Trojaner Vundo auf der Festplatte gefunden, erbitte Rat

#1 Hallo,
Wie im Betreff beschrieben habe ich mir den Trojaner Vundo eingefangen. Ich konnte bisher 2 arten des Trojaners auf meiner Festplatte identifizieren.
Vundo.Gen und Vundo.Zahlenreihe

Ich habe bereits eine Vielzahl von Lösungshilfen gefunden und dabei auch bemerkt das von dem betroffenen eine Vielzahl von Log-Files verlangt wurde. Ich denke mal ohne Hilfe von einer Person die davon ahnung hat, wird es schwierig den wieder los zu werden.

Hier schonmal die HJT Log-File
-------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:46:59, on 04.02.2009
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Anti-Vundo\HJT\hjt.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\Windows\system32\ljJYPiGY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F0FFC608-E0E7-48FD-B4EE-55F7058A66EE} - C:\Windows\system32\ljJyvtrQ.dll
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [f00d9ac4] rundll32.exe "C:\Windows\system32\skknpody.dll",b
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O15 - Trusted Zone: *.moove.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC368224-6EF8-401F-9E64-30F31C1055F0}: NameServer = 193.254.160.1 193.254.160.130
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Hier die Log-File der Combo-Fix.exe

ComboFix 09-02-03.01 - Doctor Snow 2009-02-04 15:49:27.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1031.18.2047.1353 [GMT 1:00]
ausgeführt von:: c:\anti-vundo\Downloads\ComboFix.exe
FW: COMODO Firewall *enabled*
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\ddcYpnNH.dll
c:\windows\System32\HNnpYcdd.ini
c:\windows\system32\HNnpYcdd.ini2
c:\windows\system32\ljJyvtrQ.dll
c:\windows\system32\oqxvvdor.dll
c:\windows\system32\qhqtyssx.ini
c:\windows\system32\QrtvyJjl.ini
c:\windows\system32\QrtvyJjl.ini2
c:\windows\system32\rajdewax.dll
c:\windows\system32\rodvvxqo.ini
c:\windows\system32\skknpody.dll
c:\windows\system32\spshymuv.ini
c:\windows\system32\srqxjhxn.ini
c:\windows\system32\wyywfdew.ini
c:\windows\system32\xawedjar.ini
c:\windows\system32\ydopnkks.ini
c:\windows\Tasks\pqqxfihx.job
G:\Autorun.inf

----- BITS: Eventuell infizierte Webseiten -----

hxxp://childhe.com
.
((((((((((((((((((((((( Dateien erstellt von 2009-01-04 bis 2009-02-04 ))))))))))))))))))))))))))))))
.

2009-02-04 12:42 . 2009-02-04 15:46 <DIR> d-------- C:\Anti-Vundo
2009-02-04 12:42 . 2009-02-04 12:42 0 --ah----- C:\ntuser.dat.LOG2
2009-02-04 12:42 . 2009-02-04 12:42 0 --ah----- C:\ntuser.dat.LOG1
2009-02-04 12:42 . 2009-02-04 12:42 0 --a------ C:\ntuser.dat
2009-02-04 12:38 . 2009-02-04 12:38 0 --a------ C:\ARK27B9.tmp
2009-02-04 12:01 . 2009-02-04 12:01 <DIR> d-------- C:\VundoFix Backups
2009-02-04 07:17 . 2009-02-04 07:17 0 --a------ C:\ARKCE20.tmp
2009-01-29 21:57 . 2009-01-31 17:52 <DIR> d-------- c:\users\Doctor Snow\AppData\Roaming\ICQ
2009-01-29 21:55 . 2009-01-30 21:26 <DIR> d-------- c:\program files\ICQ6.5
2009-01-28 14:57 . 2009-01-28 14:57 <DIR> d-------- c:\windows\uninstall\DE-Browser4
2009-01-28 14:57 . 2009-01-28 14:57 <DIR> d-------- c:\windows\uninstall
2009-01-27 20:10 . 2009-01-27 20:19 <DIR> d-------- C:\Das erste mal
2009-01-24 22:47 . 2009-01-25 00:10 <DIR> d-------- C:\moove
2009-01-24 22:47 . 2002-01-05 13:48 974,848 --------- c:\windows\System32\mfc70.dll
2009-01-24 22:47 . 2003-07-24 10:18 237,568 --a------ c:\windows\System32\demooverGer.exe
2009-01-24 22:47 . 2004-05-29 17:52 91,072 --------- c:\windows\System32\RoseCo2.dll
2009-01-24 22:47 . 2004-05-29 17:53 82,896 --------- c:\windows\System32\KickCom2.dll
2009-01-24 22:47 . 2001-10-12 15:44 3,310 --------- c:\windows\System32\advanced.ico
2009-01-24 22:46 . 1998-04-24 00:00 1,078 --------- c:\windows\System32\rosewaste.ico
2009-01-24 21:23 . 2008-07-26 23:56 210,432 --a------ c:\windows\System32\ifsdrives.dll
2009-01-24 21:23 . 2008-09-25 17:37 189,888 --a------ c:\windows\System32\drivers\ext2fs.sys
2009-01-24 21:23 . 2007-12-16 18:13 77,760 --a------ c:\windows\System32\ifsdrives.exe
2009-01-24 21:23 . 2008-08-28 22:48 60,352 --a------ c:\windows\System32\drivers\ifsmount.sys
2009-01-24 21:23 . 2007-08-26 14:11 724 --a------ c:\windows\System32\ifsdrives_tasks.xml
2009-01-24 16:41 . 2009-01-24 16:41 37,376 --a------ c:\windows\System32\vTlLeEUm.dll
2009-01-24 15:04 . 2009-01-24 15:04 37,376 --a------ c:\windows\System32\wvUkHWMF.dll
2009-01-24 13:47 . 2009-01-24 13:47 126,976 --a------ c:\windows\System32\UAService7.exe
2009-01-16 22:09 . 2009-01-16 22:09 <DIR> d-------- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-01-16 16:19 . 2009-01-30 11:01 <DIR> d-------- C:\Filme
2009-01-11 17:37 . 2008-10-16 20:35 87,352 --a------ c:\windows\System32\LMIinit.dll
2009-01-11 16:11 . 2009-01-11 16:11 <DIR> d-------- c:\users\All Users\Google
2009-01-09 20:10 . 2009-01-09 20:10 <DIR> d-------- c:\users\Doctor Snow\AppData\Roaming\Macrovision
2009-01-09 18:14 . 2008-10-22 02:22 2,048 --a------ c:\windows\System32\tzres.dll
2009-01-09 18:09 . 2008-11-01 02:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2009-01-09 18:09 . 2008-10-29 07:29 2,927,104 --a------ c:\windows\explorer.exe
2009-01-09 18:09 . 2008-06-23 02:59 2,868,736 --a------ c:\windows\System32\mf.dll
2009-01-09 18:09 . 2008-06-23 02:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2009-01-09 18:09 . 2008-10-21 06:25 296,960 --a------ c:\windows\System32\gdi32.dll
2009-01-09 18:09 . 2008-06-23 02:58 94,720 --a------ c:\windows\System32\logagent.exe
2009-01-09 18:09 . 2008-11-01 04:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2009-01-09 18:08 . 2008-10-16 05:47 827,392 --a------ c:\windows\System32\wininet.dll
2009-01-07 16:30 . 2009-01-07 16:30 <DIR> d-------- c:\users\Doctor Snow\AppData\Roaming\OpenOffice.org
2009-01-07 16:25 . 2009-01-07 16:25 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-07 16:25 . 2009-01-07 16:25 <DIR> d-------- c:\program files\JRE
2009-01-06 21:01 . 2009-01-06 21:01 <DIR> d-------- C:\mwconn
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> dr------- c:\windows\System32\config\systemprofile\Searches
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> dr------- c:\windows\System32\config\systemprofile\Saved Games
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> dr------- c:\windows\System32\config\systemprofile\Links
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> d-------- c:\users\All Users\Macrovision
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> d-------- c:\programdata\Macrovision
2009-01-06 20:16 . 2009-01-06 20:16 <DIR> d-------- c:\program files\Vodafone
2009-01-06 20:16 . 2007-09-12 09:56 101,376 --a------ c:\windows\System32\drivers\ewusbmdm.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 19:19 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\BitTorrent
2009-02-02 21:21 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\dvdcss
2009-01-24 21:47 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-24 16:20 --------- d-----w c:\program files\AGEIA Technologies
2009-01-24 16:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-24 09:44 --------- d-----w c:\program files\CyberLink
2009-01-24 09:40 --------- d-----w c:\program files\CCleaner
2009-01-23 19:50 --------- d-----w c:\program files\Steam
2009-01-17 16:51 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\DNA
2009-01-12 11:11 --------- d-----w c:\program files\DNA
2009-01-12 11:10 --------- d-----w c:\program files\LogMeIn
2009-01-05 12:13 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\TVcentral-Core
2009-01-05 12:13 --------- d-----w c:\program files\Common Files\Buhl Data Service
2009-01-03 15:06 --------- d-----w c:\program files\Common Files\SWF Studio
2009-01-03 14:50 --------- d--h--w c:\program files\Creative Installation Information
2009-01-03 14:50 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\Creative
2008-12-21 10:40 --------- d-----w c:\program files\DC++
2008-12-19 10:26 99,344 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-12-18 20:48 --------- d-----w c:\programdata\ICQ
2008-12-18 20:07 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\teamspeak2
2008-12-18 20:00 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\InstallShield Installation Information
2008-12-13 19:24 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\BSplayer
2008-12-12 20:58 --------- d-----w c:\programdata\2DBoy
2008-12-09 16:09 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\GRETECH
2008-12-09 16:09 --------- d-----w c:\programdata\GRETECH
2008-12-09 16:09 --------- d-----w c:\program files\GRETECH
2008-12-09 16:00 --------- d-----w c:\users\Doctor Snow\AppData\Roaming\BSplayer Pro
2008-12-09 16:00 --------- d-----w c:\program files\Webteh
2008-12-09 15:33 --------- d-----w c:\program files\ffdshow
2008-12-07 20:13 --------- d-----w c:\program files\WinTV
2008-11-14 16:39 32,441 ----a-w c:\users\All Users\nvModes.dat
2008-11-14 16:39 32,441 ----a-w c:\programdata\nvModes.dat
2008-10-25 22:14 174 --sha-w c:\program files\desktop.ini
2008-10-25 20:07 22,328 ----a-w c:\users\Doctor Snow\AppData\Roaming\PnkBstrK.sys
2008-08-05 10:12 28,409 ----a-w c:\users\Doctor Snow\AppData\Roaming\nvModes.dat
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2008-11-07 1351872]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2008-12-17 172792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-12 13589024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-12 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Doctor Snow^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Doctor Snow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Doctor Snow^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Doctor Snow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-08-04 22:54 266497 c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-01-01 01:39 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
--a------ 2008-12-19 11:22 1797880 c:\program files\COMODO\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
--a------ 2008-12-19 11:22 1797880 c:\program files\COMODO\Firewall\cfp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 23:29 165784 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2008-01-18 22:33 125952 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPGServiceTool]
--a------ 2008-04-17 17:20 688128 c:\progra~1\WinTV\EPG Services\System\EPGClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FunctionKeyCtrl]
--a------ 2006-05-25 16:49 49152 c:\program files\Function Key Controller\FKC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-12-17 14:36 172792 c:\program files\ICQ6.5\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-03-29 15:41 222128 c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 22:55 54832 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
--a------ 2007-07-18 00:30 1687824 c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
--a------ 2007-07-18 01:08 2094352 c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LgDevAgt]
--a------ 2007-07-18 01:13 99600 c:\program files\Logitech\GamePanel Software\LGDevAgt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2008-07-24 18:46 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-09-12 13:05 13589024 c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-09-12 13:05 92704 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 08:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-18 22:33 1233920 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-17 17:17 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-11-17 13:58 815104 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-07-09 22:33 36352 c:\programme\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 22:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2007-02-06 17:50 4374528 c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe"
"Windows Mobile-based device management"=%windir%\WindowsMobile\wmdSync.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5526E6DC-45F4-4695-8B7C-EFE8662F26EB}"= UDP:c:\games\Kane and Lynch\kaneandlynch.exe:Kane & Lynch: Dead Men
"{7D2CB57A-F486-4EE3-A922-F92249E0A1D5}"= TCP:c:\games\Kane and Lynch\kaneandlynch.exe:Kane & Lynch: Dead Men
"{C57960AC-3917-4EF4-9273-C378F977698A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{FE5F3E18-D5A6-416E-84D2-08CABAA65385}"= UDP:c:\program files\o2 Connection Manager\o2 Connection Manager.exe:o2 Connection Manager
"{BED2FA90-83EA-486B-B492-155227B36A0D}"= TCP:c:\program files\o2 Connection Manager\o2 Connection Manager.exe:o2 Connection Manager
"TCP Query User{AA335139-90FF-4629-B996-2A9113A29393}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
"UDP Query User{0D2A8888-A58C-4E2E-9B4E-E3FE5F4E6873}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus
"TCP Query User{A1505701-46FD-49CF-8C4B-110B32441A10}c:\\games\\cod\\codmp.exe"= UDP:c:\games\cod\codmp.exe:CoDMP
"UDP Query User{C90B6AEA-897E-45C5-B9D6-4B2F4258904F}c:\\games\\cod\\codmp.exe"= TCP:c:\games\cod\codmp.exe:CoDMP
"TCP Query User{001A8A82-D710-4E8E-B3D5-34DA5175DC23}c:\\games\\oil tycoon 2\\game.exe"= UDP:c:\games\oil tycoon 2\game.exe:game
"UDP Query User{DAB3F824-7AF8-403D-B2CF-09CB96E82250}c:\\games\\oil tycoon 2\\game.exe"= TCP:c:\games\oil tycoon 2\game.exe:game
"TCP Query User{38B7C800-FF7B-4F7C-B6D3-02ACC3C7393E}c:\\games\\world of warcraft\\wow-2.3.3.7799-to-2.4.0.8089-engb-downloader.exe"= UDP:c:\games\world of warcraft\wow-2.3.3.7799-to-2.4.0.8089-engb-downloader.exe:Blizzard Downloader
"UDP Query User{9CB7A365-5E5E-4025-982D-5CC0268269E7}c:\\games\\world of warcraft\\wow-2.3.3.7799-to-2.4.0.8089-engb-downloader.exe"= TCP:c:\games\world of warcraft\wow-2.3.3.7799-to-2.4.0.8089-engb-downloader.exe:Blizzard Downloader
"TCP Query User{E6C2EA77-77E4-4356-8DDF-A3FB59809583}c:\\games\\call of duty 4 - modern warfare\\iw3mp.exe"= UDP:c:\games\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"UDP Query User{671BA5FF-8BA7-4AD7-A567-8E3E1C2D28EB}c:\\games\\call of duty 4 - modern warfare\\iw3mp.exe"= TCP:c:\games\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"TCP Query User{3721CA30-62DC-4423-AE7A-9A0302FE44BA}c:\\wamp\\apache2\\bin\\httpd.exe"= UDP:c:\wamp\apache2\bin\httpd.exe:Apache HTTP Server
"UDP Query User{642585D0-7DF7-4319-8AB1-83B3750400C7}c:\\wamp\\apache2\\bin\\httpd.exe"= TCP:c:\wamp\apache2\bin\httpd.exe:Apache HTTP Server
"TCP Query User{8EF3BCC2-B31F-4AFF-BD6C-77C3674DBCA5}c:\\wow priv server\\ascent1036\\logonserver.exe"= UDP:c:\wow priv server\ascent1036\logonserver.exe:logonserver
"UDP Query User{8BBA5451-E308-4523-80DE-5FF2C00594D7}c:\\wow priv server\\ascent1036\\logonserver.exe"= TCP:c:\wow priv server\ascent1036\logonserver.exe:logonserver
"TCP Query User{004A766F-ECF8-4620-B170-AE9BEEC14265}c:\\wow priv server\\ascent1036\\ascent.exe"= UDP:c:\wow priv server\ascent1036\ascent.exe:ascent
"UDP Query User{06F44062-3CB9-49C7-AA99-EBFA77462994}c:\\wow priv server\\ascent1036\\ascent.exe"= TCP:c:\wow priv server\ascent1036\ascent.exe:ascent
"TCP Query User{CA183976-35D0-49F6-B49A-54159590419B}c:\\wow priv server\\ascent1036\\logonserver.exe"= UDP:c:\wow priv server\ascent1036\logonserver.exe:logonserver
"UDP Query User{152741FA-71A6-475C-BDD0-806882B2EC82}c:\\wow priv server\\ascent1036\\logonserver.exe"= TCP:c:\wow priv server\ascent1036\logonserver.exe:logonserver
"TCP Query User{ABA913B9-A292-453F-AD8D-019674D3D719}c:\\wow priv server\\ascent1036\\ascent.exe"= UDP:c:\wow priv server\ascent1036\ascent.exe:ascent
"UDP Query User{7BA8715C-7B41-4DF0-A66B-4ABCB9A0C485}c:\\wow priv server\\ascent1036\\ascent.exe"= TCP:c:\wow priv server\ascent1036\ascent.exe:ascent
"TCP Query User{E2F1EFAA-6ABB-4096-B05F-2FBB7C13984B}c:\\downloads\\wow-burningcrusade-dede-installer-downloader.exe"= UDP:c:\downloads\wow-burningcrusade-dede-installer-downloader.exe:WoW-BurningCrusade-deDE-Installer-downloader
"UDP Query User{B84E083C-7F72-44FA-94E5-1B308D92734C}c:\\downloads\\wow-burningcrusade-dede-installer-downloader.exe"= TCP:c:\downloads\wow-burningcrusade-dede-installer-downloader.exe:WoW-BurningCrusade-deDE-Installer-downloader
"TCP Query User{1FE74AB1-00AC-4E05-AFCA-1D4A58350F09}c:\\wow priv server\\ascent rev2355\\logonserver.exe"= UDP:c:\wow priv server\ascent rev2355\logonserver.exe:logonserver
"UDP Query User{EFE84A14-7C28-424F-9B20-52EB3D970DB0}c:\\wow priv server\\ascent rev2355\\logonserver.exe"= TCP:c:\wow priv server\ascent rev2355\logonserver.exe:logonserver
"TCP Query User{3FAC0004-4B72-4EEE-B996-5C0860FE7AA5}c:\\wow priv server\\ascent1139\\logonserver.exe"= UDP:c:\wow priv server\ascent1139\logonserver.exe:logonserver
"UDP Query User{08ACC0C2-801C-402A-B0C2-A70C24C03888}c:\\wow priv server\\ascent1139\\logonserver.exe"= TCP:c:\wow priv server\ascent1139\logonserver.exe:logonserver
"TCP Query User{50052663-9093-407D-AFA8-6C682C28689E}c:\\wow priv server\\ascent1139\\ascent.exe"= UDP:c:\wow priv server\ascent1139\ascent.exe:ascent
"UDP Query User{810219AE-B97A-4853-9B29-690BFC7C3883}c:\\wow priv server\\ascent1139\\ascent.exe"= TCP:c:\wow priv server\ascent1139\ascent.exe:ascent
"TCP Query User{4D12AB00-309A-454D-B5F8-E0BBF30CCA69}c:\\wow priv server\\ascent rev2355\\ascent.exe"= UDP:c:\wow priv server\ascent rev2355\ascent.exe:ascent
"UDP Query User{0FDD0DE5-682B-4AB4-AEE8-9C456F900227}c:\\wow priv server\\ascent rev2355\\ascent.exe"= TCP:c:\wow priv server\ascent rev2355\ascent.exe:ascent
"TCP Query User{0D5B4EA9-DF73-45AB-A904-FAF2DD1018A0}c:\\wow priv server\\ascent rev2355\\voicechat.exe"= UDP:c:\wow priv server\ascent rev2355\voicechat.exe:voicechat
"UDP Query User{6DE46711-D21C-45AC-8F45-8A4307F45924}c:\\wow priv server\\ascent rev2355\\voicechat.exe"= TCP:c:\wow priv server\ascent rev2355\voicechat.exe:voicechat
"TCP Query User{973B6C0C-30C4-4C26-9CC0-85C87D5DDB36}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{C4D5A769-0A2A-418C-A76D-ACB474A6DCD5}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{DB481E7A-D8DE-440D-B4CD-7CF5E4F2056E}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
"UDP Query User{04B273DB-1581-479E-893B-D4C8522D89D2}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus
"TCP Query User{F13FE205-04AB-49FB-8AF2-2555CD1015FB}c:\\wow priv server\\ascent4296\\ascent-voicechat.exe"= UDP:c:\wow priv server\ascent4296\ascent-voicechat.exe:ascent-voicechat
"UDP Query User{5844484F-1358-41C7-8AC3-3F0DF3FA7679}c:\\wow priv server\\ascent4296\\ascent-voicechat.exe"= TCP:c:\wow priv server\ascent4296\ascent-voicechat.exe:ascent-voicechat
"TCP Query User{7B822A0B-8ACB-4F8D-9B1F-D4EBCF265F83}c:\\wow priv server\\mangos\\diskw\\usr\\local\\mysql\\bin\\mysqld-nt.exe"= UDP:c:\wow priv server\mangos\diskw\usr\local\mysql\bin\mysqld-nt.exe:mysqld-nt
"UDP Query User{3F18D33D-3D82-4489-88C2-E434E9A950B7}c:\\wow priv server\\mangos\\diskw\\usr\\local\\mysql\\bin\\mysqld-nt.exe"= TCP:c:\wow priv server\mangos\diskw\usr\local\mysql\bin\mysqld-nt.exe:mysqld-nt
"TCP Query User{AA22034D-B584-4540-B061-5900DBE448D2}c:\\wow priv server\\mangos\\realmd.exe"= UDP:c:\wow priv server\mangos\realmd.exe:realmd
"UDP Query User{A51B9299-8260-48BF-BC7F-077B91F8ED07}c:\\wow priv server\\mangos\\realmd.exe"= TCP:c:\wow priv server\mangos\realmd.exe:realmd
"TCP Query User{C7BB621B-3E00-4ADC-9B9C-4FF3E80EF934}c:\\wow priv server\\mangos\\diskw\\usr\\local\\apache2\\bin\\apache.exe"= UDP:c:\wow priv server\mangos\diskw\usr\local\apache2\bin\apache.exe:Apache HTTP Server
"UDP Query User{7F08F921-3CD1-420A-A542-6A952DDC9A7B}c:\\wow priv server\\mangos\\diskw\\usr\\local\\apache2\\bin\\apache.exe"= TCP:c:\wow priv server\mangos\diskw\usr\local\apache2\bin\apache.exe:Apache HTTP Server
"TCP Query User{7E43DA87-EA56-4AAD-9D2C-27A288D0D509}c:\\wow priv server\\mangos\\mangosd.exe"= UDP:c:\wow priv server\mangos\mangosd.exe:mangosd
"UDP Query User{8563F540-E8F6-42B5-A446-48F4B5414DD5}c:\\wow priv server\\mangos\\mangosd.exe"= TCP:c:\wow priv server\mangos\mangosd.exe:mangosd
"TCP Query User{F2563B1E-05E5-46CE-B5B9-0091A318A899}c:\\wow priv server\\world of warcraft\\wow-2.2.3.7359-to-2.3.0.7561-dede-downloader.exe"= UDP:c:\wow priv server\world of warcraft\wow-2.2.3.7359-to-2.3.0.7561-dede-downloader.exe:Blizzard Downloader
"UDP Query User{3C3BE374-9FE1-4694-AC1C-5C606FBE09D6}c:\\wow priv server\\world of warcraft\\wow-2.2.3.7359-to-2.3.0.7561-dede-downloader.exe"= TCP:c:\wow priv server\world of warcraft\wow-2.2.3.7359-to-2.3.0.7561-dede-downloader.exe:Blizzard Downloader
"TCP Query User{71F2D1CF-3EDE-4CB4-BE49-83CA2B54844C}c:\\wow priv server\\mangos\\diskw\\usr\\local\\mysql\\bin\\mysqld-nt.exe"= UDP:c:\wow priv server\mangos\diskw\usr\local\mysql\bin\mysqld-nt.exe:mysqld-nt
"UDP Query User{C9F6BF5C-EADE-4EAF-83E1-1BB330ADB0CF}c:\\wow priv server\\mangos\\diskw\\usr\\local\\mysql\\bin\\mysqld-nt.exe"= TCP:c:\wow priv server\mangos\diskw\usr\local\mysql\bin\mysqld-nt.exe:mysqld-nt
"TCP Query User{9685FE59-A5F6-431A-9EC4-1E50D5F62246}c:\\wow priv server\\mangos\\diskw\\usr\\local\\apache2\\bin\\apache.exe"= UDP:c:\wow priv server\mangos\diskw\usr\local\apache2\bin\apache.exe:Apache HTTP Server
"UDP Query User{554663CC-2835-4876-B513-81173B1C9E9A}c:\\wow priv server\\mangos\\diskw\\usr\\local\\apache2\\bin\\apache.exe"= TCP:c:\wow priv server\mangos\diskw\usr\local\apache2\bin\apache.exe:Apache HTTP Server
"TCP Query User{B2D9E753-D456-4723-A223-33DC69EF1E93}c:\\wow priv server\\mangos\\realmd.exe"= UDP:c:\wow priv server\mangos\realmd.exe:realmd
"UDP Query User{8C99852B-361B-4409-B41D-B0BE4E605AA3}c:\\wow priv server\\mangos\\realmd.exe"= TCP:c:\wow priv server\mangos\realmd.exe:realmd
"TCP Query User{DF481289-265C-46E2-B4E7-0BAE9141CBE9}c:\\wow priv server\\mangos\\mangosd.exe"= UDP:c:\wow priv server\mangos\mangosd.exe:mangosd
"UDP Query User{D4C0E9E8-4926-47B3-895A-C9B4BC36471D}c:\\wow priv server\\mangos\\mangosd.exe"= TCP:c:\wow priv server\mangos\mangosd.exe:mangosd
"TCP Query User{2D3485C1-1E0B-43A4-B944-5CC21093C117}c:\\games\\world of warcraft\\repair.exe"= UDP:c:\games\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{DC0D6D6D-A3D9-4250-9054-AABA9EBB52C5}c:\\games\\world of warcraft\\repair.exe"= TCP:c:\games\world of warcraft\repair.exe:Blizzard Repair Utility
"{8C0FF791-C9FB-4AA0-8A42-D200A407AA8E}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{0C0C1653-651A-4737-B0E9-ED5A0A5F1C35}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{92BEE834-A80B-496C-A252-3D7250B9D41A}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{CDBB01D8-DD5D-4483-819C-629968B7D4D3}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{D885030F-40F9-4B6D-B283-8F0001014F64}c:\\games\\world of warcraft\\repair.exe"= UDP:c:\games\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{53F6ECAA-0E60-4F91-9039-54627CC5FA09}c:\\games\\world of warcraft\\repair.exe"= TCP:c:\games\world of warcraft\repair.exe:Blizzard Repair Utility
"{9CF3DAA1-BCAF-448A-92A1-5CD672EDCC3D}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{04343B8F-BA3F-4510-9777-08B0A0524497}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{C5E5B040-CA24-4CB3-B922-829FC00E8FB8}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{9A84FE66-4B8C-4DC4-9A7E-8B7851D39DB5}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{089777C5-01A3-412A-B3D6-DFC34912D1E8}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{419CC374-640B-4BBE-A38E-56C048B18BC2}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"TCP Query User{7CFEF4B0-5CE4-4FB6-BEF9-B30E35F412E8}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"UDP Query User{AF9B94BD-D950-4416-B5CE-2C81F2224BE7}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"{1B3071C9-7A78-4405-93D3-43A88463079E}"= UDP:c:\games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet
"{D845EE0F-708C-4C67-AF71-3B5A08859533}"= TCP:c:\games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet
"{4C8326EA-8439-493D-8C4F-045A6380E6DB}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{871A5DF8-2A09-43E7-A3DD-40DAE6CFC240}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{9616D36F-2BA7-4CAE-AF91-6FC651125110}c:\\program files\\tortun\\gui.exe"= UDP:c:\program files\tortun\gui.exe:gui
"UDP Query User{B9D5CEA6-9603-4BDF-9537-59A549E2492E}c:\\program files\\tortun\\gui.exe"= TCP:c:\program files\tortun\gui.exe:gui
"TCP Query User{E0E4B1AB-377B-4A2E-BA3A-B0B52CE0D9AD}c:\\downloads\\war europe downloader.exe"= UDP:c:\downloads\war europe downloader.exe:WAR Europe Downloader
"UDP Query User{8E58910E-2137-4A73-85CB-51CEEC6D1075}c:\\downloads\\war europe downloader.exe"= TCP:c:\downloads\war europe downloader.exe:WAR Europe Downloader
"{3FCA8E7E-0ABD-41C2-A45B-08BD1B415D8B}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{88C76E93-09F6-4E67-ACD6-FE25F581DAA6}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{15BB45B4-0201-4E71-9A4A-1E00919E0A2D}"= UDP:c:\games\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (CLI)
"{6D727243-043D-4A61-B4D3-6F1CF022D8BC}"= TCP:c:\games\S.T.A.L.K.E.R. - Clear Sky\bin\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (CLI)
"{58364DEF-9FA9-4DBA-B770-510ACDB5CF96}"= UDP:c:\games\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (SRV)
"{E389F1D1-2FFE-404C-B92E-91F8ECB1970E}"= TCP:c:\games\S.T.A.L.K.E.R. - Clear Sky\bin\dedicated\xrEngine.exe:S.T.A.L.K.E.R. - Clear Sky (SRV)
"{265F492E-00C4-4BC5-A591-BA379BFE625E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{23ACCD31-0468-4A88-B4AC-3300BDF5A365}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{2C91063A-5FD0-4627-9F18-5BD61D68F6A2}"= UDP:c:\games\Sid Meier's Civilization IV Colonization\Colonization.exe:Sid Meier's Civilization IV Colonization
"{7DC120F3-B5F9-4816-961A-8DD1843CC9DD}"= TCP:c:\games\Sid Meier's Civilization IV Colonization\Colonization.exe:Sid Meier's Civilization IV Colonization
"{49A4EB2A-1084-469F-965B-4ABF02401EB3}"= UDP:c:\games\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{F40B009F-185A-42F8-962D-534914716557}"= TCP:c:\games\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{53D9CB46-CD75-44A4-A23B-93918CC136DC}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.1-to-3.0.2-enGB-Win-Update-downloader.exe:Blizzard Downloader
"{9E0F0CD9-3EBD-4D6A-905D-2D2467219109}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.1-to-3.0.2-enGB-Win-Update-downloader.exe:Blizzard Downloader
"{426BE81C-58E2-4304-B3BA-6D0E08C1ED08}"= UDP:3724:Blizzard Downloader: 3724
"{BA48EBA5-3D4B-4E67-99BE-FB067DF9466C}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{7BC6C579-6C8B-48E5-B81F-EEBEB9DB66AD}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{3F5431E9-8EEF-462F-8080-F93FB2292BCF}c:\\program files\\hlsw\\hlsw.exe"= UDP:c:\program files\hlsw\hlsw.exe:HLSW Application
"UDP Query User{DFA3DE92-4DFA-4B83-8674-207EFE54B6D3}c:\\program files\\hlsw\\hlsw.exe"= TCP:c:\program files\hlsw\hlsw.exe:HLSW Application
"TCP Query User{F44339F3-4F4C-44CE-8563-8BA53EFAA637}c:\\program files\\gamers.irc\\mirc.exe"= UDP:c:\program files\gamers.irc\mirc.exe:mIRC
"UDP Query User{B283F7D3-A77E-41DA-8688-EAC6A3E0888E}c:\\program files\\gamers.irc\\mirc.exe"= TCP:c:\program files\gamers.irc\mirc.exe:mIRC
"{DBDD668B-7291-4D4D-97FF-FC847FA7B8E7}"= UDP:c:\games\Unreal Tournament 3 (LG)\Binaries\UT3.exe:Unreal Tournament 3
"{4080F414-B19C-4D7E-A4B5-B7814662CA7F}"= TCP:c:\games\Unreal Tournament 3 (LG)\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{9838968C-3A9D-4BA4-B284-F23579287E2A}c:\\games\\quake iii arena\\quake3.exe"= UDP:c:\games\quake iii arena\quake3.exe:quake3
"UDP Query User{E6B7565C-AE30-4226-A2B4-EB719E9D1240}c:\\games\\quake iii arena\\quake3.exe"= TCP:c:\games\quake iii arena\quake3.exe:quake3
"{EBD9498A-3E81-4C92-AAF2-BE806FCC2AD2}"= c:\program files\Electronic Arts\Command & Conquer 3 Kane's Wrath\RetailExe\1.0\cnc3ep1.dat:Command & Conquer(tm) 3: Kane's Wrath
"{02EF15EF-2C81-4109-A2AF-1D8F7B94E62D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C9F84D61-7620-4E80-BE81-D9FE34F0448C}"= UDP:5353:Adobe CSI CS4
"{890B85F1-B2D6-4AB4-B7CA-6333276A6030}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{885010BA-02C9-4E21-AB56-51F2B67B80AA}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{33EF32B0-C3D7-4BD9-A58B-7D8C5061A88C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{AA2ECAAB-114B-4636-8DDF-8BB9ED78B6BF}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{6908B4DC-DC26-4CCE-9017-6BBA2C4B5115}c:\\program files\\icqlite\\icqlite.exe"= UDP:c:\program files\icqlite\icqlite.exe:ICQLite
"UDP Query User{CFA1E92E-AFBD-4B27-8BA8-4422BB924488}c:\\program files\\icqlite\\icqlite.exe"= TCP:c:\program files\icqlite\icqlite.exe:ICQLite
"TCP Query User{FE733BC5-17AA-46CA-AEB3-A1AA4EAF716E}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{ABFFFE90-729B-4A06-8072-6A9BFB6C2E17}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{1F8C65F6-E1F0-47B3-A2DB-B1234D701C24}c:\\czdc 0699 a\\czdc.exe"= UDP:c:\czdc 0699 a\czdc.exe:CZDC
"UDP Query User{D021F534-C61E-483E-ADC2-1CC865B08EA3}c:\\czdc 0699 a\\czdc.exe"= TCP:c:\czdc 0699 a\czdc.exe:CZDC
"TCP Query User{A6ADC903-CF1B-45A5-A65C-0FA1771376F5}c:\\users\\doctor snow\\desktop\\czdc-0699[b2]\\czdc.exe"= UDP:c:\users\doctor snow\desktop\czdc-0699[b2]\czdc.exe:czdc.exe
"UDP Query User{5660FE1A-A3B4-496B-87A7-DD2532BA5DCA}c:\\users\\doctor snow\\desktop\\czdc-0699[b2]\\czdc.exe"= TCP:c:\users\doctor snow\desktop\czdc-0699[b2]\czdc.exe:czdc.exe
"TCP Query User{793F99B2-A457-4A80-82B9-7FED7835B663}c:\\games\\left 4 dead\\left4dead.exe"= UDP:c:\games\left 4 dead\left4dead.exe:left4dead
"UDP Query User{C40A83D3-D07E-4361-8214-143EE88A78C7}c:\\games\\left 4 dead\\left4dead.exe"= TCP:c:\games\left 4 dead\left4dead.exe:left4dead
"TCP Query User{2ED708A1-337D-4653-B01B-9DDCD1A0EB79}c:\\program files\\steam\\steamapps\\dr_snow\\team fortress 2\\hl2.exe"= UDP:c:\program files\steam\steamapps\dr_snow\team fortress 2\hl2.exe:hl2
"UDP Query User{DB009E25-C78C-4A89-A9EA-15D1DC0A1B6C}c:\\program files\\steam\\steamapps\\dr_snow\\team fortress 2\\hl2.exe"= TCP:c:\program files\steam\steamapps\dr_snow\team fortress 2\hl2.exe:hl2
"TCP Query User{73CD9828-BCD6-4D78-A8DB-A33BEF2055A7}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{88E8D555-AC6C-4861-B95B-B87ADD36519C}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{D0E95160-E088-428A-A4D3-D2E1A80BB84F}"= UDP:c:\games\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"{328E6993-EEF4-4950-B5A7-FFF3AE2C4291}"= TCP:c:\games\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:Rockstar Games Social Club
"TCP Query User{8554A19F-6DC5-4599-A41D-EC3A8B260ED6}c:\\program files\\icq6.5\\icq.exe"= UDP:c:\program files\icq6.5\icq.exe:ICQ Library
"UDP Query User{0A0EE27A-6D6F-4E3B-95FF-A184290A50E1}c:\\program files\\icq6.5\\icq.exe"= TCP:c:\program files\icq6.5\icq.exe:ICQ Library
"TCP Query User{879FFD96-B5A3-46AD-B877-7BBF6A99EB5B}c:\\games\\rise of the argonauts\\binaries\\riseoftheargonauts.exe"= UDP:c:\games\rise of the argonauts\binaries\riseoftheargonauts.exe:RiseOfTheArgonauts
"UDP Query User{519FE8D3-E81C-4CA9-AAD8-A376F52A0766}c:\\games\\rise of the argonauts\\binaries\\riseoftheargonauts.exe"= TCP:c:\games\rise of the argonauts\binaries\riseoftheargonauts.exe:RiseOfTheArgonauts
"{9957C8E4-0369-4598-9ADC-B1AF0305AB9E}"= UDP:c:\games\Mirror's Edge\Binaries\MirrorsEdge.exe:Mirror's Edge™
"{1E5A9E93-641E-4B36-A1CF-3F4C9E52BAD8}"= TCP:c:\games\Mirror's Edge\Binaries\MirrorsEdge.exe:Mirror's Edge™

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 appdrv01;Application Driver (01);c:\windows\System32\drivers\appdrv01.sys [2008-09-20 2915944]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [2008-10-08 99344]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [2008-10-08 25104]
R1 Ext2fs;Ext2fs;c:\windows\System32\drivers\ext2fs.sys [2009-01-24 189888]
R1 IfsMount;IfsMount;c:\windows\System32\drivers\ifsmount.sys [2009-01-24 60352]
R1 SSHDRV86;SSHDRV86;c:\windows\System32\drivers\SSHDRV86.sys [2008-03-19 81408]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2008-09-07 47640]
S3 GliderII;GliderII;c:\games\World of Warcraft\Glider 2\GliderII.sys [2008-11-27 31232]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\System32\drivers\hcw95bda.sys [2008-10-23 560640]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\System32\drivers\hcw95rc.sys [2008-10-23 15616]
S3 RTCore32;RTCore32;c:\program files\RMClock\RTCore32.sys [2008-08-26 4608]
S3 RTL85n86;Realtek 8180/8185 Extensible 802.11-Drahtlosgerätetreiber;c:\windows\System32\drivers\RTL85n86.sys [2006-11-02 311808]
S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\System32\drivers\CM106.sys [2008-09-20 1313792]
S4 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
S4 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [2008-10-23 436224]
S4 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [2008-10-23 815104]

--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\1\Command - g:\.\recycled\info.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL g:\.\recycled\info.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4364451b-db21-11dd-a4d4-fb9d8f49b722}]
\shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43644523-db21-11dd-a4d4-fb9d8f49b722}]
\shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43644524-db21-11dd-a4d4-fb9d8f49b722}]
\shell\AutoRun\command - I:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bda979f-f72c-11dc-8819-001641debfe7}]
\shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4fb7c26-a75a-11dd-80ec-001641debfe7}]
\shell\AutoRun\command - E:\Autorun.exe
.
Inhalt des "geplante Tasks" Ordners

2009-02-04 c:\windows\Tasks\1-Klick-Wartung.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-05-17 14:04]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

BHO-{F0FFC608-E0E7-48FD-B4EE-55F7058A66EE} - c:\windows\system32\ljJyvtrQ.dll
MSConfigStartUp-BLASC - c:\program files\buffed\BLASC.exe
MSConfigStartUp-CLHomeMediaServer - c:\program files\CyberLink\CyberLink Live\CLHomeMediaServer.exe
MSConfigStartUp-CLPushUpdate - c:\program files\CyberLink\CyberLink Live\CLPushUpdate.exe
MSConfigStartUp-CTSyncU - c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe
MSConfigStartUp-igndlm - c:\program files\Download Manager\DLM.exe
MSConfigStartUp-LogitechCommunicationsManager - c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
MSConfigStartUp-LogitechQuickCamRibbon - c:\program files\Logitech\QuickCam\Quickcam.exe
MSConfigStartUp-TVBroadcast - c:\program files\Sceneo\Bonavista\SERVICES\ODSBC\ODSBCApp.exe
MSConfigStartUp-UVS10 Preload - c:\program files\Ulead Systems\Ulead VideoStudio 10.0\uvPL.exe
MSConfigStartUp-Cm106Sound - cm106.cpl


.
------- Zusätzlicher Suchlauf -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = msm.local.ipcop:8080
uInternet Settings,ProxyOverride = *.local
IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: moove.com
TCP: {BC368224-6EF8-401F-9E64-30F31C1055F0} = 193.254.160.130 193.254.160.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\Doctor Snow\AppData\Roaming\Mozilla\Firefox\Profiles\gc5572vh.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://de.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:de:official
FF - component: c:\users\Doctor Snow\AppData\Roaming\Mozilla\Firefox\Profiles\gc5572vh.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\programme\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\users\Doctor Snow\AppData\Roaming\Mozilla\Firefox\Profiles\gc5572vh.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX Richtlinien ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.01.01);user_pref(general.useragent.extra.zencast, .

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 15:59:54
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(3480)
c:\windows\system32\btncopy.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\System32\conime.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-02-04 16:07:30 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-02-04 15:07:05

Vor Suchlauf: 27 Verzeichnis(se), 27.836.948.480 Bytes frei
Nach Suchlauf: 27 Verzeichnis(se), 26,228,199,424 Bytes frei

515 --- E O F --- 2009-01-09 17:20:36

und hier die letzten 3 Monate der datfind.bat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: F00D-9A6B

Verzeichnis von c:\

04.02.2009 16:14 0 dirdat.txt
04.02.2009 16:07 47.225 ComboFix.txt
04.02.2009 15:59 2.146.791.424 hiberfil.sys
04.02.2009 15:59 2.460.626.944 pagefile.sys
04.02.2009 12:42 0 ntuser.dat.LOG2
04.02.2009 12:42 0 ntuser.dat.LOG1
04.02.2009 12:42 0 ntuser.dat
04.02.2009 12:38 0 ARK27B9.tmp
04.02.2009 12:28 135 VundoFix.txt
04.02.2009 07:17 0 ARKCE20.tmp
23.11.2008 18:19 268 sqmdata19.sqm
23.11.2008 18:19 244 sqmnoopt19.sqm
26.10.2008 00:20 268 sqmdata18.sqm
26.10.2008 00:20 244 sqmnoopt18.sqm

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: F00D-9A6B

Verzeichnis von C:\Windows\system32

04.02.2009 15:59 3.296 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
04.02.2009 15:59 3.296 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
04.02.2009 12:42 322 FixVundo.log
04.02.2009 07:16 0 fb2e5eba-.txt
01.02.2009 01:35 587.178 perfh009.dat
01.02.2009 01:35 101.250 perfc009.dat
01.02.2009 01:35 618.442 perfh007.dat
01.02.2009 01:35 122.842 perfc007.dat
01.02.2009 01:35 1.418.806 PerfStringBackup.INI
29.01.2009 22:23 66.872 PnkBstrA.exe
24.01.2009 16:41 37.376 vTlLeEUm.dll
24.01.2009 15:04 37.376 wvUkHWMF.dll
24.01.2009 13:47 126.976 UAService7.exe
09.01.2009 20:08 2.197.512 FNTCACHE.DAT
19.12.2008 11:27 147.192 guard32.dll
12.12.2008 06:52 3.578.880 mshtml.dll
10.12.2008 00:24 17.593.280 mrt.exe
06.11.2008 14:14 11.580.928 shell32.dll
04.11.2008 10:30 90.112 QuickTimeVR.qtx
04.11.2008 10:30 57.344 QuickTime.qts
02.11.2008 16:54 1.394 lvcoinst.log
02.11.2008 15:02 7.680 ff_vfw.dll
01.11.2008 04:44 28.672 Apphlpdm.dll
01.11.2008 02:21 4.240.384 GameUXLegacyGDFs.dll
25.10.2008 22:42 101.888 ifxcardm.dll
25.10.2008 22:42 82.432 axaltocm.dll
25.10.2008 22:05 152.576 SPWizUI.dll
25.10.2008 22:05 47.560 SPReview.exe
25.10.2008 21:06 107.832 PnkBstrB.exe
25.10.2008 21:06 2.250.024 pbsvc.exe
25.10.2008 21:03 56 ezsidmv.dat
23.10.2008 16:36 5.331 UnEPGService.LOG
23.10.2008 16:36 30 UNWISE.INI
23.10.2008 16:35 50.949 HCW_ChanDB.LOG
22.10.2008 02:22 2.048 tzres.dll
21.10.2008 06:25 296.960 gdi32.dll
18.10.2008 02:11 57 pbuser.htm
18.10.2008 02:11 9.678 pbgame.htm
17.10.2008 09:29 70.936 PhysXLoader.dll
16.10.2008 22:13 1.809.944 wuaueng.dll
16.10.2008 22:12 561.688 wuapi.dll
16.10.2008 22:09 51.224 wuauclt.exe
16.10.2008 22:09 43.544 wups2.dll
16.10.2008 22:08 34.328 wups.dll
16.10.2008 21:56 1.524.736 wucltux.dll
16.10.2008 21:55 83.456 wudriver.dll
16.10.2008 20:35 83.288 LMIRfsClientNP.dll
16.10.2008 20:35 10.040 lmimirr2.dll
16.10.2008 20:35 23.736 lmimirr.dll
16.10.2008 20:35 87.352 LMIinit.dll
16.10.2008 14:08 162.064 wuwebv.dll
16.10.2008 13:56 31.232 wuapp.exe
16.10.2008 05:47 827.392 wininet.dll
16.10.2008 05:47 1.166.336 urlmon.dll
16.10.2008 05:47 466.944 netapi32.dll
16.10.2008 05:47 671.232 mstime.dll
16.10.2008 05:47 28.160 jsproxy.dll
16.10.2008 05:47 6.068.736 ieframe.dll
16.10.2008 05:47 270.336 iertutil.dll
15.10.2008 09:04 288.024 PhysXCompatCplUI.exe
15.10.2008 09:04 288.024 PhysXCplUI.exe
07.10.2008 09:13 197.912 physxcudart_20.dll
07.10.2008 09:13 23.320 PhysXDevice.dll
07.10.2008 09:13 214.296 PhysX.cpl
07.10.2008 09:13 58.648 AgCPanelTraditionalChinese.dll
07.10.2008 09:13 58.648 AgCPanelPortugese.dll
07.10.2008 09:13 58.648 AgCPanelKorean.dll
07.10.2008 09:13 58.648 AgCPanelSpanish.dll
07.10.2008 09:13 58.648 AgCPanelSwedish.dll
07.10.2008 09:13 58.648 AgCPanelGerman.dll
07.10.2008 09:13 58.648 AgCPanelJapanese.dll
07.10.2008 09:13 58.648 AgCPanelFrench.dll
07.10.2008 09:13 58.648 AgCPanelSimplifiedChinese.dll
06.10.2008 11:31 444.952 wrap_oal.dll
06.10.2008 11:31 109.080 OpenAL32.dll
05.10.2008 15:09 355.584 TuneUpDefragService.exe
02.10.2008 02:32 1.383.424 mshtml.tlb

Verzeichnis von C:\Windows

04.02.2009 16:09 17.370 WindowsUpdate.log
04.02.2009 15:59 215 system.ini
04.02.2009 15:59 67.584 bootstat.dat
04.02.2009 15:57 1.660 bthservsdp.dat
02.02.2009 20:48 69 NeroDigital.ini
07.12.2008 19:34 6.413 HCWPNP.INI
20.11.2008 18:21 346 win.ini
02.11.2008 12:39 194 disney.ini
29.10.2008 07:29 2.927.104 explorer.exe
25.10.2008 23:14 749 WindowsShell.Manifest
25.10.2008 22:35 196.608 SPInstall.etl
23.10.2008 16:58 1.462 vtplus32.ini
23.10.2008 16:36 32.133 Irremote.ini
23.10.2008 16:35 135 ODBC.INI
23.10.2008 16:35 209 ODBCINST.INI
18.10.2008 12:00 525 QIII.INI
06.10.2008 21:01 300 game.ini

Verzeichnis von C:\Users\DOCTOR~1\AppData\Local\Temp

04.02.2009 16:13 0 etilqs_4PEgVaRflVVFNi6BfCG2
04.02.2009 16:09 31.832 Doctor Snow.bmp
04.02.2009 16:07 47.225 log.txt

#2 Start > Ausführen> Kopiere rein ComboFix /U OK

Download OTCleanIt. by OldTimer zum Desktop
Schliesse alle Fenster
Doppelklick: OTCleanIt.
Klicke: CleanUp
cleanup.txt wird vom Internet geladen , von Firewall zulassen!
Wenn gefragt wird “Do you want to reboot now?”klicke “Yes”
Dein Rechner wird neu gestartet
Vista benutzer: rechtermausklick auf OTCleanIt.exe und waehle "Run as an Administrator"

Download MalwareBytes' Anti-Malware
Malwarebytes Anti-Malware fuer Windows NT/2000/XP/2003 Server/Vista/2008 Server
Download link 1 MalwareBytes' Anti-Malware
Download link 2 MalwareBytes' Anti-Malware
Download link 3 MalwareBytes' Anti-Malware
Download link 4 MalwareBytes' Anti-Malware
Download link 5 MalwareBytes' Anti-Malware
Doppelklick mbam-setup und waehle Deutsch ,das Program wird jetzt ge-updatet

Wähle bei Reiter:
“Update “> klicke “Suche nache Aktualisierungen “
“Einstellungen“ hake an “Beende Inter Explorer während des Löschvorgangs“
“Scanner”> "Quick-scan durchführen".
Scan laufen lassen
Wenn am Ende infizierungen gefunden werden,anhaken und entfernen lassen
Starte dein Rechner neu
Unter Scanberichte stet das log (mbam-log-XX-XX-XXXX.txt)
Poste dessen inhalt hier ins Forum
Note:
Wenn MBAM Schwierigkeiten damit hat Daten zu entfernen wird es gemeldet und klicke OK
Danach wird gefragt den Rechner neu zu starten,lass es zu
Malwarebytes Anti-Malware kann man nachher behalten !

Entferne Hijack This 1.99.1 und……..

Download: Trend Micro Hijack This™
Lade/entpacke HijackThis in einen extra Ordner z.b C:\Programme\Hijack This
Doppelklick HJTInstall.exe und installiere das Tool in C:\Programme\Hijack This
Am Ende steht auf dein Desktop eine verknüpfung

Starte Hijack This und klicke “Do a system scan and safe a logfile”
Save log --> hijackthis.log - Save - es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"
Windows Vista rechtsklick auf HijackThis.exe waehle "Run as Administrator".
__________
MfG Argus

#3 Malwarebytes' Anti-Malware 1.33
Datenbank Version: 1736
Windows 6.0.6001 Service Pack 1

07.02.2009 15:56:04
mbam-log-2009-02-07 (15-56-04).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 49043
Laufzeit: 4 minute(s), 28 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

------
Avira hat aber 3 mal gemeckert das er ein trojaner gefunden hat. Hab Löschen gewählt und es war still.
------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:21:50, on 07.02.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE
C:\Program Files\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = msm.local.ipcop:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: *.moove.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4715 bytes

#4 Verborgene Dateien sichtbar machen
Arbeitsplatz öffnen >Extras >Ordneroptionen >den Reiter "Ansicht" >Versteckte Dateien und Ordner >"alle Dateien und Ordner anzeigen" aktivieren und >Extras >Ordneroptionen >den Reiter "Ansicht" >Dateien und Ordner >"Geschützte Systemdateien ausblenden (empfohlen)" deaktivieren
VISTA
Öffnen Sie den Explorer und gehen in der oberen linken Ecke auf „Organisieren“.
Wählen Sie den Punkt Ordner und Suchoptionen.
Im Register „Ansicht“ gehen Sie auf
„Versteckte Dateien und Ordner“ und wählen hier, alle Dateien und Ordner anzeigen.
Bestätigen Sie nun mit O.K. um diese Änderung zu übernehmen.

Prüfe mal diese Datei(en) bei Virustotal

Zitat

c:\windows\System32\vTlLeEUm.dll
c:\windows\System32\wvUkHWMF.dll

Note: Wenn bei VirusTotal die Meldung kommt ” Die Datei wurde bereits analysiert “wähle „Analysiere die Datei“
Poste die Daten
Poste nur die URL am Ende(der link oben in der leiste)
__________
MfG Argus

#5 Ich habe mir das jetzt mal einfach gemacht und meine Festplatte formatiert. Sie hatte es eh mal nötig. (Nach über einem Jahr folterung unter meinen fittichen war es bitter nötig).

Ich danke dir für deine ausführliche Hilfe.