ASC Antispy, stubborn and sneaky?

27.06.2008, 00:23
...new here

Posts: 3
#1 My daughter had caught something on her computer. Right after booting, a program called ASC Antispy popped up and told of many viruses that were supposedly on the computer. She was supposed to buy a licence for the program online so that the computer could be cleaned. Of course she didn't do that, but there was also no way to switch the program off. Working on the computer was no longer possible, because at short intervals it tried to log into the internet. Every moment new warning messages appeared.

I took the computer in hand and had to find that the Task Manager could not be accessed (the administrator has denied access). The Control Panel and drive C had likewise disappeared.

I then went into Safe Mode and saw nothing but a black screen.

Booted normally again, I worked my way, with patience and perseverance, into the DOS command prompt. There I established with the good old DOS commands that various .exe files were missing from the "Windows" folder. I then copied these back in from my laptop via CD and the copy command.
After that I got into Safe Mode and was able, via the administrator login, to clean up some inconsistencies in the registry.
The program named in the title has now disappeared, and the messages and the attempts to get onto the internet are now gone as well.

But now I have the problem that when I boot the computer normally, I am still missing the permissions for the registry, the Task Manager and the display of drive C.

Where in the registry can the permissions be changed?

The computer is very important for my daughter, since it holds various tax returns of her clients; it would be a catastrophe if those disappeared. Likewise the corresponding programs.

Thanks in advance for any good tip
27.06.2008, 00:46
Honorary member

Posts: 29434
#2 Hello, hoddel

run systemscan and post the report
http://virus-protect.org/artikel/tools/systemscan.html
__________
Regards, Sabina

all about PC security
27.06.2008, 11:37
...new here

Thread starter

Posts: 3
#3 I have now created a new user (Maikes) (in Safe Mode) and activated it after a restart. Here I have the permissions again. But only in this account.

Here is the data:

SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Dokumente und Einstellungen\Maikes\Desktop\sys77280.exe
Running in: User mode
Date: 27.06.2008
Time: 11:14:04

Output limited to:
-PC accounts
-Recent files
-Duplicates in BAK folders
-Registry Run Keys
-Autoplay settings (autorun.inf)
-Scheduled jobs
-Services and Drivers (all)
-Svchost.exe instances
-Loaded Dlls
-Alternate Data Sreams
-Encrypted Files
-Hidden objects
-Master Boot Record
-Network settings
-Include HOSTS file
-Suspicious Files
-Installed Applications

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Gast
| Hilfeassistent (Disabled)
Yes | Maikes
Yes | Simon
| SUPPORT_388945a0 (Disabled)

### users folders


### startup files in users folders


===================== RECENT FILES =====================

Showing files newer than 60 days

----- recent files in C:\
18.06.2008 21:50:23 188 byte 9 days old -- LxDasi.Log
26.06.2008 18:57:11 211 byte 1 days old -- boot.ini
26.06.2008 19:56:31 19153264 byte 1 days old -- aaw2008_10.exe
26.06.2008 22:25:38 (DIR) 0 byte 1 days old -- WINDOWS
26.06.2008 22:28:19 (DIR) 0 byte 1 days old -- Programme
27.06.2008 00:10:35 (DIR) 0 byte 0 days old -- System Volume Information
27.06.2008 09:39:06 (DIR) 0 byte 0 days old -- RECYCLER
27.06.2008 09:41:59 (DIR) 0 byte 0 days old -- Dokumente und Einstellungen
27.06.2008 11:01:09 176160768 byte 0 days old -- pagefile.sys

----- recent files in C:\WINDOWS\
27.05.2008 19:16:36 2890 byte 31 days old -- mozver.dat
18.06.2008 20:02:20 35 byte 9 days old -- tdf.dii
18.06.2008 20:02:20 253 byte 9 days old -- tm.ini
18.06.2008 21:50:24 373 byte 9 days old -- LXfoIn54.INI
24.06.2008 18:51:32 180224 byte 3 days old -- qegbdmwf.dll
24.06.2008 18:51:32 233472 byte 3 days old -- pntqkflv.dll
24.06.2008 18:51:34 245760 byte 3 days old -- gfetqaxstmk.dll
24.06.2008 18:51:34 155648 byte 3 days old -- gxvpsafm.dll

26.06.2008 18:46:25 (DIR) 0 byte 1 days old -- Registration
26.06.2008 18:57:08 (DIR) 0 byte 1 days old -- pss
26.06.2008 18:57:11 573 byte 1 days old -- win.ini
26.06.2008 18:57:11 227 byte 1 days old -- system.ini
26.06.2008 20:23:34 (DIR) 0 byte 1 days old -- system32
26.06.2008 22:22:03 263737 byte 1 days old -- setupapi.log
27.06.2008 09:38:17 519190 byte 0 days old -- ntbtlog.txt
27.06.2008 09:44:50 97507 byte 0 days old -- WindowsUpdate.log
27.06.2008 11:01:18 2048 byte 0 days old -- bootstat.dat
27.06.2008 11:01:36 0 byte 0 days old -- 0.log
27.06.2008 11:02:42 (DIR) 0 byte 0 days old -- Temp
27.06.2008 11:03:38 1519 byte 0 days old -- OEWABLog.txt
27.06.2008 11:03:38 2109 byte 0 days old -- wmsetup.log
27.06.2008 11:03:49 (DIR) 0 byte 0 days old -- Installer
27.06.2008 11:05:04 159 byte 0 days old -- wiadebug.log
27.06.2008 11:05:04 0 byte 0 days old -- wiaservc.log

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
16.05.2008 11:58:04 12632 byte 42 days old -- lsdelete.exe
24.06.2008 20:22:41 19456 byte 3 days old -- opus16.dll
24.06.2008 20:23:22 19456 byte 3 days old -- nada32.dll
24.06.2008 20:24:52 28288 byte 3 days old -- khfCuULC.dll
25.06.2008 18:14:28 321920 byte 2 days old -- hgGwVNeb.dll
25.06.2008 18:18:15 0 byte 2 days old -- clkcnt.txt

26.06.2008 18:46:27 (DIR) 0 byte 1 days old -- wbem
26.06.2008 18:46:50 (DIR) 0 byte 1 days old -- config
26.06.2008 19:44:32 (DIR) 0 byte 1 days old -- dllcache
26.06.2008 20:23:35 (DIR) 0 byte 1 days old -- drivers
26.06.2008 23:00:13 2422 byte 1 days old -- wpa.dbl
26.06.2008 23:44:54 (DIR) 0 byte 1 days old -- CatRoot2
27.06.2008 00:10:35 (DIR) 0 byte 0 days old -- Restore
27.06.2008 11:11:17 2341 byte 0 days old -- beNVwGgh.ini2
27.06.2008 11:12:54 2341 byte 0 days old -- beNVwGgh.ini

----- recent files in C:\WINDOWS\system32\drivers\
29.04.2008 11:19:50 12960 byte 59 days old -- Awrtpd.sys
29.04.2008 11:19:54 15648 byte 59 days old -- Awrtrd.sys
29.04.2008 11:20:00 15648 byte 59 days old -- NSDriver.sys
20.05.2008 21:50:05 21248 byte 38 days old -- ssmdrv.sys
20.05.2008 21:50:05 79424 byte 38 days old -- avipbb.sys

----- recent files in C:\WINDOWS\temp\
25.06.2008 18:26:10 (DIR) 0 byte 2 days old -- Temporary Internet Files
25.06.2008 18:26:13 (DIR) 0 byte 2 days old -- Verlauf
25.06.2008 18:26:13 (DIR) 0 byte 2 days old -- Cookies
26.06.2008 18:36:39 16384 byte 1 days old -- Perflib_Perfdata_288.dat
26.06.2008 21:51:25 512 byte 1 days old -- etilqs_gP3P8zRJMZbN3Sf-journal
26.06.2008 21:51:25 0 byte 1 days old -- etilqs_q7YfhZSvk2ygWY8
27.06.2008 08:47:44 16384 byte 0 days old -- Perflib_Perfdata_fec.dat

----- recent files in C:\Programme\
25.06.2008 18:12:38 0 byte 2 days old -- uninstall.dat
25.06.2008 18:12:38 62910 byte 2 days old -- Uninstall.exe
26.06.2008 19:02:37 (DIR) 0 byte 1 days old -- ICQToolbar
26.06.2008 19:17:24 (DIR) 0 byte 1 days old -- Mozilla Firefox
26.06.2008 19:52:07 (DIR) 0 byte 1 days old -- Q-Dir
26.06.2008 20:23:35 (DIR) 0 byte 1 days old -- Lavasoft

----- recent files in C:\Programme\Gemeinsame Dateien\
26.06.2008 20:00:49 (DIR) 0 byte 1 days old -- Wise Installation Wizard

----- recent files in C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten\
27.06.2008 11:03:29 (DIR) 0 byte 0 days old -- Identities
27.06.2008 11:04:39 (DIR) 0 byte 0 days old -- Adobe
27.06.2008 11:05:20 (DIR) 0 byte 0 days old -- Lexware
27.06.2008 11:10:30 (DIR) 0 byte 0 days old -- Microsoft

----- recent files in C:\DOKUME~1\Maikes\LOKALE~1\Temp\
27.06.2008 11:10:03 514 byte 0 days old -- jusched.log
27.06.2008 11:11:52 2 byte 0 days old -- Twain001.Mtx
27.06.2008 11:11:52 156 byte 0 days old -- Twunk001.MTX
27.06.2008 11:11:52 0 byte 0 days old -- Twunk002.MTX
27.06.2008 11:11:53 723 byte 0 days old -- TWAIN.LOG
27.06.2008 11:12:58 58 byte 0 days old -- systemscan.ini
27.06.2008 11:13:02 16384 byte 0 days old -- ~DF51C7.tmp
27.06.2008 11:14:06 (DIR) 0 byte 0 days old -- nsdC.tmp

===================== DUPLICATE FILES IN BAK FOLDERS =====================

No BAK folders found

===================== REGISTRY SCAN =====================


-----HKLM\Software\Microsoft\Windows\CurrentVersion\Run-----

[Run]
"Adobe Photo Downloader"="\"C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe\""
"avgnt"="\"C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe\" /min"
"SunJavaUpdateSched"="\"C:\Programme\Java\jre1.6.0_02\bin\jusched.exe\""
"LexwareInfoService"="C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart"
"D-Link AirPlus G"="C:\Programme\D-Link\AirPlus G\AirGCFG.exe"
"ANIWZCS2Service"="C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe"

[Run\OptionalComponents]

[Run\OptionalComponents\IMAIL]
"Installed"="1"

[Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[Run\OptionalComponents\MSFS]
"Installed"="1"

-----HKCU\Software\Microsoft\Windows\CurrentVersion\Run-----

[Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe"

-----HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run-----

[Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE"

-----HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-----

-----HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run-----

-----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows-----

[Windows]
"AppInit_DLLs"=""

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad-----

[ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

HKCR\CLSID\{704256A8-EB18-4FBB-943D-0843F08DD20A}\InprocServer32 @="C:\WINDOWS\qegbdmwf.dll"
"pntqkflv"="{F33F7155-384B-404D-865C-994967DD0B12}"
#### HKCR\CLSID\{F33F7155-384B-404D-865C-994967DD0B12}\InprocServer32 @="C:\WINDOWS\pntqkflv.dll"


-----HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks-----

[ShellExecuteHooks]

#### HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572}\InprocServer32 @="C:\WINDOWS\system32\khfCuULC.dll"

-----HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-----

[Winlogon]
"Shell"="Explorer.exe"
"System"=""
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"UIHost"=expand:"logonui.exe"
"LogonType"=dword:00000001
"WinStationsDisabled"="0"

[Winlogon\GPExtensions]

[Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
"@="Microsoft-Datenträgerkontingent"
"DllName"=expand:"dskquota.dll"

[Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
"@="Internet Explorer-Zonenzuordnung"
"DllName"=expand:"iedkcs32.dll"

[Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
"@="Security"

[Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"DllName"=expand:"iedkcs32.dll"
"@="Internet Explorer-Branding"

[Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"DllName"=expand:"scecli.dll"
"@="EFS recovery"

[Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
"@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\System32\cscui.dll"

[Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
"@="Softwareinstallation"
"DllName"=expand:"appmgmts.dll"

[Winlogon\Notify]

[Winlogon\Notify\crypt32chain]
"DllName"=expand:"crypt32.dll"

[Winlogon\Notify\cryptnet]
"DllName"=expand:"cryptnet.dll"

[Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[Winlogon\Notify\khfCuULC]
"DllName"="khfCuULC.dll"


[Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"

[Winlogon\Notify\Schedule]
"DllName"=expand:"wlnotify.dll"

[Winlogon\Notify\sclgntfy]
"DllName"=expand:"sclgntfy.dll"

[Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"

[Winlogon\Notify\termsrv]
"DllName"=expand:"wlnotify.dll"

[Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"

[Winlogon\SpecialAccounts]

[Winlogon\SpecialAccounts\UserList]
"Hilfeassistent"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"HelpAssistant"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000

-----HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon-----

[Winlogon]
"ParseAutoexec"="1"
"ExcludeProfileDirs"="Lokale Einstellungen;Temporary Internet Files;Verlauf;Temp"
"BuildNumber"=dword:00000a28

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options-----

[Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

-----HKLM\System\CurrentControlSet\Control\Session Manager\-----

[Session Manager]
"BootExecute"=multi:"autocheck autochk *\00lsdelete\00\00"

[Session Manager\SubSystems]
"Windows"=expand:"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

-----HKLM\SYSTEM\CurrentControlSet\Control\WOW-----

[WOW]
"cmdline"=expand:"%SystemRoot%\system32\ntvdm.exe"
"wowcmdline"=expand:"%SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386"

-----HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run-----

-----HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce-----

[RunOnce]

-----HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-----

[RunOnceEx]

-----HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices-----

-----HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-----

-----HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce-----

-----HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx-----

-----HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices-----

-----HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run-----

-----HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce-----

-----HKLM\Software\Microsoft\Command Processor\Autorun-----

-----HKCU\Software\Microsoft\Command Processor\Autorun-----

-----HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load-----

-----HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup-----

-----HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon-----

-----HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon-----

-----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce-----

-----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run-----

-----HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms-----

-----HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce-----

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler-----

[SharedTaskScheduler]


-----HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects-----

[Browser Helper Objects]

[Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@=""

[Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}]
#### HKCR\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8}\InprocServer32 @="C:\WINDOWS\system32\nada32.dll"


[Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
#### HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32 @="C:\Programme\Java\jre1.6.0_02\bin\ssv.dll"
"NoExplorer"=dword:00000001

[Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}]
#### HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572}\InprocServer32 @="C:\WINDOWS\system32\khfCuULC.dll"

[Browser Helper Objects\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}]
#### HKCR\CLSID\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}\InprocServer32 @="C:\WINDOWS\gfetqaxstmk.dll"


[Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
#### HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32 @="C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll"

[Browser Helper Objects\{D1D81E18-4363-484D-92CB-D5A8F33BF4E0}]
#### HKCR\CLSID\{D1D81E18-4363-484D-92CB-D5A8F33BF4E0}\InprocServer32 @="C:\WINDOWS\system32\hgGwVNeb.dll"


-----HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks-----

[URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
#### HKCR\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InprocServer32 @=expand:"%SystemRoot%\system32\shdocvw.dll"

-----HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig-----

[MSConfig]

[MSConfig\services]

[MSConfig\startupfolder]

[MSConfig\startupreg]

[MSConfig\startupreg\WinSpywareProtect]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="winspywareprotect"
"hkey"="HKCU"
"command"="\"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe\" /autorun"
"inimapping"="0"


[MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002

-----HKCU\Control Panel\Desktop\-----

[Desktop]
"SCRNSAVE.EXE"="C:\WINDOWS\system32\logon.scr"

[Desktop\WindowMetrics]

-----HKEY_CLASSES_ROOT\exefile\shell\open\command-----

[command]
@="\"%1\" %*"

-----HKEY_CLASSES_ROOT\comfile\shell\open\command-----

[command]
@="\"%1\" %*"

-----HKEY_CLASSES_ROOT\batfile\shell\open\command-----

[command]
@="\"%1\" %*"

-----HKEY_CLASSES_ROOT\piffile\shell\open\command-----

[command]
@="\"%1\" %*"

-----HKEY_CLASSES_ROOT\scrFile\shell\open\command-----

[command]
@="\"%1\" /S"

-----HKEY_CLASSES_ROOT\htafile\shell\open\command-----

[Command]
@="C:\WINDOWS\system32\mshta.exe \"%1\" %*"

-----HKEY_CLASSES_ROOT\logfile\shell\open\command-----

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL-----

[URL]

[URL\DefaultPrefix]
@="http://"

[URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

-----HKLM\SYSTEM\CurrentControlSet\Control\Lsa-----

[Lsa]

[Lsa\AccessProviders]

[Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=expand:"%SystemRoot%\system32\ntmarta.dll"

[Lsa\Audit]

[Lsa\Audit\PerUserAuditing]

[Lsa\Audit\PerUserAuditing\System]

[Lsa\Data]

[Lsa\SSO]

[Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[Lsa\SspiCache]

[Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"

[Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"

[Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"

-----HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess-----

[SharedAccess]
"DependOnGroup"=multi:"\00"
"DependOnService"=multi:"Netman\00WinMgmt\00\00"
"Description"="Bietet allen Computern in Heim- und kleinen Firmennetzwerken Dienste für die Netzwerkadressübersetzung, Adressierung, Namensauflösung und Eindringsschutz."
"DisplayName"="Windows-Firewall/Gemeinsame Nutzung der Internetverbindung"
"ErrorControl"=dword:00000001
"ImagePath"=expand:"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
"Group"=""

[SharedAccess\Epoch]
"Epoch"=dword:000001b3

[SharedAccess\Parameters]
"ServiceDll"=expand:"%SystemRoot%\System32\ipnathlp.dll"

[SharedAccess\Parameters\FirewallPolicy]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enaxxxxx@xxxxxres.dll,-22019"

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enaxxxxx@xxxxxres.dll,-22004"
"445:TCP"="445:TCP:*:Enaxxxxx@xxxxxres.dll,-22005"
"137:UDP"="137:UDP:*:Enaxxxxx@xxxxxres.dll,-22001"
"138:UDP"="138:UDP:*:Enaxxxxx@xxxxxres.dll,-22002"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enaxxxxx@xxxxxres.dll,-22019"
"C:\Programme\Messenger\msmsgs.exe"="C:\Programme\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Programme\ICQ6\ICQ.exe"="C:\Programme\ICQ6\ICQ.exe:*:Enabled:ICQ6"

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22008"
"139:TCP"="139:TCP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enaxxxxx@xxxxxres.dll,-22002"

[SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

-----HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Firewall\-----

-----HKEY_LOCAL_MACHINE\SOFTWARE\Winsock2-----

-----HKLM\Software\Microsoft\Ole-----

[Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
"EnableDCOM"="Y"

[Ole\AppCompat]

[Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

-----HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\-----

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\-----

[Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[Security Center\Monitoring]

[Security Center\Monitoring\AhnlabAntiVirus]

[Security Center\Monitoring\ComputerAssociatesAntiVirus]

[Security Center\Monitoring\KasperskyAntiVirus]

[Security Center\Monitoring\McAfeeAntiVirus]

[Security Center\Monitoring\McAfeeFirewall]

[Security Center\Monitoring\PandaAntiVirus]

[Security Center\Monitoring\PandaFirewall]

[Security Center\Monitoring\SophosAntiVirus]

[Security Center\Monitoring\SymantecAntiVirus]

[Security Center\Monitoring\SymantecFirewall]

[Security Center\Monitoring\TinyFirewall]

[Security Center\Monitoring\TrendAntiVirus]

[Security Center\Monitoring\TrendFirewall]

[Security Center\Monitoring\ZoneLabsFirewall]

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\-----

[SystemRestore]
"DisableSR"=dword:00000000
"CreateFirstRunRp"=dword:00000001
"DSMin"=dword:000000c8
"DSMax"=dword:00000190
"RPSessionInterval"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"CompressionBurst"=dword:0000003c
"TimerInterval"=dword:00000078
"DiskPercent"=dword:0000000c
"ThawInterval"=dword:00000384
"RestoreDiskSpaceError"=dword:00000000
"RestoreStatus"=dword:00000001
"RestoreSafeModeStatus"=dword:00000000

[SystemRestore\Cfg]
"DiskPercent"=dword:0000000c
"MachineGuid"="{64AB1029-AC96-4312-9A81-A0ACDF6ECA81}"

[SystemRestore\SnapshotCallbacks]
@=""

-----HKEY_CURRENT_USER\Software\VB and VBA Program Settings-----

-----HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\-----

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions-----

[AdvancedOptions]

-----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions-----

-----HKLM\Software\Microsoft\Active Setup\Installed Components-----

[Installed Components]

[Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"Stubpath"="C:\WINDOWS\inf\unregmp2.exe /ShowWMP"
"@="Microsoft Windows Media Player"
"ComponentID"="WMPACCESS"

[Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
"@="Internet Explorer"
"ComponentID"="IEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE"

[Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
"@="Browseranpassungen"
"ComponentID"="BRANDING.CAB"
"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"

[Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
"@="Outlook Express"
"ComponentID"="OEACCESS"
"StubPath"=expand:"%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE"

[Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
"@="Java (Sun)"
"ComponentID"="JAVAVM"
"KeyFileName"="C:\Programme\Java\jre1.6.0_02\bin\regutils.dll"

[Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
"@="Vektorgrafik-Rendering (VML)"
"ComponentID"="MSVML"

[Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
#### HKCR\CLSID\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"ComponentID"="NetShow"
"StubPath"=""

[Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
#### HKCR\CLSID\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\InprocServer32 @="C:\WINDOWS\system32\wmpdxm.dll"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"=""
"@="Microsoft Windows Media Player 6.4"

[Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
#### HKCR\CLSID\{283807B5-2C60-11D0-A31D-00AA00B92C03}\InprocServer32 @="C:\WINDOWS\system32\danim.dll"
"@="DirectAnimation"
"ComponentID"="DirectAnimation"

[Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
"@="Themes Setup"
"ComponentID"="Theme Component"
"StubPath"=expand:"%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll"

[Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
"@="Dynamic HTML-Datenbindung für Java"
"ComponentID"="TridataJava"

[Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]
"@="Offlinebrowsingpaket"
"ComponentID"="MobilePk"

[Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
"@="Uniscribe"
"ComponentID"="USP10"

[Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}]
"@="Erweitertes Authoring"
"ComponentID"="AdvAuth"

[Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"@="Microsoft Outlook Express 6"
"ComponentID"="MailNews"
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:OE /CALLER:WINNT /user /install"

[Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
"@="NetMeeting 3.01"
"ComponentID"="NetMeeting"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT"

[Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
"@="DirectShow"
"ComponentID"="activemovie"

[Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
"@="DirectDrawEx"
"ComponentID"="DirectDrawEx"

[Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
"@="Internet Explorer-Hilfe"
"ComponentID"="HelpCont"

[Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
"@="DirectAnimation Java Classes"
"ComponentID"="DAJava"

[Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
"@="Microsoft Windows Script 5.6"
"ComponentID"="MSVBScript"

[Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
"KeyFileName"="C:\Programme\Messenger\msmsgs.exe"
"@="Windows Messenger 4.7"
"ComponentID"="Messenger"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser"

[Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
"(Default)"="Internet Connection Wizard"
"ComponentID"="ICW"

[Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
"@="Internet Explorer Setup Tools"
"ComponentID"="GenSetup"

[Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
"@="Browsererweiterungen"
"ComponentID"="ExtraPack"
"KeyFileName"="C:\WINDOWS\system32\msieftp.dll"

[Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
#### HKCR\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32 @="C:\WINDOWS\system32\wmp.dll"
"@="Microsoft Windows Media Player"
"ComponentID"="Microsoft Windows Media Player"
"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub"

[Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
"@="Zugang zu MSN Site"
"ComponentID"="MSN_Auth"

[Installed Components\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}]
"ComponentID"=".NETFramework"
"@=".NET Framework"

[Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"@="Adressbuch 6"
"ComponentID"="WAB"
"StubPath"=expand:"\"%ProgramFiles%\Outlook Express\setup50.exe\" /APP:WAB /CALLER:WINNT /user /install"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"@="Windows Desktop-Update"
"ComponentID"="IE4Shell_NT"
"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"@="Internet Explorer 6"
"ComponentID"="BASEIE40_W2K"
"StubPath"=expand:"%SystemRoot%\system32\ie4uinit.exe"

[Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\AuthorizedCDFPrefix]

[Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install"
"ComponentID"="DOTNETFRAMEWORKS"

[Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
"@="Dynamic HTML-Datenbindung"
"ComponentID"="Tridata"

[Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}]

[Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]
"@="Internet Explorer-Hauptschriftarten"
"ComponentID"="Fontcore"

[Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
"@="Taskplaner"
"ComponentID"="MSTASK"

[Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
"ComponentID"="Windows Movie Maker v2.1"

[Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"@="Adobe Flash Player 9 ActiveX"
"ComponentID"="Flash"

[Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
"@="HTML-Hilfe"
"ComponentID"="HTMLHelp"

[Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]
"@="Active Directory Service Interface"
"ComponentID"="ADSI"

-----Comparing registry keys CCS1 vs CCS2 -----
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\DS
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\LSA
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\NetDDE Object
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\SC Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Security Account Manager
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Eventlog\Security\Spooler
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\MRxDAV\EncryptedDirectories
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\mssmbios\Data
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\SharedAccess\Epoch Epoch REG_DWORD 435 (0x1B3)
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\SharedAccess\Epoch Epoch REG_DWORD 432 (0x1B0)
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} NTEContextList REG_MULTI_SZ \0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} NTEContextList REG_MULTI_SZ 0x00000003\0\0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpNameServer REG_SZ 213.191.74.18 192.168.0.1
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpDomain REG_SZ
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpDefaultGateway REG_MULTI_SZ 192.168.0.1\0\0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\Tcpip\Parameters\Interfaces\{C637C02F-67B6-487C-BE6A-5980BADADFEA} DhcpSubnetMaskOpt REG_MULTI_SZ 255.255.255.0\0\0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\{C637C02F-67B6-487C-BE6A-5980BADADFEA}\Parameters\Tcpip DhcpDefaultGateway REG_MULTI_SZ 192.168.0.1\0\0
> Value: HKEY_LOCAL_MACHINE\system\controlset002\services\{C637C02F-67B6-487C-BE6A-5980BADADFEA}\Parameters\Tcpip DhcpSubnetMaskOpt REG_MULTI_SZ 255.255.255.0\0\0

Result compared: Different


-----Comparing registry keys CCS1 vs CCS3 -----
< Value: HKEY_LOCAL_MACHINE\system\controlset001\services

Result compared: Identical


===================== AUTOPLAY SETTINGS =====================

~~~~~~~~~~~~~~~~~~~~~ Registry setting ~~~~~~~~~~~~~~~~~~~~~
(note: default values should be 91 or 95)


-----HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer-----

[Explorer]
"NoDriveTypeAutoRun"=dword:00000091

-----HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer-----

[Explorer]
"NoDriveTypeAutoRun"=dword:00000091

Autorun is enabled on:
DRIVE_UNKNOWN = False
DRIVE_NO_ROOT_DIR = True
DRIVE_REMOVABLE = True
DRIVE_FIXED = True
DRIVE_REMOTE = False
DRIVE_CDROM = True
DRIVE_RAMDISK = True
RESERVED = False
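
The drive-type table the scanner prints is nothing more than the NoDriveTypeAutoRun value read out bit by bit: every bit that is set disables AutoRun for one drive type, so 0x91 keeps it on for removable, fixed and CD-ROM drives. The following is an added example (editor's code for this thread, not the scanner's own and not part of the posted log) that parses the .reg-style line shown above and reproduces the table; it assumes only the standard Win32 drive-type bit layout.

```python
"""Decode Explorer's NoDriveTypeAutoRun policy value (added example, not scanner output)."""
from typing import Optional

# (bit, name) in the order the scanner prints them; a SET bit DISABLES autorun.
DRIVE_TYPES = [
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "RESERVED"),
]
DISABLE_ALL = 0xFF  # hardened value: AutoRun off for every drive type


def parse_reg_dword(line: str) -> int:
    """Parse a .reg-style line such as '"NoDriveTypeAutoRun"=dword:00000091'."""
    name, sep, value = line.strip().partition("=")
    if not sep or name.strip('"') != "NoDriveTypeAutoRun" or not value.startswith("dword:"):
        raise ValueError(f"not a NoDriveTypeAutoRun dword line: {line!r}")
    return int(value[len("dword:"):], 16)


def autorun_enabled(mask: int) -> dict:
    """Map each drive type to True if AutoRun is still enabled under this mask."""
    return {name: not (mask & bit) for bit, name in DRIVE_TYPES}


def enabled_types(mask: int) -> list:
    """Drive types that still honour autorun.inf under this mask."""
    return [name for bit, name in DRIVE_TYPES if not mask & bit]


def format_table(mask: int) -> list:
    """Render the same 'NAME = True/False' table the scanner prints."""
    return [f"{name} = {enabled}" for name, enabled in autorun_enabled(mask).items()]


def effective_mask(hklm: Optional[int], hkcu: Optional[int]) -> int:
    """Machine policy (HKLM\\...\\Policies\\Explorer) overrides the per-user value."""
    if hklm is not None:
        return hklm
    if hkcu is not None:
        return hkcu
    raise ValueError("NoDriveTypeAutoRun not set in either hive; OS default applies")


if __name__ == "__main__":
    mask = parse_reg_dword('"NoDriveTypeAutoRun"=dword:00000091')  # value from the log
    print("\n".join(format_table(mask)))
    print("still enabled:", enabled_types(mask))
    print("hardened:", enabled_types(DISABLE_ALL))
```

Run against the 0x91 from the log this prints exactly the table above; 0xFF leaves the list empty. One caveat on the autorun.inf the scanner found: Explorer only processes autorun.inf in the root directory of a volume, so a copy inside a Desktop subfolder is not a launch vector by itself, whatever the bitmask says.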

~~~~~~~~~~~~~~~~~~~~~ Autorun.inf files ~~~~~~~~~~~~~~~~~~~~~

### C:\Dokumente und Einstellungen\Simon\Desktop\BWV Prüfungsprogramm\autorun.inf
open=setup.exe

===================== SCHEDULED JOBS =====================

jobs found in C:\WINDOWS:

01.01.2000 00:12:08 6 byte 3100 days old -- C:\WINDOWS\tasks\SA.DAT
28.02.2006 14:00:00 65 byte 850 days old -- C:\WINDOWS\tasks\desktop.ini
~~~~~~~~~~~~~~~~~~~~~
Active jobs:

~~~~~~~~~~~~~~~~~~~~~
Most recent (50) lines in jobs scheduled log:


===================== LIST OF ALL SERVICES & DRIVERS =====================


------------------------------------------------------------------------------
System pid: 4
Command line: <no command line>
------------------------------------------------------------------------------
smss.exe pid: 568
Command line: \SystemRoot\System32\smss.exe

Base Size Version Path
0x48580000 0xf000 \SystemRoot\System32\smss.exe
------------------------------------------------------------------------------
csrss.exe pid: 800
Command line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Base Size Version Path
0x4a680000 0x5000 \??\C:\WINDOWS\system32\csrss.exe
0x75ae0000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\CSRSRV.dll
0x75af0000 0x10000 5.01.2600.2180 C:\WINDOWS\system32\basesrv.dll
0x75b00000 0x4a000 5.01.2600.2180 C:\WINDOWS\system32\winsrv.dll
------------------------------------------------------------------------------
winlogon.exe pid: 824
Command line: winlogon.exe

Base Size Version Path
0x01000000 0x81000 \??\C:\WINDOWS\system32\winlogon.exe
0x77690000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\AUTHZ.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x10000000 0x10000 C:\WINDOWS\system32\khfCuULC.dll
0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL
------------------------------------------------------------------------------
services.exe pid: 868
Command line: C:\WINDOWS\system32\services.exe

Base Size Version Path
0x01000000 0x1c000 5.01.2600.2180 C:\WINDOWS\system32\services.exe
0x77b40000 0x53000 5.01.2600.2180 C:\WINDOWS\system32\SCESRV.dll
0x77690000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\AUTHZ.dll
0x75850000 0x1f000 5.01.2600.2180 C:\WINDOWS\system32\umpnpmgr.dll
0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x772d0000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\eventlog.dll
------------------------------------------------------------------------------
lsass.exe pid: 880
Command line: C:\WINDOWS\system32\lsass.exe

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\lsass.exe
0x753d0000 0xb6000 5.01.2600.2180 C:\WINDOWS\system32\LSASRV.dll
0x743c0000 0x6e000 5.01.2600.2180 C:\WINDOWS\system32\SAMSRV.dll
0x76740000 0xc000 5.01.2600.2180 C:\WINDOWS\system32\cryptdll.dll
0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll
0x76750000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x20000000 0xe000 5.01.2600.2180 C:\WINDOWS\system32\msprivs.dll
0x71c70000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\kerberos.dll
0x74430000 0x65000 5.01.2600.2180 C:\WINDOWS\system32\netlogon.dll
0x76770000 0x2d000 5.01.2600.2180 C:\WINDOWS\system32\w32time.dll
0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll
0x767a0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\schannel.dll
0x742f0000 0xf000 5.01.2600.2180 C:\WINDOWS\system32\wdigest.dll
0x10000000 0x9d000 C:\WINDOWS\system32\hgGwVNeb.dll
0x74380000 0x30000 5.01.2600.2180 C:\WINDOWS\system32\scecli.dll
0x74350000 0x30000 5.01.2600.2180 C:\WINDOWS\system32\ipsecsvc.dll
0x77690000 0x11000 5.01.2600.2180 C:\WINDOWS\system32\AUTHZ.dll
0x756c0000 0xce000 5.01.2600.2180 C:\WINDOWS\system32\oakley.DLL
0x742e0000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\WINIPSEC.DLL
0x74310000 0xb000 5.01.2600.2180 C:\WINDOWS\system32\pstorsvc.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x74330000 0x1b000 5.01.2600.2180 C:\WINDOWS\system32\psbase.dll
0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x68100000 0x24000 5.01.2600.2133 C:\WINDOWS\system32\dssenh.dll
------------------------------------------------------------------------------
svchost.exe pid: 1048
Command line: C:\WINDOWS\system32\svchost -k DcomLaunch

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x77690000 0x11000 5.01.2600.2180 c:\windows\system32\AUTHZ.dll
0x76ad0000 0x11000 3.05.2284.0000 c:\windows\system32\ATL.DLL
------------------------------------------------------------------------------
svchost.exe pid: 1132
Command line: C:\WINDOWS\system32\svchost -k rpcss

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll
------------------------------------------------------------------------------
svchost.exe pid: 1172
Command line: C:\WINDOWS\System32\svchost.exe -k netsvcs

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\svchost.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\System32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x76ee0000 0x27000 5.01.2600.2180 c:\windows\system32\DNSAPI.dll
0x76ad0000 0x11000 3.05.2284.0000 c:\windows\system32\ATL.DLL
0x663a0000 0xc000 5.01.2600.2180 c:\windows\system32\irmon.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\System32\hnetcfg.dll
0x590a0000 0x6000 5.01.2600.2180 C:\WINDOWS\System32\wshirda.dll
0x767a0000 0x27000 5.01.2600.2180 C:\WINDOWS\System32\SCHANNEL.dll
0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\System32\MSVCP60.dll
0x76750000 0x13000 5.01.2600.2180 c:\windows\system32\NTDSAPI.dll
0x776e0000 0x41000 2001.12.4414.0258 c:\windows\system32\es.dll
0x74ec0000 0xc000 5.01.2600.2180 c:\windows\pchealth\helpctr\binaries\pchsvc.dll
0x4f110000 0x28000 5.01.2600.2180 c:\windows\system32\wbem\wmisvc.dll
0x76770000 0x2d000 5.01.2600.2180 c:\windows\system32\w32time.dll
0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x76bc0000 0x2f000 5.01.2600.2180 c:\windows\system32\credui.dll
0x68d80000 0x9000 5.01.2600.2180 c:\windows\system32\hidserv.dll
0x77690000 0x11000 5.01.2600.2180 c:\windows\system32\AUTHZ.dll
0x742e0000 0xb000 5.01.2600.2180 c:\windows\system32\WINIPSEC.DLL
0x58030000 0x36000 5.01.2600.2180 C:\WINDOWS\System32\unimdm.tsp
0x5b3f0000 0x16000 5.01.2600.2180 C:\WINDOWS\System32\unimdmat.dll
0x61a70000 0x29000 5.01.2600.2180 C:\WINDOWS\system32\modemui.dll
0x580b0000 0xb000 5.01.2600.2180 C:\WINDOWS\System32\kmddsp.tsp
0x58090000 0x10000 5.01.2600.2180 C:\WINDOWS\System32\ndptsp.tsp
0x580c0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\ipconf.tsp
0x580e0000 0x46000 5.01.2600.2180 C:\WINDOWS\System32\h323.tsp
0x580d0000 0xa000 5.01.2600.2180 C:\WINDOWS\System32\hidphone.tsp
0x71c70000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\kerberos.dll
0x76740000 0xc000 5.01.2600.2180 C:\WINDOWS\System32\cryptdll.dll
0x5af90000 0x64000 6.06.2600.2180 c:\windows\system32\qmgr.dll
0x74e50000 0xe000 5.01.2600.2180 C:\WINDOWS\system32\wbem\wbemsvc.dll
------------------------------------------------------------------------------
svchost.exe pid: 1252
Command line: C:\WINDOWS\system32\svchost.exe -k NetworkService

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x76ee0000 0x27000 5.01.2600.2180 c:\windows\system32\DNSAPI.dll
------------------------------------------------------------------------------
svchost.exe pid: 1352
Command line: C:\WINDOWS\system32\svchost.exe -k LocalService

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
------------------------------------------------------------------------------
aawservice.exe pid: 1624
Command line: C:\Programme\Lavasoft\Ad-Aware\aawservice.exe

Base Size Version Path
0x00400000 0x97000 7.01.0000.0003 C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
0x10000000 0xc5000 7.01.0000.0007 C:\Programme\Lavasoft\Ad-Aware\CEAPI.dll
0x004a0000 0x21b000 8.04.1045.0000 C:\Programme\Lavasoft\Ad-Aware\PKArchive85u.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
------------------------------------------------------------------------------
spoolsv.exe pid: 2036
Command line: C:\WINDOWS\system32\spoolsv.exe

Base Size Version Path
0x01000000 0x10000 5.01.2600.2180 C:\WINDOWS\system32\spoolsv.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\system32\mswsock.dll
0x76750000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll
------------------------------------------------------------------------------
explorer.exe pid: 2044
Command line: C:\WINDOWS\Explorer.EXE

Base Size Version Path
0x01000000 0xff000 6.00.2900.2180 C:\WINDOWS\Explorer.EXE
0x75f20000 0xfd000 6.00.2900.2853 C:\WINDOWS\system32\BROWSEUI.dll
0x77730000 0x16e000 6.00.2900.2853 C:\WINDOWS\system32\SHDOCVW.dll
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x10000000 0x9d000 C:\WINDOWS\system32\hgGwVNeb.dll
0x55df0000 0xd000 17.01.0051.0000 C:\WINDOWS\system32\AcSignIcon.dll
0x782e0000 0x10f000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80U.DLL
0x78130000 0x9b000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
0x5d360000 0x10000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\MFC80DEU.DLL
0x5b9b0000 0x72000 6.00.2900.2180 C:\WINDOWS\system32\themeui.dll
0x76320000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\MSIMG32.dll
0x01230000 0x8e000 6.00.2900.2180 C:\WINDOWS\system32\shdoclc.dll
0x00ff0000 0x10000 C:\WINDOWS\system32\khfCuULC.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\mswsock.dll
0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll
0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll
0x74e70000 0x8000 5.01.2600.2180 C:\WINDOWS\system32\wbem\wbemprox.dll
0x74e50000 0xe000 5.01.2600.2180 C:\WINDOWS\system32\wbem\wbemsvc.dll
0x76020000 0x65000 6.02.3104.0000 C:\WINDOWS\system32\MSVCP60.dll
0x76750000 0x13000 5.01.2600.2180 C:\WINDOWS\system32\NTDSAPI.dll
0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
0x71cc0000 0x1c000 6.00.2900.2180 C:\WINDOWS\system32\actxprxy.dll
0x55fe0000 0x52000 17.01.0051.0000 C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcSignCore16.dll
0x7c420000 0x87000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
0x76930000 0x8000 5.01.2600.2180 C:\WINDOWS\system32\LINKINFO.dll
0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL
0x765c0000 0x21000 5.01.2600.2180 C:\WINDOWS\system32\stobject.dll
0x74a70000 0xa000 6.00.2900.2180 C:\WINDOWS\system32\BatMeter.dll
0x76bc0000 0x2f000 5.01.2600.2180 C:\WINDOWS\system32\credui.dll
0x01930000 0x2d000 C:\WINDOWS\qegbdmwf.dll
0x01860000 0x3b000 C:\WINDOWS\pntqkflv.dll
0x00f40000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
0x60010000 0x33000 5.01.2600.2180 C:\WINDOWS\system32\msutb.dll
0x75f00000 0x7000 5.01.2600.2180 C:\WINDOWS\System32\drprov.dll
0x71b90000 0xe000 5.01.2600.2180 C:\WINDOWS\System32\ntlanman.dll
0x71c50000 0x17000 5.01.2600.2180 C:\WINDOWS\System32\NETUI0.dll
0x71c10000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\NETUI1.dll
0x75f10000 0x9000 5.01.2600.2180 C:\WINDOWS\System32\davclnt.dll
0x4f4a0000 0x5f000 5.01.2600.2180 C:\WINDOWS\system32\wzcdlg.dll
0x55ee0000 0x1b000 17.01.0051.0000 C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
0x7c630000 0x1b000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.DLL
0x02350000 0x5b000 8.00.0000.0000 C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
0x01ee0000 0x4c000 8.00.0000.0000 C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.DEU
0x5b2e0000 0x15000 5.01.2600.2180 C:\WINDOWS\system32\usbui.dll
0x01df0000 0x13000 6.00.2900.2180 C:\WINDOWS\system32\browselc.dll
0x02000000 0x11000 1.00.0000.0001 C:\WINDOWS\system32\nada32.dll
0x4eba0000 0x1a3000 5.01.3102.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
0x5ce90000 0x6e000 6.00.2900.2180 C:\WINDOWS\system32\shimgvw.dll
0x6c670000 0x4d000 5.01.2600.2180 C:\WINDOWS\system32\DUSER.dll
0x73b10000 0x14000 5.01.2600.2180 C:\WINDOWS\system32\sti.dll
0x74a60000 0x7000 5.01.2600.2180 C:\WINDOWS\system32\CFGMGR32.dll
------------------------------------------------------------------------------
avguard.exe pid: 188
Command line: "C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"

------------------------------------------------------------------------------
sched.exe pid: 676
Command line: "C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"

------------------------------------------------------------------------------
GoogleUpdaterService.exe pid: 712
Command line: "C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe"

Base Size Version Path
0x00400000 0x25000 2.02.0824.5515 C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
------------------------------------------------------------------------------
alg.exe pid: 1104
Command line: C:\WINDOWS\System32\alg.exe

Base Size Version Path
0x01000000 0xd000 5.01.2600.2180 C:\WINDOWS\System32\alg.exe
0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\System32\ATL.DLL
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\MSWSOCK.DLL
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\System32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x66710000 0x59000 5.01.2600.2180 C:\WINDOWS\system32\hnetcfg.dll
0x719f0000 0x8000 5.01.2600.2180 C:\WINDOWS\System32\wshtcpip.dll
------------------------------------------------------------------------------
apdproxy.exe pid: 200
Command line: "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

Base Size Version Path
0x00400000 0xe000 3.00.0000.50878 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
0x10000000 0x1d000 3.00.0000.50878 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdboot.dll
0x7c3a0000 0x7b000 7.10.3077.0000 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\MSVCP71.dll
0x7c340000 0x56000 7.10.3052.0004 C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\MSVCR71.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x73e70000 0x5c000 5.03.2600.2180 C:\WINDOWS\system32\DSOUND.dll
0x73b10000 0x14000 5.01.2600.2180 C:\WINDOWS\system32\sti.dll
0x74a60000 0x7000 5.01.2600.2180 C:\WINDOWS\system32\CFGMGR32.dll
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
------------------------------------------------------------------------------
avgnt.exe pid: 792
Command line: "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

Base Size Version Path
0x00400000 0x40000 8.00.0000.0007 C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
0x7c250000 0x102000 7.10.3077.0000 C:\Programme\Avira\AntiVir PersonalEdition Classic\MFC71U.DLL
0x00320000 0x56000 7.10.3052.0004 C:\Programme\Avira\AntiVir PersonalEdition Classic\MSVCR71.dll
0x10000000 0x2a000 8.00.0001.0018 C:\Programme\Avira\AntiVir PersonalEdition Classic\cclib.dll
0x7c3a0000 0x7b000 7.10.3077.0000 C:\Programme\Avira\AntiVir PersonalEdition Classic\MSVCP71.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x00af0000 0x44000 8.00.0000.0020 c:\programme\avira\antivir personaledition classic\ccgen.dll
0x00b40000 0x7000 8.00.0012.0000 c:\programme\avira\antivir personaledition classic\ccgenrc.dll
0x00b50000 0x37000 8.00.0000.0016 c:\programme\avira\antivir personaledition classic\ccguard.dll
0x00b90000 0x8000 8.00.0003.0000 c:\programme\avira\antivir personaledition classic\ccgrdrc.dll
0x00ba0000 0x14000 1.00.0006.0000 c:\programme\avira\antivir personaledition classic\avipc.dll
0x00bd0000 0x1e000 8.00.0000.0014 c:\programme\avira\antivir personaledition classic\ccupdate.dll
0x00bf0000 0x6000 8.00.0003.0000 c:\programme\avira\antivir personaledition classic\ccupdrc.dll
0x00c00000 0x11000 8.00.0000.0009 c:\programme\avira\antivir personaledition classic\cclic.dll
0x00c20000 0x4000 8.00.0002.0000 c:\programme\avira\antivir personaledition classic\cclicrc.dll
0x00c30000 0x28000 8.00.0000.0004 c:\programme\avira\antivir personaledition classic\ccmsg.dll
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
------------------------------------------------------------------------------
jusched.exe pid: 240
Command line: "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"

Base Size Version Path
0x00400000 0x21000 6.00.0020.0006 C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x10000000 0x10000 C:\WINDOWS\system32\khfCuULC.dll
------------------------------------------------------------------------------
LxUpdateManager.exe pid: 1520
Command line: "C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" /autostart

Base Size Version Path
0x00400000 0x86000 2.50.0033.0812 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
0x79000000 0x45000 2.00.50727.0042 C:\WINDOWS\system32\mscoree.dll
0x79e70000 0x561000 2.00.50727.0042 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
0x78130000 0x9b000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x790c0000 0xae6000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\a4b747a8051d7342a743014a44592ed4\mscorlib.ni.dll
0x64020000 0x13000 2.00.50727.0042 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
0x73240000 0x5000 5.131.2600.0000 C:\WINDOWS\system32\SOFTPUB.DLL
0x76580000 0x13000 5.131.2600.2180 C:\WINDOWS\system32\cryptnet.dll
0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\SensApi.dll
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
0x7a440000 0x7be000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\2ec52b74b63689418313a2fdaca5276f\System.ni.dll
0x7ade0000 0x194000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\8d686761485e4a4bbc23cf69543c9f12\System.Drawing.ni.dll
0x7afd0000 0xc86000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\e634ca373fe9e94bb2f0a7d5e5b39b8f\System.Windows.Forms.ni.dll
0x79060000 0x53000 2.00.50727.0042 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
0x03300000 0x42000 2.50.0033.0812 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\Lexware.Lisa.dll
0x03620000 0x3e000 1.00.0000.0000 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\NLog.dll
0x035c0000 0x8000 1.00.0000.0001 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\Lexware.Lisa.Interfaces.dll
0x64890000 0xee000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\1d3505dcf8265b4db7168cbaa060fdf9\System.Configuration.ni.dll
0x69be0000 0x568000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\606a7789ef03a2498313c4df185923c6\System.Xml.ni.dll
0x685c0000 0xb4a000 2.00.50727.0042 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\0e67da8edef45a45ba2ee08f120ec08b\System.Web.ni.dll
0x67670000 0x42000 2.00.50727.0042 C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
0x4eba0000 0x1a3000 5.01.3102.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
0x60500000 0x28000 2.50.0033.0812 C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\lxiuum10.dll
0x781d0000 0x10f000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
0x7c420000 0x87000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
0x5d360000 0x10000 8.00.50727.0762 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\MFC80DEU.DLL
0x74900000 0x130000 8.50.2162.0000 C:\WINDOWS\system32\msxml3.dll
------------------------------------------------------------------------------
AirGCFG.exe pid: 1540
Command line: "C:\Programme\D-Link\AirPlus G\AirGCFG.exe"

Base Size Version Path
0x00400000 0x17e000 3.03.0001.51123 C:\Programme\D-Link\AirPlus G\AirGCFG.exe
0x10000000 0x3c000 1.03.0036.51122 C:\WINDOWS\system32\wlanapi.dll
0x00320000 0xa000 2.00.0003.51006 C:\WINDOWS\system32\ANIOApi.dll
0x00330000 0xd000 1.00.0000.30603 C:\WINDOWS\system32\AQCKGen.dll
0x00340000 0x29000 1.00.0015.51118 C:\WINDOWS\system32\WlanApp.dll
0x5f1a0000 0x17000 5.01.2600.2180 C:\WINDOWS\system32\OLEPRO32.DLL
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x00b40000 0x19000 3.03.0001.50907 C:\Programme\D-Link\AirPlus G\WlanMon.dll
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
------------------------------------------------------------------------------
WZCSLDR2.exe pid: 1532
Command line: "C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe"

Base Size Version Path
0x00400000 0xd000 1.00.0006.41216 C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
0x10000000 0x9e000 2.04.0038.51122 C:\WINDOWS\system32\ANIWZCS2.DLL
0x00850000 0xd000 1.00.0000.30603 C:\WINDOWS\system32\AQCKGen.dll
0x00860000 0xa000 2.00.0003.51006 C:\WINDOWS\system32\ANIOApi.dll
0x00870000 0x29000 1.00.0015.51118 C:\WINDOWS\system32\WlanApp.dll
0x008a0000 0x3c000 1.03.0036.51122 C:\WINDOWS\system32\wlanapi.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
------------------------------------------------------------------------------
ctfmon.exe pid: 1432
Command line: "C:\WINDOWS\system32\CTFMON.EXE"

Base Size Version Path
0x00400000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\CTFMON.EXE
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
0x60010000 0x33000 5.01.2600.2180 C:\WINDOWS\system32\MSUTB.dll
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
------------------------------------------------------------------------------
GoogleUpdater.exe pid: 2184
Command line: "C:\Programme\Google\Google Updater\GoogleUpdater.exe" -systray -startup

Base Size Version Path
0x00400000 0x20000 2.02.1111.1511 C:\Programme\Google\Google Updater\GoogleUpdater.exe
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
0x60000000 0xdc000 2.02.1111.1511 C:\Programme\Google\Google Updater\2.2.1111.1511\ci.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x10000000 0xa3000 2.01.1119.1736 C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\mswsock.dll
0x76ee0000 0x27000 5.01.2600.2180 C:\WINDOWS\system32\DNSAPI.dll
0x76ad0000 0x11000 3.05.2284.0000 C:\WINDOWS\system32\ATL.DLL
------------------------------------------------------------------------------
svchost.exe pid: 3908
Command line: C:\WINDOWS\system32\svchost.exe -k imgsvc

Base Size Version Path
0x01000000 0x6000 5.01.2600.2180 C:\WINDOWS\system32\svchost.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x75b50000 0x55000 5.01.2600.2180 c:\windows\system32\wiaservc.dll
0x74a60000 0x7000 5.01.2600.2180 c:\windows\system32\CFGMGR32.dll
0x73aa0000 0x14000 5.01.2600.2180 c:\windows\system32\mscms.dll
0x71cc0000 0x1c000 6.00.2900.2180 C:\WINDOWS\system32\actxprxy.dll
0x73b10000 0x14000 5.01.2600.2180 C:\WINDOWS\system32\sti.dll
------------------------------------------------------------------------------
jucheck.exe pid: 2140
Command line: "C:\Programme\Java\jre1.6.0_02\bin\jucheck.exe" -auto

Base Size Version Path
0x00400000 0x50000 6.00.0020.0006 C:\Programme\Java\jre1.6.0_02\bin\jucheck.exe
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
0x5e190000 0x9000 6.06.2600.2180 C:\WINDOWS\system32\qmgrprxy.dll
0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll
------------------------------------------------------------------------------
sys77280.exe pid: 2924
Command line: "C:\Dokumente und Einstellungen\Maikes\Desktop\sys77280.exe"

Base Size Version Path
0x00400000 0x39000 C:\Dokumente und Einstellungen\Maikes\Desktop\sys77280.exe
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
------------------------------------------------------------------------------
runme.exe pid: 2936
Command line: runme.exe

Base Size Version Path
0x00400000 0x63000 3.05.0000.0005 C:\DOKUME~1\Maikes\LOKALE~1\Temp\nsdC.tmp\runme.exe
0x66000000 0x152000 6.00.0097.0082 C:\WINDOWS\system32\MSVBVM60.DLL
0x66630000 0x22000 6.00.0089.0088 C:\WINDOWS\system32\VB6DE.DLL
0x746a0000 0x4b000 5.01.2600.2180 C:\WINDOWS\system32\MSCTF.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x72240000 0x5000 5.01.2600.2180 C:\WINDOWS\system32\sensapi.dll
0x719b0000 0x40000 5.01.2600.2180 C:\WINDOWS\System32\mswsock.dll
------------------------------------------------------------------------------
cmd.exe pid: 2460
Command line: cmd /c uuoywfrygn.exe > tempd.txt

Base Size Version Path
0x4ad00000 0x64000 5.01.2600.2180 C:\WINDOWS\system32\cmd.exe
0x5cf00000 0x26000 5.01.2600.2180 C:\WINDOWS\system32\ShimEng.dll
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
------------------------------------------------------------------------------
uuoywfrygn.exe pid: 2448
Command line: uuoywfrygn.exe

Base Size Version Path
0x00400000 0x14000 2.25.0000.0000 C:\DOKUME~1\Maikes\LOKALE~1\Temp\nsdC.tmp\uuoywfrygn.exe
0x773a0000 0x102000 6.00.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

===================== NTFS ADS =====================



c:\Dokumente und Einstellungen\Simon\Eigene Dateien\Eigene Bilder\Thumbs.db:encryptable 0 bytes
c:\Dokumente und Einstellungen\Simon\Eigene Dateien\lach\Thumbs.db:encryptable 0 bytes
c:\Dokumente und Einstellungen\Simon\Eigene Dateien\Videos\Thumbs.db:encryptable 0 bytes



===================== ENCRYPTED FILES =====================


===================== HIDDEN OBJECTS =====================


scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


===================== RUSTOCK ROOTKIT DETECTION =====================


#### NOTHING FOUND ####

===================== MASTER BOOT RECORD =====================


device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

===================== NETWORK SETTINGS =====================

~~~~~~~~~~~~~~~~~~~~~ Winsock Parameters ~~~~~~~~~~~~~~~~~~~~~

-----HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\-----

[Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="%SystemRoot%\System32\mswsock.dll"


~~~~~~~~~~~~~~~~~~~~~ TCP/IP network configuration ~~~~~~~~~~~~~~~~~~~~~

Hostname. . . . . . . . . . . . . : MAIKE
Primäres DNS-Suffix . . . . . . . :
Knotentyp . . . . . . . . . . . . : Gemischt
WINS-Proxy aktiviert. . . . . . . : Nein
Ethernetadapter LAN-Verbindung:
Medienstatus. . . . . . . . . . . : Es besteht keine Verbindung
Beschreibung. . . . . . . . . . . : Intel 8255x-basierter PCI-Ethernetadapter (10/100)
Physikalische Adresse . . . . . . : 00-00-39-E3-F7-AA

-----HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

~~~~~~~~~~~~~~~~~~~~~ Open ports ~~~~~~~~~~~~~~~~~~~~~

Aktive Verbindungen
Proto Lokale Adresse Remoteadresse Status PID
TCP MAIKE:epmap 0.0.0.0:0 ABHÖREN 1132
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unbekannte Komponente(n) --
[svchost.exe]
TCP MAIKE:microsoft-ds 0.0.0.0:0 ABHÖREN 4
[System]
TCP MAIKE:1026 0.0.0.0:0 ABHÖREN 1104
[alg.exe]
UDP MAIKE:microsoft-ds *:* 4
[System]
UDP MAIKE:4500 *:* 880
[lsass.exe]
UDP MAIKE:isakmp *:* 880
[lsass.exe]
UDP MAIKE:1900 *:* 1352
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
UDP MAIKE:ntp *:* 1172
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

~~~~~~~~~~~~~~~~~~~~~ Shared Resources ~~~~~~~~~~~~~~~~~~~~~

Name Ressource Beschreibung
print$ C:\WINDOWS\system32\spool\drivers
Druckertreiber
IPC$ Remote-IPC
SharedDocs C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\DOKUMENTE

Drucker LPT1: Spooler Lexware PDF-Export 3
Drucker2 LPT1: Spooler AGFA-AccuSet v52.3
Der Befehl wurde erfolgreich ausgeführt.

~~~~~~~~~~~~~~~~~~~~~ TRUSTED DOMAINS ~~~~~~~~~~~~~~~~~~~~~

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

-----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

~~~~~~~~~~~~~~~~~~~~~ TRUSTED IPs ~~~~~~~~~~~~~~~~~~~~~

-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\

-----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\

~~~~~~~~~~~~~~~~~~~~~ RAS active connections ~~~~~~~~~~~~~~~~~~~~~

Keine Verbindungen
Der Befehl wurde erfolgreich ausgeführt.

~~~~~~~~~~~~~~~~~~~~~ Rasphone.pbk content ~~~~~~~~~~~~~~~~~~~~~

-----C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\rasphone.pbk


===================== HOSTS FILE =====================


127.0.0.1 localhost

===================== SUSPICIOUS FILES =====================
EXE and DLL files packed with runtime packers, found in: C:\; C:\WINDOWS\; C:\WINDOWS\system32\

C:\WINDOWS\system32\nada32.dll --> is compressed with UPX
C:\WINDOWS\system32\opus16.dll --> is compressed with UPX


===================== UNINSTALL LIST =====================


-----HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall-----

[Uninstall]

[Uninstall\AddressBook]

[Uninstall\AntiVir PersonalEdition Classic]
"DisplayIcon"="C:\Programme\Avira\AntiVir PersonalEdition Classic\rcimage.dll,1"
"DisplayName"="Avira AntiVir Personal – Free Antivirus"
"UninstallString"="C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE"

[Uninstall\Branding]

[Uninstall\Connection Manager]

[Uninstall\DirectAnimation]

[Uninstall\DirectDrawEx]

[Uninstall\DWG TrueView 2008]
"DisplayIcon"="C:\WINDOWS\Installer\{B1A9CD45-A702-4E3B-91ED-8CD562869901}\Aoem162_icon.exe"
"UninstallString"="C:\Programme\DWG TrueView 2008\Setup\Setup.exe /P {B1A9CD45-A702-4E3B-91ED-8CD562869901} /M AOEM"
"DisplayName"="DWG TrueView 2008"

[Uninstall\DXM_Runtime]

[Uninstall\Fontcore]

[Uninstall\Google Updater]
"DisplayIcon"="C:\Programme\Google\Google Updater\GoogleUpdater.exe"
"DisplayName"="Google Updater"
"UninstallString"="\"C:\Programme\Google\Google Updater\GoogleUpdater.exe\" -uninstall"

[Uninstall\ICW]

[Uninstall\IE40]

[Uninstall\IE4Data]

[Uninstall\IE5BAKEX]

[Uninstall\IEData]

[Uninstall\InstallShield Uninstall Information]

[Uninstall\InstallShield Uninstall Information\{2B7E4354-0492-460A-BDB1-1F59EE141025}]

[Uninstall\InstallShield_{2B7E4354-0492-460A-BDB1-1F59EE141025}]
"UninstallString"="C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{2B7E4354-0492-460A-BDB1-1F59EE141025} /l1031 "
"DisplayName"="AirPlus G"
"InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\_is4\"
"DisplayIcon"=""

[Uninstall\KB884016]

[Uninstall\KB893803]

[Uninstall\KB893803v2]
"DisplayName"="Windows Installer 3.1 (KB893803)"
"UninstallString"="\"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe\""
"DisplayIcon"=expand:"%windir%\system32\msiexec.exe"

[Uninstall\KB911164]
"DisplayName"="Update für Windows XP (KB911164)"
"UninstallString"=""

[Uninstall\Lexmark_HostCD]
"UninstallString"="C:\Programme\Lexmark_HostCD\Install\Uninstall.exe"
"DisplayIcon"="C:\Programme\Lexmark_HostCD\Install\Uninstall.exe"
"DisplayName"="Lexmark Software deinstallieren"

[Uninstall\Microsoft .NET Framework 2.0]
"DisplayIcon"="C:\WINDOWS\system32\msiexec.exe"
"DisplayName"="Microsoft .NET Framework 2.0"
"UninstallString"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe"

[Uninstall\MobileOptionPack]

[Uninstall\Mozilla Firefox (2.0.0.12)]
"DisplayIcon"="C:\Programme\Mozilla Firefox\firefox.exe,0"
"DisplayName"="Mozilla Firefox (2.0.0.12)"
"UninstallString"="C:\Programme\Mozilla Firefox\uninstall\helper.exe"

[Uninstall\MPlayer2]

[Uninstall\MSI30-Beta1]

[Uninstall\MSI30-Beta2]

[Uninstall\MSI30-KB884016]

[Uninstall\MSI30-RC1]

[Uninstall\MSI30-RC2]

[Uninstall\MSI30a-KB884016]

[Uninstall\MSI31-Beta]

[Uninstall\MSI31-RC1]

[Uninstall\NetMeeting]

[Uninstall\OutlookExpress]

[Uninstall\PCHealth]
"UninstallString"="rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf"

[Uninstall\SchedulingAgent]

[Uninstall\ShockwaveFlash]
"DisplayName"="Adobe Flash Player 9 ActiveX"
"UninstallString"="C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q"

[Uninstall\Toshiba Soft Modem]
"DisplayName"="Toshiba Soft Modem AMR"

[Uninstall\XTTB00001.XTTB00001Toolbar]
"DisplayName"="ICQ Toolbar"
"UninstallString"="regsvr32 /u /s \"C:\PROGRA~1\ICQTOO~1\toolbaru.dll\" "

[Uninstall\{00000407-78E1-11D2-B60F-006097C998E7}]
"InstallSource"="D:\"
"UninstallString"=expand:"MsiExec.exe /I{00000407-78E1-11D2-B60F-006097C998E7}"
"DisplayName"="Microsoft Office 2000 Premium"

[Uninstall\{102C0111-5FEA-425C-88AC-B0BB6E60EC33}]
"InstallSource"="C:\WINDOWS\Installer\{29D4CE6D-B616-4282-9228-C6469D1FE8A4\"
"DisplayName"="Lexware financial office 2008"

[Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
#### HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32 @="c:\programme\google\googletoolbar1.dll"
"DisplayName"="Google Toolbar for Internet Explorer"
"UninstallString"="regsvr32 /u /s \"c:\programme\google\googletoolbar1.dll\""
"DisplayIcon"="c:\programme\google\googletoolbar1.dll"

[Uninstall\{2B7E4354-0492-460A-BDB1-1F59EE141025}]
"InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\_is4\"
"DisplayName"="AirPlus G"

[Uninstall\{2CCBABCB-6427-4A55-B091-49864623C43F}]
"InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\GGSB.tmp\"
"UninstallString"=expand:"MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}"
"DisplayName"="Google Toolbar for Firefox"

[Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160020}]
"DisplayIcon"="C:\Programme\Java\jre1.6.0_02\\bin\javaws.exe"
"InstallSource"="d:\Data\java_runtime\"
"UninstallString"=expand:"MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}"
"DisplayName"="Java(TM) 6 Update 2"

[Uninstall\{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}]
"InstallSource"="C:\WINDOWS\system32\"
"DisplayName"="WebFldrs XP"

[Uninstall\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}]
"UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe\" -l0x7 -removeonly"
"InstallSource"="C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater\cache\installers_ci_earth_de_4.0.2740.0_setup_2007.02.21_14.46.09.exe"
"DisplayName"="Google Earth"

[Uninstall\{41EBCCBE-1FAD-40AD-A8B6-BD292DB683A4}]
"UninstallString"="C:\Programme\InstallShield Installation Information\{41EBCCBE-1FAD-40AD-A8B6-BD292DB683A4}\setup.exe -runfromtemp -l0x0007 -removeonly"
"InstallSource"="C:\Programme\Gemeinsame Dateien\Lexware\Aktualisierung2008\lexware_aktualisierung_financial_office_2008_12_20\"
"DisplayName"="Lexware financial office Aktualisierung Februar 2008, Version 12.20"
"DisplayIcon"="C:\Programme\Lexware\office\lfo.ico,0"

[Uninstall\{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}]
"DisplayIcon"="C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\Photoshop Album Starter Edition.exe,-111"
"InstallSource"="C:\WINDOWS\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\"
"UninstallString"=expand:"MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}"
"DisplayName"="Adobe® Photoshop® Album Starter Edition 3.0"

[Uninstall\{4C590030-7469-453E-8589-D15DA9D03F52}]
"UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe\" "
"DisplayName"="ANIWZCS2 Service"

[Uninstall\{520CC748-9867-498E-A257-B6112952A65E}]
"UninstallString"="C:\Programme\InstallShield Installation Information\{520CC748-9867-498E-A257-B6112952A65E}\setup.exe -runfromtemp -l0x0007 -removeonly"
"InstallSource"="d:\DATA\financial_office\"
"DisplayName"="Lexware financial office 2008"
"DisplayIcon"="C:\Programme\Lexware\office\lfo.ico,0"

[Uninstall\{5DB88ED8-3487-4BDE-A8C5-7F4D016BE737}]
"InstallSource"="C:\WINDOWS\Installer\FA3FE437-8DC5-4556-B384-F3C0AC81B1B0\"
"DisplayName"="Lexware financial office Aktualisierung Februar 2008, Version 12.20"

[Uninstall\{60DE4033-9503-48D1-A483-7846BD217CA9}]
"UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe\" -l0x9 -removeonly"
"InstallSource"="C:\Dokumente und Einstellungen\Simon\Desktop\Install_ICQ6.exe"
"DisplayName"="ICQ6"
"DisplayIcon"="<PATH_TO_AKIVA_FILES>\icq\icq6_install.ico,0"

[Uninstall\{6845AE3B-EB95-46DE-A190-EAB8D7764C60}]
"InstallSource"="C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lexware\Elster\Daten\Download\"
"UninstallString"=expand:"MsiExec.exe /I{6845AE3B-EB95-46DE-A190-EAB8D7764C60}"
"DisplayName"="Lexware Elster"

[Uninstall\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}]
"DisplayIcon"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ndpsetup.ico"
"InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\IXP000.TMP\"
"DisplayName"="Microsoft .NET Framework 2.0"

[Uninstall\{7299052b-02a4-4627-81f2-1818da5d550d}]
"InstallSource"="C:\Dokumente und Einstellungen\Simon\Lokale Einstellungen\Anwendungsdaten\Lexware\LxSetupTemp\Data\visual_studio_runtime_8\"
"UninstallString"=expand:"MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}"
"DisplayName"="Microsoft Visual C++ 2005 Redistributable"

[Uninstall\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}]
"UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe\" "
"DisplayName"="ANIO Service"

[Uninstall\{7C4BCD17-BDBA-4078-9D8C-8CA8B7EABE77}]
"DisplayName"=""
"UninstallString"="\"C:\Programme\Uninstall.exe\""

[Uninstall\{AC76BA86-7AD7-1031-7B44-A80000000002}]
"InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\Adobe Reader 8.0\"
"UninstallString"=expand:"MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A80000000002}"
"DisplayName"="Adobe Reader 8 - Deutsch"

[Uninstall\{AEB9948B-4FF2-47C9-990E-47014492A0FE}]
"InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\WZSE1.TMP\support\msxml\"
"UninstallString"=expand:"MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}"
"DisplayName"="MSXML 6.0 Parser"

[Uninstall\{B1A9CD45-A702-4E3B-91ED-8CD562869901}]
"InstallSource"="C:\DOKUME~1\Simon\LOKALE~1\Temp\WZSE1.TMP\"
"DisplayName"="DWG TrueView 2008"

[Uninstall\{B480BD2A-F1BA-4FE6-8C8E-34C6111B72C9}]
"UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{B480BD2A-F1BA-4FE6-8C8E-34C6111B72C9}\setup.exe\" -l0x7 -removeonly"
"InstallSource"="C:\Dokumente und Einstellungen\Simon\Desktop\ElsterFormular2007-Setup.exe"
"DisplayName"="ElsterFormular 2007/2008"
"DisplayIcon"="<ISPROJECTDIR>\setup files\compressed files\language independent\os independent\Elfo.ico"

[Uninstall\{BEDFB0D0-CA1E-4CBA-9664-B25A74019D0C}]
"InstallSource"="d:\Data\lisa_2_50\"
"UninstallString"=expand:"MsiExec.exe /I{BEDFB0D0-CA1E-4CBA-9664-B25A74019D0C}"
"DisplayName"="Lexware Info Service"

[Uninstall\{DBEA1034-5882-4A88-8033-81C4EF0CFA29}]
"InstallSource"="C:\Programme\Google\Installers\"
"UninstallString"=expand:"MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}"
"DisplayName"="Google Toolbar for Internet Explorer"

[Uninstall\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}]
"InstallSource"="C:\Programme\Gemeinsame Dateien\Wise Installation Wizard\"
"UninstallString"=expand:"MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"
"DisplayName"="Ad-Aware"

[Uninstall\{FF748561-FFFE-11D3-A06B-00E02939A7B1}]
"UninstallString"="RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup \"C:\Programme\InstallShield Installation Information\{FF748561-FFFE-11D3-A06B-00E02939A7B1}\Setup.exe\" -l0x7 -removeonly"
"InstallSource"="d:\Data\dakota_4_0\"
"DisplayName"="dakota.ag"

-----HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall-----

==========================================
Scan completed in 19 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work
This post was edited by hoddel on 27.06.2008 at 11:41.
27.06.2008, 12:17
Honorary member
Sabina

Posts: 29434
#4 Hello,

1.
http://virus-protect.org/artikel/tools/otmoveIt.html
open: OTMoveIt.exe
In OTMoveIt, paste the following into the left-hand window, where it says: Paste List of Files/Folders to Move

Quote

C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\beNVwGgh.ini2
C:\WINDOWS\system32\beNVwGgh.ini
C:\WINDOWS\system32\hgGwVNeb.dll
C:\WINDOWS\system32\khfCuULC.dll
C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\pntqkflv.dll
C:\WINDOWS\gfetqaxstmk.dll
C:\WINDOWS\gxvpsafm.dll
C:\WINDOWS\system32\nada32.dll
C:\WINDOWS\system32\opus16.dll
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd
Click the red MoveIt!

2.
download HijackThis
http://virus-protect.org/hjtkurz.html
On first start:
Do a system scan and save a logfile - Notepad opens
now copy the COMPLETE log with a right-click and paste it here with a right-click "Paste"

3.
download Combofix; a warning message appears, don't worry, nothing will go wrong; post the report that appears
http://virus-protect.org/artikel/tools/combofix.html

---------------------------------------------------------------------

for my own reference:
[Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}]
HKCR\CLSID\{2FF811E6-8925-4084-A649-C159955E67E8}\InprocServer32
[Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
[Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}]
HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572}
[Browser Helper Objects\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}]
HKCR\CLSID\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}\InprocServer32


[ShellServiceObjectDelayLoad]

"qegbdmwf"="{704256A8-EB18-4FBB-943D-0843F08DD20A}"
#### HKCR\CLSID\{704256A8-EB18-4FBB-943D-0843F08DD20A}\InprocServer32 @="C:\WINDOWS\qegbdmwf.dll"
"pntqkflv"="{F33F7155-384B-404D-865C-994967DD0B12}"
#### HKCR\CLSID\{F33F7155-384B-404D-865C-994967DD0B12}\InprocServer32 @="C:\WINDOWS\pntqkflv.dll"

-----HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks-----

[ShellExecuteHooks]
"{84AA61C2-A977-4FD8-9E2F-C768F0387572}"=""
#### HKCR\CLSID\{84AA61C2-A977-4FD8-9E2F-C768F0387572}\InprocServer32 @="C:\WINDOWS\system32\khfCuULC.dll"
__________
Kind regards, Sabina

all about PC security
27.06.2008, 14:10
...new here

Thread starter

Posts: 3
#5 Here is the log:

ComboFix 08-06-20.4 - Maikes 2008-06-27 13:52:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.404 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maikes\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\Simon\Desktop\Error Cleaner.url
C:\Dokumente und Einstellungen\Simon\Desktop\Privacy Protector.url
C:\Dokumente und Einstellungen\Simon\Desktop\Spyware&Malware Protection.url
C:\Dokumente und Einstellungen\Simon\Favoriten\Error Cleaner.url
C:\Dokumente und Einstellungen\Simon\Favoriten\Privacy Protector.url
C:\Dokumente und Einstellungen\Simon\Favoriten\Spyware&Malware Protection.url
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\apgrdnqv.ini
C:\WINDOWS\system32\beNVwGgh.ini
C:\WINDOWS\system32\beNVwGgh.ini2
C:\WINDOWS\system32\hgGwVNeb.dll
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-27 bis 2008-06-27 ))))))))))))))))))))))))))))))
.

2008-06-27 13:06 . 2008-06-27 13:06 92,032 --a------ C:\WINDOWS\system32\vqndrgpa.dll
2008-06-27 12:53 . 2008-06-27 12:53 <DIR> d-------- C:\_OTMoveIt
2008-06-27 12:35 . 2008-06-27 12:41 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{C637C02F-67B6-487C-BE6A-5980BADADFEA}
2008-06-27 12:14 . 2008-06-27 12:14 <DIR> d-------- C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten\ICQ Toolbar
2008-06-27 11:05 . 2008-06-27 11:05 <DIR> d-------- C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten\Lexware
2008-06-27 11:02 . 2008-06-27 11:03 <DIR> dr------- C:\Dokumente und Einstellungen\Maikes\Eigene Dateien
2008-06-27 09:42 . 2000-04-09 02:02 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Vorlagen
2008-06-27 09:42 . 2000-04-09 01:53 <DIR> dr------- C:\Dokumente und Einstellungen\Maikes\Startmenü
2008-06-27 09:42 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Netzwerkumgebung
2008-06-27 09:42 . 2008-06-27 13:56 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Lokale Einstellungen
2008-06-27 09:42 . 2008-06-27 11:03 <DIR> dr------- C:\Dokumente und Einstellungen\Maikes\Favoriten
2008-06-27 09:42 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Maikes\Druckumgebung
2008-06-27 09:42 . 2008-06-27 12:16 <DIR> dr-h----- C:\Dokumente und Einstellungen\Maikes\Anwendungsdaten
2008-06-27 09:41 . 2008-06-27 11:02 <DIR> d-------- C:\Dokumente und Einstellungen\Maikes
2008-06-26 22:22 . 2008-06-26 22:22 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-06-26 20:23 . 2008-06-26 20:23 <DIR> d-------- C:\Programme\Lavasoft
2008-06-26 20:23 . 2008-06-26 20:27 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-26 20:19 . 2008-06-26 19:56 19,153,264 --a------ C:\aaw2008_10.exe
2008-06-26 20:07 . 2006-02-28 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-26 20:00 . 2008-06-26 20:00 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-06-26 19:44 . 2003-10-09 17:55 20,966,970 --a------ C:\WINDOWS\cfdemo.exe
2008-06-26 19:44 . 2005-10-11 22:33 2,807,808 --a------ C:\WINDOWS\alcwzrd.exe
2008-06-26 19:44 . 2007-04-10 14:05 372,736 --a------ C:\WINDOWS\suinsta4001.exe
2008-06-26 19:44 . 2006-03-21 05:23 23,040 --a------ C:\WINDOWS\kb913800.exe
2008-06-26 18:48 . 2000-04-09 02:02 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-26 18:48 . 2000-04-09 01:53 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmenü
2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-26 18:48 . 2000-04-09 01:53 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-26 18:48 . 2000-04-09 01:53 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-26 18:48 . 2008-06-26 22:22 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-25 18:12 . 2008-06-25 18:12 62,910 --a------ C:\Programme\Uninstall.exe
2008-06-25 18:12 . 2008-06-25 18:12 0 --a------ C:\Programme\uninstall.dat
2008-06-25 18:09 . 2008-06-26 18:46 <DIR> d-------- C:\Dokumente und Einstellungen\Simon\Anwendungsdaten\TmpRecentIcons
2008-06-24 20:24 . 2008-06-24 20:24 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd
2008-06-24 20:24 . 2008-06-24 18:51 245,760 --a------ C:\WINDOWS\gfetqaxstmk.dll
2008-06-24 20:24 . 2008-06-24 18:51 233,472 --a------ C:\WINDOWS\pntqkflv.dll
2008-06-24 20:24 . 2008-06-24 18:51 180,224 --a------ C:\WINDOWS\qegbdmwf.dll
2008-06-24 20:24 . 2008-06-24 18:51 155,648 --a------ C:\WINDOWS\gxvpsafm.dll
2008-06-24 20:24 . 2008-06-24 20:24 28,288 --a------ C:\WINDOWS\system32\khfCuULC.dll
2008-06-24 20:23 . 2008-06-24 20:23 19,456 --a------ C:\WINDOWS\system32\nada32.dll
2008-06-24 20:22 . 2008-06-24 20:22 19,456 --a------ C:\WINDOWS\system32\opus16.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 10:31 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-06-27 10:16 --------- d-----w C:\Programme\ICQToolbar
2008-06-26 17:52 --------- d-----w C:\Programme\Q-Dir
2008-06-26 17:08 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}]
2008-06-24 20:24 28288 --a------ C:\WINDOWS\system32\khfCuULC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}]
2008-06-24 18:51 245760 --a------ C:\WINDOWS\gfetqaxstmk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{866A4717-E246-4FDC-B2AA-14607C905E3A}"= "C:\WINDOWS\gxvpsafm.dll" [2008-06-24 18:51 155648]

[HKEY_CLASSES_ROOT\clsid\{866a4717-e246-4fdc-b2aa-14607c905e3a}]
[HKEY_CLASSES_ROOT\gxvpsafm.1]
[HKEY_CLASSES_ROOT\TypeLib\{F260EB6B-9B1E-450F-AB15-905E5FAF6BE7}]
[HKEY_CLASSES_ROOT\gxvpsafm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-23 20:33 57344]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"LexwareInfoService"="C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" [2007-09-25 14:59 532776]
"D-Link AirPlus G"="C:\Programme\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 16:04 1544192]
"ANIWZCS2Service"="C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 19:19 49152]
"c02927a3"="C:\WINDOWS\system32\vqndrgpa.dll" [2008-06-27 13:06 92032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 14:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{84AA61C2-A977-4FD8-9E2F-C768F0387572}"= C:\WINDOWS\system32\khfCuULC.dll [2008-06-24 20:24 28288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qegbdmwf"= {704256A8-EB18-4FBB-943D-0843F08DD20A} - C:\WINDOWS\qegbdmwf.dll [2008-06-24 18:51 180224]
"pntqkflv"= {F33F7155-384B-404D-865C-994967DD0B12} - C:\WINDOWS\pntqkflv.dll [2008-06-24 18:51 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCuULC]
khfCuULC.dll 2008-06-24 20:24 28288 C:\WINDOWS\system32\khfCuULC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect]
--a------ 2008-06-24 20:24 1159168 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=

R3 tridxp;tridxp;C:\WINDOWS\system32\DRIVERS\tridxpm.sys [2001-09-26 21:42]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 14:00:49
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\khfCuULC.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\vqndrgpa.dll
-> C:\WINDOWS\system32\opnklmJA.dll
-> C:\WINDOWS\qegbdmwf.dll
-> C:\WINDOWS\pntqkflv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Programme\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Java\jre1.6.0_02\bin\jucheck.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-27 14:05:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 12:05:13

7 Verzeichnis(se), 24,872,697,856 Bytes frei
9 Verzeichnis(se), 24,956,108,800 Bytes frei

27.06.2008, 14:31
Honorary member
Sabina

Posts: 29434
#6 Hello,

Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the Desktop as cfscript.txt using 'Save as'. Choose "All files" - Save

Quote

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCuULC]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qegbdmwf"=-
"pntqkflv"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c02927a3"=-
[-HKEY_CLASSES_ROOT\clsid\{866a4717-e246-4fdc-b2aa-14607c905e3a}]
[-HKEY_CLASSES_ROOT\gxvpsafm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{F260EB6B-9B1E-450F-AB15-905E5FAF6BE7}]
[-HKEY_CLASSES_ROOT\gxvpsafm]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{84AA61C2-A977-4FD8-9E2F-C768F0387572}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0E0FE98-9C54-4523-BA09-68A7CBB46A8B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{866A4717-E246-4FDC-B2AA-14607C905E3A}"=-

File::
C:\Programme\Uninstall.exe
C:\Programme\uninstall.dat
C:\WINDOWS\system32\vqndrgpa.dll
C:\WINDOWS\system32\khfCuULC.dll
C:\WINDOWS\system32\opnklmJA.dll
C:\WINDOWS\system32\nada32.dll
C:\WINDOWS\system32\opus16.dll
C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\pntqkflv.dll
C:\WINDOWS\gfetqaxstmk.dll
C:\WINDOWS\gxvpsafm.dll

Folder::
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd

You should now find the file cfscript.txt on the Desktop.

Drag cfscript.txt with the right mouse button onto the Combofix icon

then: run Combofix once more

------

post the new Combofix log
__________
Kind regards, Sabina

all about PC security
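The triage Sabina does by hand in posts #4 and #6 (pick out the autostart entries whose backing files were created during the infection, then turn them into cfscript Registry::/File:: lines) as an added Python example; it is not part of the thread or of ComboFix, assumes the log layout shown above, and takes 2008-06-24 (the day "ASC Antispy" appeared) as the assumed cut-off date.

```python
# Added example, not from the thread or from ComboFix: triage the
# "Autostart Punkte der Registrierung" section of a ComboFix log by the file
# timestamp ComboFix prints next to each entry, and draft the Registry::/File::
# parts of a cfscript.txt for files newer than a cut-off date.  The date is
# only a first filter; a reviewer still has to vet every drafted line.
import re
from datetime import date

KEY_RE = re.compile(r"^\[(.+)\]\s*$")                          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=')                        # "name"=...
PATH_RE = re.compile(r'([A-Za-z]:\\[^\[\]"]*?\.(?:dll|exe))', re.IGNORECASE)
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}")  # ComboFix file stamp


def autostart_section(log_text):
    """Lines between the autostart banner and the next '((((' or '****' banner."""
    out, inside = [], False
    for line in log_text.splitlines():
        if "Autostart Punkte der Registrierung" in line:
            inside = True
            continue
        if inside and line.startswith(("((((", "****")):
            break
        if inside:
            out.append(line)
    return out


def parse_autostart(log_text):
    """One dict per autostart entry naming a .dll/.exe with a timestamp.

    value is None when the entry is a key of its own (BHO CLSID, Winlogon
    Notify, msconfig startupreg): the file then sits on the data line below.
    """
    entries, key = [], None
    for line in autostart_section(log_text):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        pm, dm = PATH_RE.search(line), DATE_RE.search(line)
        if key is None or not (pm and dm):
            continue           # e.g. firewall AuthorizedApplications: path, no stamp
        vm = VALUE_RE.match(line)
        entries.append({"key": key, "value": vm.group(1) if vm else None,
                        "path": pm.group(1),
                        "file_date": date(*map(int, dm.groups()))})
    return entries


def draft_cfscript(entries, cutoff_iso):
    """Registry:: and File:: lines for entries whose file is dated >= cutoff.

    Grammar as in the script posted in this thread: '[-key]' deletes a whole
    key, '"name"=-' deletes one value under the preceding '[key]' line.
    """
    cutoff = date.fromisoformat(cutoff_iso)
    reg, files, open_key = [], [], None
    for e in entries:
        if e["file_date"] < cutoff:
            continue
        if e["value"] is None:
            reg.append(f"[-{e['key']}]")
            open_key = None
        else:
            if e["key"] != open_key:
                reg.append(f"[{e['key']}]")
                open_key = e["key"]
            reg.append(f'"{e["value"]}"=-')
        if e["path"] not in files:            # khfCuULC.dll is hooked three times
            files.append(e["path"])
    return {"registry": reg, "files": files}


# Constructed sample: a cut-down copy of the autostart section posted in this thread.
SAMPLE_LOG = r"""
(((((((((((( Autostart Punkte der Registrierung ))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84AA61C2-A977-4FD8-9E2F-C768F0387572}]
2008-06-24 20:24 28288 --a------ C:\WINDOWS\system32\khfCuULC.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{866A4717-E246-4FDC-B2AA-14607C905E3A}"= "C:\WINDOWS\gxvpsafm.dll" [2008-06-24 18:51 155648]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c02927a3"="C:\WINDOWS\system32\vqndrgpa.dll" [2008-06-27 13:06 92032]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{84AA61C2-A977-4FD8-9E2F-C768F0387572}"= C:\WINDOWS\system32\khfCuULC.dll [2008-06-24 20:24 28288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qegbdmwf"= {704256A8-EB18-4FBB-943D-0843F08DD20A} - C:\WINDOWS\qegbdmwf.dll [2008-06-24 18:51 180224]
"pntqkflv"= {F33F7155-384B-404D-865C-994967DD0B12} - C:\WINDOWS\pntqkflv.dll [2008-06-24 18:51 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfCuULC]
khfCuULC.dll 2008-06-24 20:24 28288 C:\WINDOWS\system32\khfCuULC.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect]
--a------ 2008-06-24 20:24 1159168 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
**************************************************************************
"""

if __name__ == "__main__":   # cut-off: the day "ASC Antispy" first showed up (assumed)
    for section, lines in draft_cfscript(parse_autostart(SAMPLE_LOG), "2008-06-24").items():
        print(section + "::", *lines, sep="\n")
```

The CTFMON entry (file dated 2006) is left alone while the eight entries backed by files from 24 to 27 June are drafted, which is the same selection the hand-written script above makes for these keys.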