 c:\windows\system32\WINIPSEC.DLL 0x58030000 0x36000 5.01.2600.2180 C:\WINDOWS\System32\unimdm.tsp 0x5b3f0000 0x16000 5.01.2600.2180 C:\WINDOWS\System32\unimdmat.dll 0x61a70000 0x29000 5.01.2600.2180 C:\WINDOWS\system32\modemui.dll 0x580b0000 0xb000 5.01.2600.2180 C:\WINDOWS\System32\kmddsp.tsp 0x58090000 0x10000 5.01.2600.2180 C:\WINDOWS\System32\ndptsp.tsp 0x580c0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\ipconf.tsp 0x580e0000 0x46000 5.01.2600.2180 C:\WINDOWS\System32\h323.tsp 0x580d0000 0xa000 5.01.2600.2180 C:\WINDOWS\System32\hidphone.tsp 0x71c70000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\kerberos.dll 0x76740000 0xc000 5.01.2600.2180 C:\WINDOWS\System32\cryptdll.dll 0x5af90000 0x64000 6.06.2600.2180 c:\windows\system32\qmgr.dll 0x74e50000 0xe000 5.01.2600.2180 C:\WINDOWS\system32\wbem\wbemsvc.dll ------------------------------------------------------------------------------ svchost.exe pid: 1252 Command line: C:\WINDOWS\system32\svchost.exe -k NetworkService Base Size Version Path 0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x76ee0000 0x27000 5.01.2600.2180 c:\windows\system32\DNSAPI.dll ------------------------------------------------------------------------------ svchost.exe pid: 1352 Command line: C:\WINDOWS\system32\svchost.exe -k LocalService Base Size Version Path 0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll 0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll ------------------------------------------------------------------------------ aawservice.exe pid: 1624 Command line: C:\Programme\Lavasoft\Ad-Aware\aawservice.exe Base Size Version Path 0x00400000 0x97000 7.01.0000.0003 C:\Programme\Lavasoft\Ad-Aware\aawservice.exe 0x10000000 0xc5000 7.01.0000.0007 C:\Programme\Lavasoft\Ad-Aware\CEAPI.dll 0x004a0000 0x21b000 8.04.1045.0000 C:\Programme\Lavasoft\Ad-Aware\PKArchive85u.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll ------------------------------------------------------------------------------ spoolsv.exe pid: 2036 Command line: C:\WINDOWS\system32\spoolsv.exe Base Size Version Path 0x01000000 0x10000 5.01.2600.2180 C:\WINDOWS\system32\spoolsv.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll 0x76750000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll ------------------------------------------------------------------------------ explorer.exe pid: 2044 Command line: C:\WINDOWS\Explorer.EXE Base Size Version Path 0x01000000 0xff000 6.00.2900.2180 C:\WINDOWS\Explorer.EXE 0x75f20000 0xfd000 6.00.2900.2853 C:\WINDOWS\system32\BROWSEUI.dll 0x77730000 0x16e000 6.00.2900.2853 C:\WINDOWS\system32\SHDOCVW.dll 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x10000000 0x9d000 C:\WINDOWS\system32\hgGwVNeb.dll 0x55df0000 0xd000 17.01.0051.0000 C:\WINDOWS\system32\AcSignIcon.dll 0x782e0000 0x10f000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL 0x78130000 0x9b000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll 0x5d360000 0x10000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\MFC80DEU.DLL 0x5b9b0000 0x72000 6.00.2900.2180 C:\WINDOWS\system32\themeui.dll 0x76320000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\MSIMG32.dll 0x01230000 0x8e000 6.00.2900.2180 C:\WINDOWS\system32\shdoclc.dll 0x00ff0000 0x10000 C:\WINDOWS\system32\khfCuULC.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\mswsock.dll 0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll 0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll 0x74e70000 0x8000 5.01.2600.2180 C:\WINDOWS\system32\wbem\wbemprox.dll 0x74e50000 0xe000 5.01.2600.2180 C:\WINDOWS\system32\wbem\wbemsvc.dll 0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll 0x76750000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll 0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll 0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll 0x71cc0000 0x1c000 6.00.2900.2180 C:\WINDOWS\system32\actxprxy.dll 0x55fe0000 0x52000 17.01.0051.0000 C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcSignCore16.dll 0x7c420000 0x87000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll 0x76930000 0x8000 5.01.2600.2180 C:\WINDOWS\system32\LINKINFO.dll 0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL 0x765c0000 0x21000 5.01.2600.2180 C:\WINDOWS\system32\stobject.dll 0x74a70000 0xa000 6.00.2900.2180 C:\WINDOWS\system32\BatMeter.dll 0x76bc0000 0x2f000 5.01.2600.2180 C:\WINDOWS\system32\credui.dll 0x01930000 0x2d000 C:\WINDOWS\qegbdmwf.dll 0x01860000 0x3b000 C:\WINDOWS\pntqkflv.dll 0x00f40000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll 0x60010000 0x33000 5.01.2600.2180 C:\WINDOWS\system32\msutb.dll 0x75f00000 0x7000 5.01.2600.2180 C:\WINDOWS\System32\drprov.dll 0x71b90000 0xe000 5.01.2600.2180 C:\WINDOWS\System32\ntlanman.dll 0x71c50000 0x17000 5.01.2600.2180 C:\WINDOWS\System32\NETUI0.dll 0x71c10000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\NETUI1.dll 0x75f10000 0x9000 5.01.2600.2180 C:\WINDOWS\System32\davclnt.dll 0x4f4a0000 0x5f000 5.01.2600.2180 C:\WINDOWS\system32\wzcdlg.dll 0x55ee0000 0x1b000 17.01.0051.0000 C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll 0x7c630000 0x1b000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.DLL 0x02350000 0x5b000 8.00.0000.0000 C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll 0x01ee0000 0x4c000 8.00.0000.0000 C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.DEU 0x5b2e0000 0x15000 5.01.2600.2180 C:\WINDOWS\system32\usbui.dll 0x01df0000 0x13000 6.00.2900.2180 C:\WINDOWS\system32\browselc.dll 0x02000000 0x11000 1.00.0000.0001 C:\WINDOWS\system32\nada32.dll 0x4eba0000 0x1a3000 5.01.3102.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 0x5ce90000 0x6e000 6.00.2900.2180 C:\WINDOWS\system32\shimgvw.dll 0x6c670000 0x4d000 5.01.2600.2180 C:\WINDOWS\system32\DUSER.dll 0x73b10000 0x14000 5.01.2600.2180 C:\WINDOWS\system32\sti.dll 0x74a60000 0x7000 5.01.2600.2180 C:\WINDOWS\system32\CFGMGR32.dll ------------------------------------------------------------------------------ avguard.exe pid: 188 Command line: "C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe" ------------------------------------------------------------------------------ sched.exe pid: 676 Command line: "C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe" ------------------------------------------------------------------------------ GoogleUpdaterService.exe pid: 712 Command line: "C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe" Base Size Version Path 0x00400000 0x25000 2.02.0824.5515 C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll ------------------------------------------------------------------------------ alg.exe pid: 1104 Command line: C:\WINDOWS\System32\alg.exe Base Size Version Path 0x01000000 0xd000 5.01.2600.2180 C:\WINDOWS\System32\alg.exe 0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\System32\ATL.DLL 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\MSWSOCK.DLL 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\System32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll 0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll ------------------------------------------------------------------------------ apdproxy.exe pid: 200 Command line: "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" Base Size Version Path 0x00400000 0xe000 3.00.0000.50878 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe 0x10000000 0x1d000 3.00.0000.50878 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdboot.dll 0x7c3a0000 0x7b000 7.10.3077.0000 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\MSVCP71.dll 0x7c340000 0x56000 7.10.3052.0004 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\MSVCR71.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x73e70000 0x5c000 5.03.2600.2180 C:\WINDOWS\system32\DSOUND.dll 0x73b10000 0x14000 5.01.2600.2180 C:\WINDOWS\system32\sti.dll 0x74a60000 0x7000 5.01.2600.2180 C:\WINDOWS\system32\CFGMGR32.dll 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll ------------------------------------------------------------------------------ avgnt.exe pid: 792 Command line: "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min Base Size Version Path 0x00400000 0x40000 8.00.0000.0007 C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe 0x7c250000 0x102000 7.10.3077.0000 C:\Programme\Avira\AntiVir PersonalEdition Classic\MFC71U.DLL 0x00320000 0x56000 7.10.3052.0004 C:\Programme\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll 0x10000000 0x2a000 8.00.0001.0018 C:\Programme\Avira\AntiVir PersonalEdition Classic\cclib.dll 0x7c3a0000 0x7b000 7.10.3077.0000 C:\Programme\Avira\AntiVir PersonalEdition Classic\MSVCP71.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x00af0000 0x44000 8.00.0000.0020 c:\programme\avira\antivir personaledition classic\ccgen.dll 0x00b40000 0x7000 8.00.0012.0000 c:\programme\avira\antivir personaledition classic\ccgenrc.dll 0x00b50000 0x37000 8.00.0000.0016 c:\programme\avira\antivir personaledition classic\ccguard.dll 0x00b90000 0x8000 8.00.0003.0000 c:\programme\avira\antivir personaledition classic\ccgrdrc.dll 0x00ba0000 0x14000 1.00.0006.0000 c:\programme\avira\antivir personaledition classic\avipc.dll 0x00bd0000 0x1e000 8.00.0000.0014 c:\programme\avira\antivir personaledition classic\ccupdate.dll 0x00bf0000 0x6000 8.00.0003.0000 c:\programme\avira\antivir personaledition classic\ccupdrc.dll 0x00c00000 0x11000 8.00.0000.0009 c:\programme\avira\antivir personaledition classic\cclic.dll 0x00c20000 0x4000 8.00.0002.0000 c:\programme\avira\antivir personaledition classic\cclicrc.dll 0x00c30000 0x28000 8.00.0000.0004 c:\programme\avira\antivir personaledition classic\ccmsg.dll 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll ------------------------------------------------------------------------------ jusched.exe pid: 240 Command line: "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe" Base Size Version Path 0x00400000 0x21000 6.00.0020.0006 C:\Programme\Java\jre1.6.0_02\bin\jusched.exe 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x10000000 0x10000 C:\WINDOWS\system32\khfCuULC.dll ------------------------------------------------------------------------------ LxUpdateManager.exe pid: 1520 Command line: "C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" /autostart Base Size Version Path 0x00400000 0x86000 2.50.0033.0812 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe 0x79000000 0x45000 2.00.50727.0042 C:\WINDOWS\system32\mscoree.dll 0x79e70000 0x561000 2.00.50727.0042 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll 0x78130000 0x9b000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x790c0000 0xae6000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\a4b747a8051d7342a743014a44592ed4\mscorlib.ni.dll 0x64020000 0x13000 2.00.50727.0042 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll 0x73240000 0x5000 5.131.2600.0000 C:\WINDOWS\system32\SOFTPUB.DLL 0x76580000 0x13000 5.131.2600.2180 C:\WINDOWS\system32\cryptnet.dll 0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\SensApi.dll 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll 0x7a440000 0x7be000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\2ec52b74b63689418313a2fdaca5276f\System.ni.dll 0x7ade0000 0x194000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\8d686761485e4a4bbc23cf69543c9f12\System.Drawing.ni.dll 0x7afd0000 0xc86000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\e634ca373fe9e94bb2f0a7d5e5b39b8f\System.Windows.Forms.ni.dll 0x79060000 0x53000 2.00.50727.0042 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll 0x03300000 0x42000 2.50.0033.0812 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\Lexware.Lisa.dll 0x03620000 0x3e000 1.00.0000.0000 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\NLog.dll 0x035c0000 0x8000 1.00.0000.0001 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\Lexware.Lisa.Interfaces.dll 0x64890000 0xee000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\1d3505dcf8265b4db7168cbaa060fdf9\System.Configuration.ni.dll 0x69be0000 0x568000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\606a7789ef03a2498313c4df185923c6\System.Xml.ni.dll 0x685c0000 0xb4a000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\0e67da8edef45a45ba2ee08f120ec08b\System.Web.ni.dll 0x67670000 0x42000 2.00.50727.0042 C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll 0x4eba0000 0x1a3000 5.01.3102.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 0x60500000 0x28000 2.50.0033.0812 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\lxiuum10.dll 0x781d0000 0x10f000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL 0x7c420000 0x87000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll 0x5d360000 0x10000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\MFC80DEU.DLL 0x74900000 0x130000 8.50.2162.0000 C:\WINDOWS\system32\msxml3.dll ------------------------------------------------------------------------------ AirGCFG.exe pid: 1540 Command line: "C:\Programme\D-Link\AirPlus G\AirGCFG.exe" Base Size Version Path 0x00400000 0x17e000 3.03.0001.51123 C:\Programme\D-Link\AirPlus G\AirGCFG.exe 0x10000000 0x3c000 1.03.0036.51122 C:\WINDOWS\system32\wlanapi.dll 0x00320000 0xa000 2.00.0003.51006 C:\WINDOWS\system32\ANIOApi.dll 0x00330000 0xd000 1.00.0000.30603 C:\WINDOWS\system32\AQCKGen.dll 0x00340000 0x29000 1.00.0015.51118 C:\WINDOWS\system32\WlanApp.dll 0x5f1a0000 0x17000 5.01.2600.2180 C:\WINDOWS\system32\OLEPRO32.DLL 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x00b40000 0x19000 3.03.0001.50907 C:\Programme\D-Link\AirPlus G\WlanMon.dll 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll ------------------------------------------------------------------------------ WZCSLDR2.exe pid: 1532 Command line: "C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" Base Size Version Path 0x00400000 0xd000 1.00.0006.41216 C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe 0x10000000 0x9e000 2.04.0038.51122 C:\WINDOWS\system32\ANIWZCS2.DLL 0x00850000 0xd000 1.00.0000.30603 C:\WINDOWS\system32\AQCKGen.dll 0x00860000 0xa000 2.00.0003.51006 C:\WINDOWS\system32\ANIOApi.dll 0x00870000 0x29000 1.00.0015.51118 C:\WINDOWS\system32\WlanApp.dll 0x008a0000 0x3c000 1.03.0036.51122 C:\WINDOWS\system32\wlanapi.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll ------------------------------------------------------------------------------ ctfmon.exe pid: 1432 Command line: "C:\WINDOWS\system32\CTFMON.EXE" Base Size Version Path 0x00400000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\CTFMON.EXE 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll 0x60010000 0x33000 5.01.2600.2180 C:\WINDOWS\system32\MSUTB.dll 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll ------------------------------------------------------------------------------ GoogleUpdater.exe pid: 2184 Command line: "C:\Programme\Google\Google Updater\GoogleUpdater.exe" -systray -startup Base Size Version Path 0x00400000 0x20000 2.02.1111.1511 C:\Programme\Google\Google Updater\GoogleUpdater.exe 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll 0x60000000 0xdc000 2.02.1111.1511 C:\Programme\Google\Google Updater\2.2.1111.1511\ci.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x10000000 0xa3000 2.01.1119.1736 C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll 0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\mswsock.dll 0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll 0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL ------------------------------------------------------------------------------ svchost.exe pid: 3908 Command line: C:\WINDOWS\system32\svchost.exe -k imgsvc Base Size Version Path 0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x75b50000 0x55000 5.01.2600.2180 c:\windows\system32\wiaservc.dll 0x74a60000 0x7000 5.01.2600.2180 c:\windows\system32\CFGMGR32.dll 0x73aa0000 0x14000 5.01.2600.2180 c:\windows\system32\mscms.dll 0x71cc0000 0x1c000 6.00.2900.2180 C:\WINDOWS\system32\actxprxy.dll 0x73b10000 0x14000 5.01.2600.2180 C:\WINDOWS\system32\sti.dll ------------------------------------------------------------------------------ jucheck.exe pid: 2140 Command line: "C:\Programme\Java\jre1.6.0_02\bin\jucheck.exe" -auto Base Size Version Path 0x00400000 0x50000 6.00.0020.0006 C:\Programme\Java\jre1.6.0_02\bin\jucheck.exe 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll 0x5e190000 0x9000 6.06.2600.2180 C:\WINDOWS\system32\qmgrprxy.dll 0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll ------------------------------------------------------------------------------ sys77280.exe pid: 2924 Command line: "C:\Dokumente und Einstellungen\Maikes\Desktop\sys77280.exe" Base Size Version Path 0x00400000 0x39000 C:\Dokumente und Einstellungen\Maikes\Desktop\sys77280.exe 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll ------------------------------------------------------------------------------ runme.exe pid: 2936 Command line: runme.exe Base Size Version Path 0x00400000 0x63000 3.05.0000.0005 C:\DOKUME~1\Maikes\LOKALE~1\Temp\nsdC.tmp\runme.exe 0x66000000 0x152000 6.00.0097.0082 C:\WINDOWS\system32\MSVBVM60.DLL 0x66630000 0x22000 6.00.0089.0088 C:\WINDOWS\system32\VB6DE.DLL 0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll 0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\mswsock.dll ------------------------------------------------------------------------------ cmd.exe pid: 2460 Command line: cmd /c uuoywfrygn.exe > tempd.txt Base Size Version Path 0x4ad00000 0x64000 5.01.2600.2180 C:\WINDOWS\system32\cmd.exe 0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll ------------------------------------------------------------------------------ uuoywfrygn.exe pid: 2448 Command line: uuoywfrygn.exe Base Size Version Path 0x00400000 0x14000 2.25.0000.0000 C:\DOKUME~1\Maikes\LOKALE~1\Temp\nsdC.tmp\uuoywfrygn.exe 0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll ===================== NTFS ADS ===================== c:\Dokumente und Einstellungen\Simon\Eigene Dateien\Eigene Bilder\Thumbs.db:encryptable 0 bytes c:\Dokumente und Einstellungen\Simon\Eigene Dateien\lach\Thumbs.db:encryptable 0 bytes c:\Dokumente und Einstellungen\Simon\Eigene Dateien\Videos\Thumbs.db:encryptable 0 bytes ===================== ENCRYPTED FILES ===================== ===================== HIDDEN OBJECTS ===================== scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ===================== RUSTOCK ROOTKIT DETECTION ===================== #### NOTHING FOUND #### ===================== MASTER BOOT RECORD ===================== device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK ===================== NETWORK SETTINGS ===================== ~~~~~~~~~~~~~~~~~~~~~ Winsock Parameters ~~~~~~~~~~~~~~~~~~~~~ -----HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\----- [Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] "LibraryPath"="%SystemRoot%\System32\mswsock.dll" ~~~~~~~~~~~~~~~~~~~~~ TCP/IP network configuration ~~~~~~~~~~~~~~~~~~~~~ Hostname. . . . . . . . . . . . . : MAIKE Primäres DNS-Suffix . . . . . . . : Knotentyp . . . . . . . . . . . . : Gemischt WINS-Proxy aktiviert. . . . . . . : Nein Ethernetadapter LAN-Verbindung: Medienstatus. . . . . . . . . . . : Es besteht keine Verbindung Beschreibung. . . . . . . . . . . : Intel 8255x-basierter PCI-Ethernetadapter (10/100) Physikalische Adresse . . . . . . : 00-00-39-E3-F7-AA -----HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces ~~~~~~~~~~~~~~~~~~~~~ Open ports ~~~~~~~~~~~~~~~~~~~~~ Aktive Verbindungen Proto Lokale Adresse Remoteadresse Status PID TCP MAIKE:epmap 0.0.0.0:0 ABH™REN 1132 c:\windows\system32\WS2_32.dll C:\WINDOWS\system32\RPCRT4.dll c:\windows\system32\rpcss.dll C:\WINDOWS\system32\svchost.exe -- unbekannte Komponente(n) -- [svchost.exe] TCP MAIKE:microsoft-ds 0.0.0.0:0 ABH™REN 4 [System] TCP MAIKE:1026 0.0.0.0:0 ABH™REN 1104 [alg.exe] UDP MAIKE:microsoft-ds *:* 4 [System] UDP MAIKE:4500 *:* 880 [lsass.exe] UDP MAIKE:isakmp *:* 880 [lsass.exe] UDP MAIKE:1900 *:* 1352 c:\windows\system32\WS2_32.dll c:\windows\system32\ssdpsrv.dll ntdll.dll C:\WINDOWS\system32\kernel32.dll [svchost.exe] UDP MAIKE:ntp *:* 1172 c:\windows\system32\WS2_32.dll c:\windows\system32\w32time.dll ntdll.dll C:\WINDOWS\system32\kernel32.dll [svchost.exe] ~~~~~~~~~~~~~~~~~~~~~ Shared Resources ~~~~~~~~~~~~~~~~~~~~~ Name Ressource Beschreibung print$ C:\WINDOWS\system32\spool\drivers Druckertreiber IPC$ Remote-IPC SharedDocs C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\DOKUMENTE Drucker LPT1: Spooler Lexware PDF-Export 3 Drucker2 LPT1: Spooler AGFA-AccuSet v52.3 Der Befehl wurde erfolgreich ausgefhrt. ~~~~~~~~~~~~~~~~~~~~~ TRUSTED DOMAINS ~~~~~~~~~~~~~~~~~~~~~ -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ~~~~~~~~~~~~~~~~~~~~~ TRUSTED IPs ~~~~~~~~~~~~~~~~~~~~~ -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ~~~~~~~~~~~~~~~~~~~~~ RAS active connections ~~~~~~~~~~~~~~~~~~~~~ Keine Verbindungen Der Befehl wurde erfolgreich ausgefhrt. ~~~~~~~~~~~~~~~~~~~~~ Rasphone.pbk content ~~~~~~~~~~~~~~~~~~~~~ -----C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk ===================== HOSTS FILE ===================== 127.0.0.1 localhost ===================== SUSPICIOUS FILES ===================== EXE and DLL files packed with runtime packers, found in: C:\; C:\WINDOWS\; C:\WINDOWS\system32\ C:\WINDOWS\system32\nada32.dll --> is compressed with UPX C:\WINDOWS\system32\opus16.dll --> is compressed with UPX ===================== UNINSTALL LIST ===================== -----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall----- [Uninstall] [Uninstall\AddressBook] [Uninstall\AntiVir PersonalEdition Classic] "DisplayIcon"="C:\Programme\Avira\AntiVir PersonalEdition Classic\rcimage.dll,1" "DisplayName"="Avira AntiVir Personal – Free Antivirus" "UninstallString"="C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE" [Uninstall\Branding] [Uninstall\Connection Manager] [Uninstall\DirectAnimation] [Uninstall\DirectDrawEx] [Uninstall\DWG TrueView 2008] "DisplayIcon"="C:\WINDOWS\Installer\{B1A9CD45-A702-4E3B-91ED-8CD562869901}\Aoem162_icon.exe" "UninstallString"="C:\Programme\DWG TrueView 2008\Setup\Setup.exe /P {B1A9CD45-A702-4E3B-91ED-8CD562869901} /M AOEM" "DisplayName"="DWG TrueView 2008" [Uninstall\DXM_Runtime] [Uninstall\Fontcore] [Uninstall\Google Updater] "DisplayIcon"="C:\Programme\Google\Google Updater\GoogleUpdater.exe" "DisplayName"="Google Updater" "UninstallString"="\"C:\Programme\Google\Google Updater\GoogleUpdater.exe\" -uninstall" [Uninstall\ICW] [Uninstall\IE40] [Uninstall\IE4Data] [Uninstall\IE5BAKEX] [Uninstall\IEData] [Uninstall\InstallShield Uninstall Information] [Uninstall\InstallShield Uninstall Information\{2B7E4354-0492-460A-BDB1-1F59EE141025}] [Uninstall\InstallShield_{2B7E4354-0492-460A-BDB1-1F59EE141025}] "UninstallString"="C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{2B7E4354-0492-460A-BDB1-1F59EE141025} /l1031 " "DisplayName"="AirPlus G" "InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\_is4\" "DisplayIcon"="" [Uninstall\KB884016] [Uninstall\KB893803] [Uninstall\KB893803v2] "DisplayName"="Windows Installer 3.1 (KB893803)" "UninstallString"="\"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe\"" "DisplayIcon"=expand:"%windir%\system32\msiexec.exe" [Uninstall\KB911164] "DisplayName"="Update für Windows XP (KB911164)" "UninstallString"="" [Uninstall\Lexmark_HostCD] "UninstallString"="C:\Programme\Lexmark_HostCD\Install\Uninstall.exe" "DisplayIcon"="C:\Programme\Lexmark_HostCD\Install\Uninstall.exe" "DisplayName"="Lexmark Software deinstallieren" [Uninstall\Microsoft .NET Framework 2.0] "DisplayIcon"="C:\WINDOWS\system32\msiexec.exe" "DisplayName"="Microsoft .NET Framework 2.0" "UninstallString"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe" [Uninstall\MobileOptionPack] [Uninstall\Mozilla Firefox (2.0.0.12)] "DisplayIcon"="C:\Programme\Mozilla Firefox\firefox.exe,0" "DisplayName"="Mozilla Firefox (2.0.0.12)" "UninstallString"="C:\Programme\Mozilla Firefox\uninstall\helper.exe" [Uninstall\MPlayer2] [Uninstall\MSI30-Beta1] [Uninstall\MSI30-Beta2] [Uninstall\MSI30-KB884016] [Uninstall\MSI30-RC1] [Uninstall\MSI30-RC2] [Uninstall\MSI30a-KB884016] [Uninstall\MSI31-Beta] [Uninstall\MSI31-RC1] [Uninstall\NetMeeting] [Uninstall\OutlookExpress] [Uninstall\PCHealth] "UninstallString"="rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf" [Uninstall\SchedulingAgent] [Uninstall\ShockwaveFlash] "DisplayName"="Adobe Flash Player 9 ActiveX" "UninstallString"="C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q" [Uninstall\Toshiba Soft Modem] "DisplayName"="Toshiba Soft Modem AMR" [Uninstall\XTTB00001.XTTB00001Toolbar] "DisplayName"="ICQ Toolbar" "UninstallString"="regsvr32 /u /s \"C:\PROGRA~1\ICQTOO~1\toolbaru.dll\" " [Uninstall\{00000407-78E1-11D2-B60F-006097C998E7}] "InstallSource"="D:\" "UninstallString"=expand:"MsiExec.exe /I{00000407-78E1-11D2-B60F-006097C998E7}" "DisplayName"="Microsoft Office 2000 Premium" [Uninstall\{102C0111-5FEA-425C-88AC-B0BB6E60EC33}] "InstallSource"="C:\WINDOWS\Installer\{29D4CE6D-B616-4282-9228-C6469D1FE8A4\" "DisplayName"="Lexware financial office 2008" [Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}] #### HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32 @="c:\programme\google\googletoolbar1.dll" "DisplayName"="Google Toolbar for Internet Explorer" "UninstallString"="regsvr32 /u /s \"c:\programme\google\googletoolbar1.dll\"" "DisplayIcon"="c:\programme\google\googletoolbar1.dll" [Uninstall\{2B7E4354-0492-460A-BDB1-1F59EE141025}] "InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\_is4\" "DisplayName"="AirPlus G" [Uninstall\{2CCBABCB-6427-4A55-B091-49864623C43F}] "InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\GGSB.tmp\" "UninstallString"=expand:"MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}" "DisplayName"="Google Toolbar for Firefox" [Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160020}] "DisplayIcon"="C:\Programme\Java\jre1.6.0_02\\bin\javaws.exe" "InstallSource"="d:\Data\java_runtime\" "UninstallString"=expand:"MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}" "DisplayName"="Java(TM) 6 Update 2" [Uninstall\{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}] "InstallSource"="C:\WINDOWS\system32\" "DisplayName"="WebFldrs XP" [Uninstall\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}] "UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe\" -l0x7 -removeonly" "InstallSource"="C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater\cache\installers_ci_earth_de_4.0.2740.0_setup_2007.02.21_14.46.09.exe" "DisplayName"="Google Earth" [Uninstall\{41EBCCBE-1FAD-40AD-A8B6-BD292DB683A4}] "UninstallString"="C:\Programme\InstallShield Installation Information\{41EBCCBE-1FAD-40AD-A8B6-BD292DB683A4}\setup.exe -runfromtemp -l0x0007 -removeonly" "InstallSource"="C:\Programme\Gemeinsame Dateien\Lexware\Aktualisierung2008\lexware_aktualisierung_financial_office_2008_12_20\" "DisplayName"="Lexware financial office Aktualisierung Februar 2008, Version 12.20" "DisplayIcon"="C:\Programme\Lexware\office\lfo.ico,0" [Uninstall\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}] "DisplayIcon"="C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\Photoshop Album Starter Edition.exe,-111" "InstallSource"="C:\WINDOWS\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\" "UninstallString"=expand:"MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" "DisplayName"="Adobe® Photoshop® Album Starter Edition 3.0" [Uninstall\{4C590030-7469-453E-8589-D15DA9D03F52}] "UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe\" " "DisplayName"="ANIWZCS2 Service" [Uninstall\{520CC748-9867-498E-A257-B6112952A65E}] "UninstallString"="C:\Programme\InstallShield Installation Information\{520CC748-9867-498E-A257-B6112952A65E}\setup.exe -runfromtemp -l0x0007 -removeonly" "InstallSource"="d:\DATA\financial_office\" "DisplayName"="Lexware financial office 2008" "DisplayIcon"="C:\Programme\Lexware\office\lfo.ico,0" [Uninstall\{5DB88ED8-3487-4BDE-A8C5-7F4D016BE737}] "InstallSource"="C:\WINDOWS\Installer\FA3FE437-8DC5-4556-B384-F3C0AC81B1B0\" "DisplayName"="Lexware financial office Aktualisierung Februar 2008, Version 12.20" [Uninstall\{60DE4033-9503-48D1-A483-7846BD217CA9}] "UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe\" -l0x9 -removeonly" "InstallSource"="C:\Dokumente und Einstellungen\Simon\Desktop\Install_ICQ6.exe" "DisplayName"="ICQ6" "DisplayIcon"="<PATH_TO_AKIVA_FILES>\icq\icq6_install.ico,0" [Uninstall\{6845AE3B-EB95-46DE-A190-EAB8D7764C60}] "InstallSource"="C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lexware\Elster\Daten\Download\" "UninstallString"=expand:"MsiExec.exe /I{6845AE3B-EB95-46DE-A190-EAB8D7764C60}" "DisplayName"="Lexware Elster" [Uninstall\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}] "DisplayIcon"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ndpsetup.ico" "InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\IXP000.TMP\" "DisplayName"="Microsoft .NET Framework 2.0" [Uninstall\{7299052b-02a4-4627-81f2-1818da5d550d}] "InstallSource"="C:\Dokumente und Einstellungen\Simon\Lokale Einstellungen\Anwendungsdaten\Lexware\LxSetupTemp\Data\visual_studio_runtime_8\" "UninstallString"=expand:"MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}" "DisplayName"="Microsoft Visual C++ 2005 Redistributable" [Uninstall\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}] "UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe\" " "DisplayName"="ANIO Service" [Uninstall\{7C4BCD17-BDBA-4078-9D8C-8CA8B7EABE77}] "DisplayName"="" "UninstallString"="\"C:\Programme\Uninstall.exe\"" [Uninstall\{AC76BA86-7AD7-1031-7B44-A80000000002}] "InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\Adobe Reader 8.0\" "UninstallString"=expand:"MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A80000000002}" "DisplayName"="Adobe Reader 8 - Deutsch" [Uninstall\{AEB9948B-4FF2-47C9-990E-47014492A0FE}] "InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\WZSE1.TMP\support\msxml\" "UninstallString"=expand:"MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}" "DisplayName"="MSXML 6.0 Parser" [Uninstall\{B1A9CD45-A702-4E3B-91ED-8CD562869901}] "InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\WZSE1.TMP\" "DisplayName"="DWG TrueView 2008" [Uninstall\{B480BD2A-F1BA-4FE6-8C8E-34C6111B72C9}] "UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{B480BD2A-F1BA-4FE6-8C8E-34C6111B72C9}\setup.exe\" -l0x7 -removeonly" "InstallSource"="C:\Dokumente und Einstellungen\Simon\Desktop\ElsterFormular2007-Setup.exe" "DisplayName"="ElsterFormular 2007/2008" "DisplayIcon"="<ISPROJECTDIR>\setup files\compressed files\language independent\os independent\Elfo.ico" [Uninstall\{BEDFB0D0-CA1E-4CBA-9664-B25A74019D0C}] "InstallSource"="d:\Data\lisa_2_50\" "UninstallString"=expand:"MsiExec.exe /I{BEDFB0D0-CA1E-4CBA-9664-B25A74019D0C}" "DisplayName"="Lexware Info Service" [Uninstall\{DBEA1034-5882-4A88-8033-81C4EF0CFA29}] "InstallSource"="C:\Programme\Google\Installers\" "UninstallString"=expand:"MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" "DisplayName"="Google Toolbar for Internet Explorer" [Uninstall\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}] "InstallSource"="C:\Programme\Gemeinsame Dateien\Wise Installation Wizard\" "UninstallString"=expand:"MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" "DisplayName"="Ad-Aware" [Uninstall\{FF748561-FFFE-11D3-A06B-00E02939A7B1}] "UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{FF748561-FFFE-11D3-A06B-00E02939A7B1}\Setup.exe\" -l0x7 -removeonly" "InstallSource"="d:\Data\dakota_4_0\" "DisplayName"="dakota.ag" -----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall----- ========================================== Scan completed in 19 minutes End of report ~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~ SystemScan uses some freeware tools that remain property of their authors: * SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts " * dumphive (Markus Stephany)--> "Registry scan" * Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules" * Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record" ---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log Thanks to all of them for their hard work Dieser Beitrag wurde am 27.06.2008 um 11:41 Uhr von hoddel editiert.
|
|
|
||
27.06.2008, 12:17
Ehrenmitglied
Beiträge: 29434 |
#4
Hallo,
1. http://virus-protect.org/artikel/tools/otmoveIt.html öffne: OTMoveIt.exe OTMoveIt Kopiere rein: im linken Fenster ,wo steht: Paste List of Files/Folders to Move Zitat C:\WINDOWS\system32\clkcnt.txtKlicke auf den Roten MoveIt! 2. lade HijacktHis http://virus-protect.org/hjtkurz.html Beim Erststart: Do a system scan and save a logfile - es öffnet sich der Editor nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und hier mit rechtem Mausklick "einfügen" 3. lade Combofix, es erscheint eine Warnmeldung, keine Angst, es geht nichts schief, poste den report, der erscheint http://virus-protect.org/artikel/tools/combofix.html --------------------------------------------------------------------- ist für mich [Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}] HKCR\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8}\InprocServer32 [Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] [Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}] HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572} [Browser Helper Objects\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}] HKCR\CLSID\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}\InprocServer32 [ShellServiceObjectDelayLoad] "qegbdmwf"="{704256A8-EB18-4FBB-943D-0843F08DD20A}" #### HKCR\CLSID\{704256A8-EB18-4FBB-943D-0843F08DD20A}\InprocServer32 @="C:\WINDOWS\qegbdmwf.dll" "pntqkflv"="{F33F7155-384B-404D-865C-994967DD0B12}" #### HKCR\CLSID\{F33F7155-384B-404D-865C-994967DD0B12}\InprocServer32 @="C:\WINDOWS\pntqkflv.dll" -----HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks----- [ShellExecuteHooks] "{84AA61C2-A977-4FD8-9E2F-C768F0387572}"="" #### HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572}\InprocServer32 @="C:\WINDOWS\system32\khfCuULC.dll" __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
27.06.2008, 14:10
...neu hier
Themenstarter Beiträge: 3 |
#5
Hier das Log:
ComboFix 08-06-20.4 - Maikes 2008-06-27 13:52:38.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.404 [GMT 2:00] ausgeführt von:: C:\Dokumente und Einstellungen\Maikes\Desktop\ComboFix.exe * Neuer Wiederherstellungspunkt wurde erstellt [color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color] . (((((((((((((((((((((((((((((((((((( Weitere L”schungen )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Dokumente und Einstellungen\Simon\Desktop\Error Cleaner.url C:\Dokumente und Einstellungen\Simon\Desktop\Privacy Protector.url C:\Dokumente und Einstellungen\Simon\Desktop\Spyware&Malware Protection.url C:\Dokumente und Einstellungen\Simon\Favoriten\Error Cleaner.url C:\Dokumente und Einstellungen\Simon\Favoriten\Privacy Protector.url C:\Dokumente und Einstellungen\Simon\Favoriten\Spyware&Malware Protection.url C:\WINDOWS\csrss.exe C:\WINDOWS\system32\apgrdnqv.ini C:\WINDOWS\system32\beNVwGgh.ini C:\WINDOWS\system32\beNVwGgh.ini2 C:\WINDOWS\system32\hgGwVNeb.dll C:\WINDOWS\system32\mcrh.tmp . ((((((((((((((((((((((( Dateien erstellt von 2008-05-27 bis 2008-06-27 )))))))))))))))))))))))))))))) . 2008-06-27 13:06 . 2008-06-27 13:06 92,032 --a------ C:\WINDOWS\system32\vqndrgpa.dll 2008-06-27 12:53 . 2008-06-27 12:53 <DIR> d-------- C:\_OTMoveIt 2008-06-27 12:35 . 2008-06-27 12:41 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{C637C02F-67B6-487C-BE6A-5980BADADFEA} 2008-06-27 12:14 . 2008-06-27 12:14 <DIR> d-------- C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten\ICQ Toolbar 2008-06-27 11:05 . 2008-06-27 11:05 <DIR> d-------- C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten\Lexware 2008-06-27 11:02 . 2008-06-27 11:03 <DIR> dr------- C:\Dokumente und Einstellungen\Maikes\Eigene Dateien 2008-06-27 09:42 . 2000-04-09 02:02 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Vorlagen 2008-06-27 09:42 . 2000-04-09 01:53 <DIR> dr------- C:\Dokumente und Einstellungen\Maikes\Startmen 2008-06-27 09:42 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Netzwerkumgebung 2008-06-27 09:42 . 2008-06-27 13:56 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Lokale Einstellungen 2008-06-27 09:42 . 2008-06-27 11:03 <DIR> dr------- C:\Dokumente und Einstellungen\Maikes\Favoriten 2008-06-27 09:42 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Druckumgebung 2008-06-27 09:42 . 2008-06-27 12:16 <DIR> dr-h----- C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten 2008-06-27 09:41 . 2008-06-27 11:02 <DIR> d-------- C:\Dokumente und Einstellungen\Maikes 2008-06-26 22:22 . 2008-06-26 22:22 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien 2008-06-26 20:23 . 2008-06-26 20:23 <DIR> d-------- C:\Programme\Lavasoft 2008-06-26 20:23 . 2008-06-26 20:27 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft 2008-06-26 20:19 . 2008-06-26 19:56 19,153,264 --a------ C:\aaw2008_10.exe 2008-06-26 20:07 . 2006-02-28 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2008-06-26 20:00 . 2008-06-26 20:00 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard 2008-06-26 19:44 . 2003-10-09 17:55 20,966,970 --a------ C:\WINDOWS\cfdemo.exe 2008-06-26 19:44 . 2005-10-11 22:33 2,807,808 --a------ C:\WINDOWS\alcwzrd.exe 2008-06-26 19:44 . 2007-04-10 14:05 372,736 --a------ C:\WINDOWS\suinsta4001.exe 2008-06-26 19:44 . 2006-03-21 05:23 23,040 --a------ C:\WINDOWS\kb913800.exe 2008-06-26 18:48 . 2000-04-09 02:02 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen 2008-06-26 18:48 . 2000-04-09 01:53 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen 2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung 2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen 2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Favoriten 2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung 2008-06-26 18:48 . 2000-04-09 01:53 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten 2008-06-26 18:48 . 2008-06-26 22:22 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator 2008-06-25 18:12 . 2008-06-25 18:12 62,910 --a------ C:\Programme\Uninstall.exe 2008-06-25 18:12 . 2008-06-25 18:12 0 --a------ C:\Programme\uninstall.dat 2008-06-25 18:09 . 2008-06-26 18:46 <DIR> d-------- C:\Dokumente und Einstellungen\Simon\Anwendungsdaten\TmpRecentIcons 2008-06-24 20:24 . 2008-06-24 20:24 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd 2008-06-24 20:24 . 2008-06-24 18:51 245,760 --a------ C:\WINDOWS\gfetqaxstmk.dll 2008-06-24 20:24 . 2008-06-24 18:51 233,472 --a------ C:\WINDOWS\pntqkflv.dll 2008-06-24 20:24 . 2008-06-24 18:51 180,224 --a------ C:\WINDOWS\qegbdmwf.dll 2008-06-24 20:24 . 2008-06-24 18:51 155,648 --a------ C:\WINDOWS\gxvpsafm.dll 2008-06-24 20:24 . 2008-06-24 20:24 28,288 --a------ C:\WINDOWS\system32\khfCuULC.dll 2008-06-24 20:23 . 2008-06-24 20:23 19,456 --a------ C:\WINDOWS\system32\nada32.dll 2008-06-24 20:22 . 2008-06-24 20:22 19,456 --a------ C:\WINDOWS\system32\opus16.dll . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-27 10:31 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira 2008-06-27 10:16 --------- d-----w C:\Programme\ICQToolbar 2008-06-26 17:52 --------- d-----w C:\Programme\Q-Dir 2008-06-26 17:08 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater 2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys 2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys 2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys . (((((((((((((((((((((((((((( Autostart Punkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}] 2008-06-24 20:24 28288 --a------ C:\WINDOWS\system32\khfCuULC.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}] 2008-06-24 18:51 245760 --a------ C:\WINDOWS\gfetqaxstmk.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{866A4717-E246-4FDC-B2AA-14607C905E3A}"= "C:\WINDOWS\gxvpsafm.dll" [2008-06-24 18:51 155648] [HKEY_CLASSES_ROOT\clsid\{866a4717-e246-4fdc-b2aa-14607c905e3a}] [HKEY_CLASSES_ROOT\gxvpsafm.1] [HKEY_CLASSES_ROOT\TypeLib\{F260EB6B-9B1E-450F-AB15-905E5FAF6BE7}] [HKEY_CLASSES_ROOT\gxvpsafm] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Adobe Photo Downloader"="C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-23 20:33 57344] "SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496] "LexwareInfoService"="C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" [2007-09-25 14:59 532776] "D-Link AirPlus G"="C:\Programme\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 16:04 1544192] "ANIWZCS2Service"="C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 19:19 49152] "c02927a3"="C:\WINDOWS\system32\vqndrgpa.dll" [2008-06-27 13:06 92032] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 14:00 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{84AA61C2-A977-4FD8-9E2F-C768F0387572}"= C:\WINDOWS\system32\khfCuULC.dll [2008-06-24 20:24 28288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "qegbdmwf"= {704256A8-EB18-4FBB-943D-0843F08DD20A} - C:\WINDOWS\qegbdmwf.dll [2008-06-24 18:51 180224] "pntqkflv"= {F33F7155-384B-404D-865C-994967DD0B12} - C:\WINDOWS\pntqkflv.dll [2008-06-24 18:51 233472] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCuULC] khfCuULC.dll 2008-06-24 20:24 28288 C:\WINDOWS\system32\khfCuULC.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect] --a------ 2008-06-24 20:24 1159168 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programme\\Messenger\\msmsgs.exe"= "C:\\Programme\\ICQ6\\ICQ.exe"= R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2001-09-26 21:42] . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-27 14:00:49 Windows 5.1.2600 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostart Eintr„ge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\khfCuULC.dll PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\vqndrgpa.dll -> C:\WINDOWS\system32\opnklmJA.dll -> C:\WINDOWS\qegbdmwf.dll -> C:\WINDOWS\pntqkflv.dll . ------------------------ Other Running Processes ------------------------ . C:\Programme\Lavasoft\Ad-Aware\aawservice.exe C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\rundll32.exe C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Programme\Google\Google Updater\GoogleUpdater.exe C:\WINDOWS\system32\rundll32.exe C:\Programme\Java\jre1.6.0_02\bin\jucheck.exe . ************************************************************************** . Zeit der Fertigstellung: 2008-06-27 14:05:35 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-27 12:05:13 7 Verzeichnis(se), 24,872,697,856 Bytes frei 9 Verzeichnis(se), 24,956,108,800 Bytes frei 155 |
|
|
||
27.06.2008, 14:31
Ehrenmitglied
Beiträge: 29434 |
#6
Hallo,
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als cfscript.txt mit 'Speichern unter' auf dem Desktop. Gib an "Alle Dateien" - Speichern Zitat KILLALL::Man sollte jetzt auf dem Desktop diese Datei cfscript.txt finden. cfscript.txt und mit der rechten Maustaste auf das Symbol von Combofix ziehen danach: Combofix noch einmal anwenden ------ poste das neue Log von Combofix __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
Ich nahm mir den Rechner vor und musste feststellen, dass kein Zugriff auf den Taskmanager möglich war (Der Administrator hat den Zugriff verweigert) Ebenso war die Systemsteuerung und das Laufwerk c verschwunden.
Ich bin dann in den abgesicherten Modus geganen und sah lediglich einen schwarzen Bildschirm.
Wieder normal hochgefahren habe ich mich mit Geduld und Spucke in die DOS-Eingabeaufforderung gehangelt. Dort stellte ich mit den guten alten DOS-Befehlen fest, dass im Ordner "Windows" diverse .exe-Dateien fehlten. Diese habe ich dann von meinem Laptop per CD und Copy-Befehl wieder reinkopiert.
Danach kam ich in den abgesicherten Modus rein und konnte über die Administratoranmeldung einige Ungereimtheiten in der Registri beseitigen.
Das in der Überschrift genannte Programm ist jetzt verschwunden und auch die Meldungen und die Versuche, ins Internet zu kommen sind jetzt weg.
Nun hab ich aber das Problem, wenn ich den Rechner normal hochfahre, fehlen mir immer noch die Rechte für die Registri, Taskmanager und die Anzeige des Laufwerks c.
Wo in der Registri kann man die Berechtigungen ändern?
Der Rechner ist für meine Tochter sehr wichtig, da auf diesem diverse Steuererklärungen ihrer Mandanten sind, es wäre eine Katastrophe, wenn das verschwindet. Ebenso die entsprechenden Programme.
Danke schon mal für jeden guten Tipp