Ein paar offensichtliche Dateien kanns du schonmal löschen, geh dazu so vor:

1.) Lade dir das Tool Avenger und speichere es auf dem Desktop:



2.) Klicke nun auf die Option „Input Script manually“ -> klicke jetzt auf die Lupe und kopiere folgenden Text rein:

Zitat:

Files to delete:
C:\WINDOWS\system32\rwinrldt.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\kqdsrngk.exe
C:\WINDOWS\system32\gzmrot-uninst.exe
C:\WINDOWS\system32\rwinrldt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\dwdsrngt.exe

Folders to delete:
C:\Programme\outlook\

3.) Klicke nun auf die „grüne Ampel“, das Script fängt an zu arbeiten.



4.) Danach das System unverzüglich neu starten lassen
5.) Poste den Inhalt der C:\avenger.txt Datei.

Führ danach mal dieses script aus und mail mir die Datei listing.txt (liegt aufm Desktop, Datei zu groß fürs Board) => Mail an cosinus
Besorg dir auch das script von Silentrunners, führe es aus und poste davon das Logfile. Dazu musst du die Silentrunners.vbs aufm Desktop speichern und doppelklicken.

Kann leider nicht den Inhalt der C:\avenger.txt Datei posten, denn da stand nichts drin.
Nach dem Neustart stand da nur, dass irgend etwas nicht gefunden wurde.

und bei silentrunners ist auch nichts bei rausgekommen.
Hab gescannt und nach dem scann stand nichts in der Liste.

Überprüf mal bitte ob Windows script Host aktiv ist. Öffne regedit und navigiere zu

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows Script Host/Settings

stell sicher, dass rechts die Zeichenfolge "Enabled" den Wert 1 hat. Wenn nicht auf 1 setzen! Probier es dann mit dem Avenger und silentrunners noch einmal.

Ok, bis HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows Script Host/Settings , bin ich gekommen, doch darin sind nur:
(Standart)
ActiveDebugging
DisplayLogo
SilentTerminate
UseWINSAFER

mehr nicht. Also Enabled auch nicht.
???

Klick dort im rechten Teilfenster auf einen leeren Bereich mit rechts und sag Neu -> Zeichenfolge. Benenn diese "Enabled" (Groß-/Kleinschreibung beachten) und verpass ihr den Wert 1.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xukpupvp

*******************

Script file located at: \??\C:\WINDOWS\system32\bpgsrnch.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\rwinrldt.exe deleted successfully.
File C:\WINDOWS\system32\winpfz32.sys deleted successfully.
File C:\WINDOWS\system32\zxdnt3d.cfg deleted successfully.
File C:\WINDOWS\system32\kqdsrngk.exe deleted successfully.
File C:\WINDOWS\system32\gzmrot-uninst.exe deleted successfully.


File C:\WINDOWS\system32\rwinrldt.exe not found!
Deletion of file C:\WINDOWS\system32\rwinrldt.exe failed!

Could not process line:
C:\WINDOWS\system32\rwinrldt.exe
Status: 0xc0000034

File C:\WINDOWS\system32\msnav32.ax deleted successfully.
File C:\WINDOWS\system32\dwdsrngt.exe deleted successfully.
Folder C:\Programme\outlook deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Ok, das sieht schon mal besser aus. Die Dateien hat er gelöscht. Führ bitte noch die anderen Tools aus.

"Silent Runners.vbs", revision 52, [h**p://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"ICQ" = ""C:\Programme\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"StorageGuard" = ""C:\Programme\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"ExploreUpdSched" = "C:\WINDOWS\system32\rwinrldt.exe P2D002" [file not found]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{055FD26D-3A88-4e15-963D-DC8493744B1D}\(Default) = "XTTBPos00"
-> {HKLM...CLSID} = "XTTBPos00 Class"
\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

Das Logfile von Silentrunners ist nicht vollständig!

"Silent Runners.vbs", revision 52, h**p://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"ICQ" = ""C:\Programme\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"StorageGuard" = ""C:\Programme\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"ExploreUpdSched" = "C:\WINDOWS\system32\rwinrldt.exe P2D002" [file not found]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{055FD26D-3A88-4e15-963D-DC8493744B1D}\(Default) = "XTTBPos00"
-> {HKLM...CLSID} = "XTTBPos00 Class"
\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Meine freigegebenen Ordner"
\InProcServer32\(Default) = "C:\Programme\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson Datei-Manager"
-> {HKLM...CLSID} = "Sony Ericsson Datei-Manager"
\InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "none" [file not found]


Startup items in "" & "All Users" startup folders:
------------------------------------------------------

C:\Dokumente und Einstellungen\***\Startmenü\Programme\Autostart
"clock1363762907" -> shortcut to: "C:\Dokumente und Einstellungen\***\***p\mtv_gillette_download_de_13\clock.exe" [file not found]
"Think-Adz" -> shortcut to: "C:\WINDOWS\system32\rwinrldt.exe P2D002" [file not found]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"hp psc 1000 series" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]
"hpoddt01.exe" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"FRU Task #Hewlett-Packard#hp psc 1200 series#1166194764" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1166194764"" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Programme\MSN Messenger\usnsvc.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-09-23 10:40:04)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 44 seconds, including 14 seconds for message boxes)

das sieht auch gut aus.
Aus der Registry löschen kannst du aber den Eintrag

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExploreUpdSched

Das ist der, den der Schädling angelegt hat, nun aber unwirksam, da die Datei, die dadurch aufgerufen wird, ja nicht mehr da ist. Ansonsten hab ich da keine weiteren bedenklichen Einträge gefunden. Allerdings solltest du mal den alten Adobe Reader deinstallieren und die neue Version verwenden.

Schick mir abschließend nochmal das "listing.txt" per Mail und poste hier noch ein frisches HJT-logfile.

Wie finde ich denn
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ExploreUpdSched
???

Hklm = Hkey_local_machine

Ich hab es immernoch nicht gefunden. Wo soll ich denn danach suchen? Oder mit was soll ich danach suchen?