hallo, ich habe folgendes problem.
ich habe mir das antivirenprogramm bitdefender draufgezogen und und einen scan gemacht.
dort zeigt er mir an, das ich 1-nen virus habe namens "trojan downloader agent yfz, die datei svchost16.exe im verzeichniss windows\system32 sei damit infiziert.
nun ist das problem, dass ich diese datei (svchost16.exe) nicht.
was für mich sehr beunruhigend ist. bitdefender sagt weiterhin, es ist dier downloader.

so meine frage ist, wie kann ich ihn entfernen?

-ich habe schon nen kaspersky online scan gemacht und der hat nichts gefunden
-ich habe spywaredoctor 5.1 drüberlaufen lassen, der hat zwar was gerfunden, was nicht diesen trojaner

mein HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48:17, on 31.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programme\CyberLink\Shared files\RichVideo.exe
C:\Programme\Spyware Doctor\svcntaux.exe
C:\Programme\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
C:\Programme\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\ASUS\WLAN Card Utilities\Center.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Comodo\Firewall\CPF.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Programme\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://google.daemonsearch.com/de/ý
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Control Center] C:\Programme\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programme\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Programme\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Programme\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programme\Comodo\Firewall\cmdagent.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Programme\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7841 bytes

Hallo.

Das sieht schon fast aus, als wenn sie im alternate data stream drin wär. Mach mal folgendes:

- Streams.zip herunterladen, entpacken und die streams.exe nach c:\windows\system32 kopieren
- öffne dann die Konsole mit Start, Ausführen, cmd eintippen und ausführen
- in der Konsole diesen Befehl eintippen:

Code: Alles auswählenAufklappen

ATTFilter

streams -s c:\ > c:\streams.txt
         

Nach getaner Zeit sollte das Programm durch sein. Öffne dann mal die Datei c:\streams.txt und poste den Inhalt hier.

so hab ich gemacht und der inhalt der streams.txt ist:


das schreib ich heute nachmitag

denne sEb

da ich meinen vorherigen text nicht editieren kann (?)
ausserdem hat wiederwas versucht auf systemevolumen zuzugreifen...siehe screen
hier meine txt datei


Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - Microsoft TechNet: Windows Sysinternals


Error opening c:\pagefile.sys:
Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.

c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:
:DFC5A2B2:$DATA 142
.
c:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Bilder\Beispielbilder\Thumbs.db:
:encryptable:$DATA 0
..

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..
Error opening c:\System Volume Information\_restore{9E86A35B-6EB0-4EA1-83B2-A2E37327F7FF}\RP59\A0018992.dll:
Ein an das System angeschlossenes Gerät funktioniert nicht.
.


c:\WINDOWS\system32:
:svchost16:$DATA 7834
:svchost16.exe:$DATA 1148416
...

...

...

...

...

...

...

...

...

.

Code: Alles auswählenAufklappen

ATTFilter

c:\WINDOWS\system32:
:svchost16:$DATA 7834
:svchost16.exe:$DATA 1148416
         

Dass sich schonmal ein Schädling ins ADS eingenistet steht damit fest. Mach das gleiche wie eben nochmal, nur führe diesmal diesen Befehl aus:

Code: Alles auswählenAufklappen

ATTFilter

streams -s -d c:\ > c:\streams.txt
         

Poste danach wieder die streams.txt. Und für weitere Analysen das hier:

- eScan
- Silentrunners
- combofix

also silencer und escan hab ich schon und stream macht grad is bald fertig..

hier schonma escan:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2007.06.16.01

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: NETWORK

eScan Version: 9.5.1
Sprache: German
C:\DOKUME~1\KRAWAL~1\LOKALE~1\Temp\MWAV.LOG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Object "smitfraud Browser Hijacker" in Dateisystem gefunden! Folgende Maßnahme wurde durchgeführt: Keine Aktion vorgenommen.
System found infected with ezula Spyware/Adware (internet.lnk)! Action taken: Keine Aktion vorgenommen.


~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Offending file found: C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\microsoft\internet explorer\quick launch\internet.lnk
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Offending Folder found: C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\icq\bart\1024
~~~~~~~~~~~
Registry
~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diverses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Prozesse und Module
~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Scanfehler
~~~~~~~~~~~~~~~~~~~~~~
C:\MSOCache\All Users\{90120000-00A1-0407-0000-0000000FF1CE}-C\OnoteLR.cab nicht gescannt. Wahrscheinlich durch Passwort geschützt...
~~~~~~~~~~~~~~~~~~~~~~
Hosts-Datei
~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
Zeilen die nicht dem Standard entsprechen:
C:\WINDOWS\System32\drivers\etc\hosts :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan-Optionen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Specherüberprüfung: Aktiviert
Registry Überprüfung: Aktiviert
System-Ordner Überprüfung: Aktiviert
Überprüfung der Systembereiche: Deaktiviert
Überprüfung der Dienste: Aktiviert
Überprüfung der Festplatten: Deaktiviert
Überprüfung aller Festplatten :Aktiviert

Batchstart: 19:23:02,71
Batchende: 19:23:05,51




und hier silencer:


"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Control Center" = "C:\Programme\ASUS\WLAN Card Utilities\Center.exe" ["ASUSTeK COMPUTER INC."]
"StartCCC" = ""C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"" [null data]
"OSSelectorReinstall" = "C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [null data]
"COMODO Firewall Pro" = ""C:\Programme\Comodo\Firewall\CPF.exe" /background" ["COMODO"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"GrooveMonitor" = ""C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NWEReboot" = "(empty string)" [file not found]
"BDMCon" = "C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" ["SOFTWIN S.R.L."]
"BDAgent" = ""C:\Programme\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]
"SDTray" = ""C:\Programme\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com"
-> {HKLM...CLSID} = "Octh Class"
\InProcServer32\(Default) = "C:\Programme\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\KrawallSchachtel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "KrawallSchachtel" & "All Users" startup folders:
------------------------------------------------------------------

C:\Dokumente und Einstellungen\KrawallSchachtel\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{36ECAF82-3300-8F84-092E-AFF36D6C7040}\
"ButtonText" = "Run WinHTTrack"
"MenuText" = "Launch WinHTTrack"
"CLSIDExtension" = "{86529161-034E-4F8A-88D2-3C625E612E04}"
-> {HKLM...CLSID} = "WinHTTrackLauncher Class"
\InProcServer32\(Default) = "C:\Programme\WinHTTrack\WinHTTrackIEBar.dll" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Adobe LM Service, Adobe LM Service, ""C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
ATI Smart, ATI Smart, "C:\WINDOWS\system32\ati2sgag.exe" [empty string]
BitDefender Communicator, XCOMM, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["SOFTWIN S.R.L"]
BitDefender Desktop Update Service, LIVESRV, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]
BitDefender Scan Server, bdss, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
BitDefender Virus Shield, VSSERV, ""C:\Programme\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]
Comodo Application Agent, CmdAgent, "C:\Programme\Comodo\Firewall\cmdagent.exe" ["COMODO"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Programme\CyberLink\Shared files\RichVideo.exe"" [empty string]
Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Microsoft Office Diagnostics Service, odserv, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE"" [MS]
Microsoft Office Groove Audit Service, Microsoft Office Groove Audit Service, ""C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe"" [MS]
Netzwerkversorgungsdienst, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Office Source Engine, ose, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
PC Tools Auxiliary Service, sdAuxService, "C:\Programme\Spyware Doctor\svcntaux.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Programme\Spyware Doctor\swdsvc.exe" ["PC Tools"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Windows CardSpace, idsvc, ""C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2007-11-01 19:23:44)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 47 seconds, including 10 seconds for message boxes)

hier ist stream:



Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


Error opening c:\pagefile.sys:
Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.

c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:
Deleted :DFC5A2B2:$DATA
...

.
Error opening c:\System Volume Information\_restore{9E86A35B-6EB0-4EA1-83B2-A2E37327F7FF}\RP59\A0018992.dll:
Ein an das System angeschlossenes Gerät funktioniert nicht.
..

.

is da nochwas drinne oder, ni? also bitdefender findet niX mehr...aber man weiss ja nie...

Das sieht schonmal gut aus. Allerdings sagt das Streams-Logfile nichts von einer Löschung der svchost16.exe - führ daher nochmal den ersten Befehl aus

streams -s c:\ > c:\streams.txt

Machst du noch den combofix?

oki, hier ist

combofix:

ComboFix 07-11-01.1** - KrawallSchachtel 2007-11-03 18:26:52.2 - NTFSx86
ausgeführt von:: C:\Dokumente und Einstellungen\KrawallSchachtel\Desktop\virus\ComboFix.exe
.

((((((((((((((((((((((( Dateien erstellt von 2007-10-03 bis 2007-11-03 ))))))))))))))))))))))))))))))
.

2007-11-02 17:32 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-11-01 19:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 18:52 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-11-01 18:52 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-11-01 18:52 <DIR> d-a------ C:\WINDOWS\system32\systems.txt
2007-11-01 18:52 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-11-01 18:52 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-11-01 18:52 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-11-01 18:52 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-11-01 18:49 153,600 --a------ C:\WINDOWS\R.COM
2007-11-01 18:49 140,800 --a------ C:\WINDOWS\system32\T.COM
2007-11-01 18:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-11-01 18:46 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmenü
2007-11-01 18:46 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-11-01 18:46 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-11-01 18:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2007-11-01 18:46 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-11-01 18:46 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-11-01 08:38 87,424 --a------ C:\WINDOWS\system32\streams.exe
2007-10-31 20:46 <DIR> d-------- C:\Programme\Trend Micro
2007-10-31 19:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-31 19:19 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-10-31 18:44 <DIR> d-------- C:\Programme\Spyware Doctor
2007-10-31 18:44 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\PC Tools
2007-10-31 18:44 <DIR> d-a------ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2007-10-31 18:44 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 18:44 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-31 18:44 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-31 18:44 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-31 18:44 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-31 18:19 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2007-10-31 17:32 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avg7
2007-10-31 17:12 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\Bitdefender
2007-10-31 17:11 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\BitDefender
2007-10-31 16:19 <DIR> d-------- C:\kav
2007-10-31 14:28 <DIR> d-------- C:\Programme\DivX
2007-10-31 13:24 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\SiteAdvisor
2007-10-31 00:12 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\McAfee
2007-10-30 23:49 <DIR> d-------- C:\Programme\No23 Recorder
2007-10-30 23:25 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-30 22:59 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab Setup Files
2007-10-29 21:18 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-10-29 21:18 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-29 21:18 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-29 21:18 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-10-26 16:45 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-10-26 16:45 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-10-26 16:45 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-25 17:23 238,080 --a------ C:\WINDOWS\windivx32.exe
2007-10-24 15:15 <DIR> d-------- C:\Programme\ICQ6
2007-10-24 15:12 1,386,496 --a------ C:\WINDOWS\system\MSVBVM60.DLL
2007-10-24 15:09 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\ICQ
2007-10-21 16:43 <DIR> d-------- C:\Programme\WinHTTrack
2007-10-20 18:34 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\CyberLink
2007-10-20 16:09 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-20 16:09 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-20 16:09 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-20 16:09 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-20 11:54 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-19 23:59 <DIR> d-------- C:\Programme\Realtek Sound Manager
2007-10-19 23:59 <DIR> d-------- C:\Programme\AvRack
2007-10-19 23:59 9,179,648 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2007-10-19 23:59 2,284,864 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-10-19 23:59 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2007-10-19 23:59 73,728 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-10-19 23:59 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2007-10-19 23:58 208,896 --------- C:\WINDOWS\alcupd.exe
2007-10-19 23:58 139,264 --------- C:\WINDOWS\alcrmv.exe
2007-10-19 14:31 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\FileZilla
2007-10-19 10:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CyberLink
2007-10-19 10:39 <DIR> d-------- C:\Programme\CyberLink
2007-10-17 12:14 <DIR> d-------- C:\WINDOWS\ftpcache
2007-10-17 09:14 <DIR> d-------- C:\Programme\QuickTime
2007-10-17 09:14 <DIR> d-------- C:\Programme\Apple Software Update
2007-10-17 09:14 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple Computer
2007-10-17 09:14 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple
2007-10-16 09:16 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe Systems
2007-10-16 09:14 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Adobe Systems Shared
2007-10-13 15:33 <DIR> d-------- C:\Programme\MSXML 4.0
2007-10-12 10:34 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MAGIX
2007-10-12 10:34 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-10-12 10:34 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-10-12 10:34 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-10-12 10:33 <DIR> d-------- C:\Programme\Gemeinsame Dateien\MAGIX Shared
2007-10-12 09:47 <DIR> d-------- C:\Programme\VstPlugins
2007-10-12 09:47 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2007-10-12 09:44 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\Thunderbird
2007-10-12 08:51 <DIR> d-------- C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\Steinberg
2007-10-12 08:49 <DIR> d-------- C:\Programme\Syncrosoft
2007-10-12 08:49 704,512 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-10-12 08:49 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2007-10-12 08:49 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-10-12 08:49 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-10-12 08:49 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys
2007-10-11 23:12 <DIR> d-------- C:\Downloads
2007-10-11 20:08 <DIR> d-------- C:\WINDOWS\Sun
2007-10-11 20:07 <DIR> d-------- C:\Programme\Java
2007-10-11 20:07 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Java
2007-10-11 15:51 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 16:41 12,528 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 14:31 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-10-11 13:05 --------- d-----w C:\Programme\MSBuild
2007-10-11 09:57 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-11 07:59 --------- d-----w C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\ATI
2007-10-11 07:59 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ATI
2007-10-11 07:57 --------- d-----w C:\Programme\Gemeinsame Dateien\InstallShield
2007-10-11 07:57 --------- d-----w C:\Programme\ATI Technologies
2007-10-11 07:49 --------- d-----w C:\Programme\Reference Assemblies
2007-10-11 07:32 --------- d-----w C:\Programme\ASUS
2007-10-11 07:29 --------- d-----w C:\Programme\Marvell
2007-10-11 07:28 --------- d-----w C:\Programme\VIA
2007-10-11 07:23 --------- d-----w C:\Programme\microsoft frontpage
2007-10-11 07:22 --------- d-----w C:\Programme\Online-Dienste
2007-10-11 07:21 --------- d-----w C:\Programme\Gemeinsame Dateien\Dienste
2007-10-11 07:20 --------- d-----w C:\Programme\Gemeinsame Dateien\MSSoap
2007-08-22 02:09 352,256 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-22 02:07 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-08-22 02:07 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-08-22 01:59 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-22 01:59 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-08-22 01:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-08-22 01:58 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-08-22 01:57 487,424 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-08-22 01:56 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-08-22 01:48 8,306,688 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-08-22 01:47 3,091,392 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-08-22 01:35 1,586,816 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-08-22 01:21 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-08-22 01:19 266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-08-22 01:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-08-22 01:15 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-08-22 01:11 450,560 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-01_19.27.18.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-14 16:14:07 47,616 ----a-w C:\WINDOWS\system32\drivers\sfdrv01.sys
+ 2004-10-28 10:47:59 6,656 ----a-w C:\WINDOWS\system32\drivers\sfhlp02.sys
+ 2004-12-03 10:20:41 20,544 ----a-w C:\WINDOWS\system32\drivers\sfsync02.sys
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Control Center"="C:\Programme\ASUS\WLAN Card Utilities\Center.exe" [2004-08-13 18:07]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"OSSelectorReinstall"="C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 14:58]
"COMODO Firewall Pro"="C:\Programme\Comodo\Firewall\CPF.exe" [2007-10-11 09:38]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 07:49 C:\WINDOWS\SOUNDMAN.EXE]
"NWEReboot"="" []
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-10-31 17:25]
"BDAgent"="C:\Programme\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"SDTray"="C:\Programme\Spyware Doctor\SDTrayApp.exe" [2007-10-31 18:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^VIA RAID TOOL.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"C:\Programme\SlySoft\AnyDVD\AnyDVD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXCodec]
C:\WINDOWS\windivx32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
"C:\Programme\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Programme\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programme\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Programme\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Programme\Winamp\winampa.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Programme\CyberLink\PowerDVD\000.fcl
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS
S3 W8100XP;Marvell Libertas 802.11b/g SoftAP Driver for Windows XP ;C:\WINDOWS\system32\DRIVERS\mrv8ka51.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2213C244-14B6-3B8A-B210-A5E23F1F343C}]
C:\WINDOWS\system32:svchost16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F05704FA-C2DA-F00E-B900-B724061870F0}]
C:\WINDOWS\system32\svchost.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 18:30:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2007-11-03 18:31:28
.
--- E O F ---

hier ist streams -s -d

Code: Alles auswählenAufklappen

ATTFilter

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


Error opening c:\pagefile.sys:
Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird. 

c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:
   Deleted :DFC5A2B2:$DATA
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
.
         

hier ist streams -s

Code: Alles auswählenAufklappen

ATTFilter

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


Error opening c:\pagefile.sys:
Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird. 
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
...
     
.
         

sry zuviele zeichen, es fängt oben an

hier ist silent runners

Code: Alles auswählenAufklappen

ATTFilter

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Control Center" = "C:\Programme\ASUS\WLAN Card Utilities\Center.exe" ["ASUSTeK COMPUTER INC."]
"StartCCC" = ""C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"" [null data]
"OSSelectorReinstall" = "C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [null data]
"COMODO Firewall Pro" = ""C:\Programme\Comodo\Firewall\CPF.exe" /background" ["COMODO"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"GrooveMonitor" = ""C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NWEReboot" = "(empty string)" [file not found]
"BDMCon" = "C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" ["SOFTWIN S.R.L."]
"BDAgent" = ""C:\Programme\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]
"SDTray" = ""C:\Programme\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com"
  -> {HKLM...CLSID} = "Octh Class"
                   \InProcServer32\(Default) = "C:\Programme\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
  -> {HKLM...CLSID} = "Groove Folder Synchronization"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
  -> {HKLM...CLSID} = "Groove XML Icon Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\KrawallSchachtel\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "KrawallSchachtel" & "All Users" startup folders:
------------------------------------------------------------------

C:\Dokumente und Einstellungen\KrawallSchachtel\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{36ECAF82-3300-8F84-092E-AFF36D6C7040}\
"ButtonText" = "Run WinHTTrack"
"MenuText" = "Launch WinHTTrack"
"CLSIDExtension" = "{86529161-034E-4F8A-88D2-3C625E612E04}"
  -> {HKLM...CLSID} = "WinHTTrackLauncher Class"
                   \InProcServer32\(Default) = "C:\Programme\WinHTTrack\WinHTTrackIEBar.dll" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Adobe LM Service, Adobe LM Service, ""C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
ATI Smart, ATI Smart, "C:\WINDOWS\system32\ati2sgag.exe" [empty string]
BitDefender Communicator, XCOMM, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["SOFTWIN S.R.L"]
BitDefender Desktop Update Service, LIVESRV, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]
BitDefender Scan Server, bdss, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
BitDefender Virus Shield, VSSERV, ""C:\Programme\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]
Comodo Application Agent, CmdAgent, "C:\Programme\Comodo\Firewall\cmdagent.exe" ["COMODO"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Programme\CyberLink\Shared files\RichVideo.exe"" [empty string]
Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Microsoft Office Diagnostics Service, odserv, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE"" [MS]
Microsoft Office Groove Audit Service, Microsoft Office Groove Audit Service, ""C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe"" [MS]
Netzwerkversorgungsdienst, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Office Source Engine, ose, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
PC Tools Auxiliary Service, sdAuxService, "C:\Programme\Spyware Doctor\svcntaux.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Programme\Spyware Doctor\swdsvc.exe" ["PC Tools"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Windows CardSpace, idsvc, ""C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2007-11-03 20:18:08)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 41 seconds, including 9 seconds for message boxes)
         

ich habe alles nochmal gemacht, da ich mit den ganZen txt dateien nen bischen durcheinandergekommen bin...bitte entschuldige.

combofix hat auch welche in die quaratäne gestellt siehe hier:

Code: Alles auswählenAufklappen

ATTFilter

	
Code: 

Alles auswählenAufklappen 
ATTFilter

  
	
2004-08-03 23:58      140800    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\TASKMGR.COM.vir
2004-08-03 23:58      153600    --a------    C:\Qoobox\Quarantine\C\WINDOWS\REGEDIT.COM.vir


Auflistung der Ordnerpfade
Volumenummer: B863-15FD
C:\QOOBOX\QUARANTINE
+---C
|   \---WINDOWS
|       |   REGEDIT.COM.vir
|       |   
|       \---system32
|               TASKMGR.COM.vir
|               
\---Registry_backups
         
 
 

so hier ist Combofix

Code: Alles auswählenAufklappen

ATTFilter

ComboFix 07-11-01.1** - KrawallSchachtel 2007-11-03 20:19:32.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.697 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\KrawallSchachtel\Desktop\virus\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com

.
(((((((((((((((((((((((   Dateien erstellt von 2007-10-03 bis 2007-11-03  ))))))))))))))))))))))))))))))
.

2007-11-02 17:32	86,016	--a------	C:\WINDOWS\unvise32.exe
2007-11-01 19:24	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-01 18:52	<DIR>	d-a------	C:\WINDOWS\zts2.exe
2007-11-01 18:52	<DIR>	d-a------	C:\WINDOWS\system32\vcmgcd32.dll
2007-11-01 18:52	<DIR>	d-a------	C:\WINDOWS\system32\systems.txt
2007-11-01 18:52	<DIR>	d-a------	C:\WINDOWS\system32\iifgfgf.dll
2007-11-01 18:52	<DIR>	d-a------	C:\WINDOWS\rundll16.exe
2007-11-01 18:52	<DIR>	d-a------	C:\WINDOWS\rundl132.dll
2007-11-01 18:52	<DIR>	d-a------	C:\WINDOWS\logo1_.exe
2007-11-01 18:49	153,600	--a------	C:\WINDOWS\R.COM
2007-11-01 18:49	140,800	--a------	C:\WINDOWS\system32\T.COM
2007-11-01 18:46	<DIR>	d--------	C:\Dokumente und Einstellungen\Administrator\Vorlagen
2007-11-01 18:46	<DIR>	dr-------	C:\Dokumente und Einstellungen\Administrator\Startmenü
2007-11-01 18:46	<DIR>	d--h-----	C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2007-11-01 18:46	<DIR>	d--h-----	C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2007-11-01 18:46	<DIR>	d--------	C:\Dokumente und Einstellungen\Administrator\Favoriten
2007-11-01 18:46	<DIR>	d--h-----	C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2007-11-01 18:46	<DIR>	dr-h-----	C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2007-11-01 08:38	87,424	--a------	C:\WINDOWS\system32\streams.exe
2007-10-31 20:46	<DIR>	d--------	C:\Programme\Trend Micro
2007-10-31 19:19	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-10-31 19:19	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2007-10-31 18:44	<DIR>	d--------	C:\Programme\Spyware Doctor
2007-10-31 18:44	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\PC Tools
2007-10-31 18:44	<DIR>	d-a------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2007-10-31 18:44	626,688	--a------	C:\WINDOWS\system32\msvcr80.dll
2007-10-31 18:44	79,688	--a------	C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-31 18:44	62,280	--a------	C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-31 18:44	41,288	--a------	C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-31 18:44	29,000	--a------	C:\WINDOWS\system32\drivers\kcom.sys
2007-10-31 18:19	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2007-10-31 17:32	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avg7
2007-10-31 17:12	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\Bitdefender
2007-10-31 17:11	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\BitDefender
2007-10-31 16:19	<DIR>	d--------	C:\kav
2007-10-31 14:28	<DIR>	d--------	C:\Programme\DivX
2007-10-31 13:24	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\SiteAdvisor
2007-10-31 00:12	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\McAfee
2007-10-30 23:49	<DIR>	d--------	C:\Programme\No23 Recorder
2007-10-30 23:25	81,984	--a------	C:\WINDOWS\system32\bdod.bin
2007-10-30 22:59	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab Setup Files
2007-10-29 21:18	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2007-10-29 21:18	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-29 21:18	15,104	--a--c---	C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-29 21:18	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2007-10-26 16:45	103,736	--a------	C:\WINDOWS\system32\PnkBstrB.exe
2007-10-26 16:45	66,872	--a------	C:\WINDOWS\system32\PnkBstrA.exe
2007-10-26 16:45	22,328	--a------	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-25 17:23	238,080	--a------	C:\WINDOWS\windivx32.exe
2007-10-24 15:15	<DIR>	d--------	C:\Programme\ICQ6
2007-10-24 15:12	1,386,496	--a------	C:\WINDOWS\system\MSVBVM60.DLL
2007-10-24 15:09	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\ICQ
2007-10-21 16:43	<DIR>	d--------	C:\Programme\WinHTTrack
2007-10-20 18:34	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\CyberLink
2007-10-20 16:09	12,288	--a------	C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-20 16:09	12,288	--a--c---	C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-20 16:09	9,600	--a------	C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-20 16:09	9,600	--a--c---	C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-20 11:54	<DIR>	d--------	C:\WINDOWS\system32\LogFiles
2007-10-19 23:59	<DIR>	d--------	C:\Programme\Realtek Sound Manager
2007-10-19 23:59	<DIR>	d--------	C:\Programme\AvRack
2007-10-19 23:59	9,179,648	--a------	C:\WINDOWS\system32\RTLCPL.EXE
2007-10-19 23:59	2,284,864	--a------	C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-10-19 23:59	156,672	--a------	C:\WINDOWS\system32\RTLCPAPI.dll
2007-10-19 23:59	73,728	--a------	C:\WINDOWS\SOUNDMAN.EXE
2007-10-19 23:59	40,448	---------	C:\WINDOWS\system32\ChCfg.exe
2007-10-19 23:58	208,896	---------	C:\WINDOWS\alcupd.exe
2007-10-19 23:58	139,264	---------	C:\WINDOWS\alcrmv.exe
2007-10-19 14:31	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\FileZilla
2007-10-19 10:40	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CyberLink
2007-10-19 10:39	<DIR>	d--------	C:\Programme\CyberLink
2007-10-17 12:14	<DIR>	d--------	C:\WINDOWS\ftpcache
2007-10-17 09:14	<DIR>	d--------	C:\Programme\QuickTime
2007-10-17 09:14	<DIR>	d--------	C:\Programme\Apple Software Update
2007-10-17 09:14	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple Computer
2007-10-17 09:14	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple
2007-10-16 09:16	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe Systems
2007-10-16 09:14	<DIR>	d--------	C:\Programme\Gemeinsame Dateien\Adobe Systems Shared
2007-10-13 15:33	<DIR>	d--------	C:\Programme\MSXML 4.0
2007-10-12 10:34	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MAGIX
2007-10-12 10:34	420,240	--a------	C:\WINDOWS\system32\mpg4c32.dll
2007-10-12 10:34	82,432	--a------	C:\WINDOWS\system32\msxml4r.dll
2007-10-12 10:34	44,544	--a------	C:\WINDOWS\system32\msxml4a.dll
2007-10-12 10:33	<DIR>	d--------	C:\Programme\Gemeinsame Dateien\MAGIX Shared
2007-10-12 09:47	<DIR>	d--------	C:\Programme\VstPlugins
2007-10-12 09:47	225,280	--a------	C:\WINDOWS\system32\rewire.dll
2007-10-12 09:44	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\Thunderbird
2007-10-12 08:51	<DIR>	d--------	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\Steinberg
2007-10-12 08:49	<DIR>	d--------	C:\Programme\Syncrosoft
2007-10-12 08:49	704,512	--a------	C:\WINDOWS\system32\SYNSOACC.dll
2007-10-12 08:49	147,456	--a------	C:\WINDOWS\system32\SynsoLChk.dll
2007-10-12 08:49	45,056	--a------	C:\WINDOWS\system32\Synsopos.exe
2007-10-12 08:49	33,792	--a------	C:\WINDOWS\system32\drivers\cledx.sys
2007-10-12 08:49	16,896	--a------	C:\WINDOWS\system32\drivers\synasUSB.sys
2007-10-11 23:12	<DIR>	d--------	C:\Downloads
2007-10-11 20:08	<DIR>	d--------	C:\WINDOWS\Sun
2007-10-11 20:07	<DIR>	d--------	C:\Programme\Java
2007-10-11 20:07	<DIR>	d--------	C:\Programme\Gemeinsame Dateien\Java
2007-10-11 15:51	25,856	--a------	C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-11 15:51	25,856	--a--c---	C:\WINDOWS\system32\dllcache\usbprint.sys

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 16:41	12,528	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-31 14:31	---------	d--h--w	C:\Programme\InstallShield Installation Information
2007-10-11 13:05	---------	d-----w	C:\Programme\MSBuild
2007-10-11 09:57	685,816	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-10-11 07:59	---------	d-----w	C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\ATI
2007-10-11 07:59	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ATI
2007-10-11 07:57	---------	d-----w	C:\Programme\Gemeinsame Dateien\InstallShield
2007-10-11 07:57	---------	d-----w	C:\Programme\ATI Technologies
2007-10-11 07:49	---------	d-----w	C:\Programme\Reference Assemblies
2007-10-11 07:32	---------	d-----w	C:\Programme\ASUS
2007-10-11 07:29	---------	d-----w	C:\Programme\Marvell
2007-10-11 07:28	---------	d-----w	C:\Programme\VIA
2007-10-11 07:23	---------	d-----w	C:\Programme\microsoft frontpage
2007-10-11 07:22	---------	d-----w	C:\Programme\Online-Dienste
2007-10-11 07:21	---------	d-----w	C:\Programme\Gemeinsame Dateien\Dienste
2007-10-11 07:20	---------	d-----w	C:\Programme\Gemeinsame Dateien\MSSoap
2007-08-22 02:09	352,256	----a-w	C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-22 02:07	307,200	----a-w	C:\WINDOWS\system32\atiiiexx.dll
2007-08-22 02:07	268,800	----a-w	C:\WINDOWS\system32\ati2dvag.dll
2007-08-22 01:59	26,112	----a-w	C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-22 01:59	143,360	----a-w	C:\WINDOWS\system32\atipdlxx.dll
2007-08-22 01:58	43,520	----a-w	C:\WINDOWS\system32\ati2edxx.dll
2007-08-22 01:58	122,880	----a-w	C:\WINDOWS\system32\ati2evxx.dll
2007-08-22 01:57	487,424	----a-w	C:\WINDOWS\system32\ati2evxx.exe
2007-08-22 01:56	53,248	----a-w	C:\WINDOWS\system32\ATIDDC.DLL
2007-08-22 01:48	8,306,688	----a-w	C:\WINDOWS\system32\atioglx2.dll
2007-08-22 01:47	3,091,392	----a-w	C:\WINDOWS\system32\ati3duag.dll
2007-08-22 01:35	1,586,816	----a-w	C:\WINDOWS\system32\ativvaxx.dll
2007-08-22 01:21	5,435,392	----a-w	C:\WINDOWS\system32\atioglxx.dll
2007-08-22 01:19	266,240	----a-w	C:\WINDOWS\system32\atikvmag.dll
2007-08-22 01:17	17,408	----a-w	C:\WINDOWS\system32\atitvo32.dll
2007-08-22 01:15	172,032	----a-w	C:\WINDOWS\system32\atiok3x2.dll
2007-08-22 01:11	450,560	----a-w	C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 19:05	593,920	------w	C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 06:16	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-11-01_19.27.18.37   )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-14 16:14:07	47,616	----a-w	C:\WINDOWS\system32\drivers\sfdrv01.sys
+ 2004-10-28 10:47:59	6,656	----a-w	C:\WINDOWS\system32\drivers\sfhlp02.sys
+ 2004-12-03 10:20:41	20,544	----a-w	C:\WINDOWS\system32\drivers\sfsync02.sys
.
((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Control Center"="C:\Programme\ASUS\WLAN Card Utilities\Center.exe" [2004-08-13 18:07]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"OSSelectorReinstall"="C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 14:58]
"COMODO Firewall Pro"="C:\Programme\Comodo\Firewall\CPF.exe" [2007-10-11 09:38]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 07:49 C:\WINDOWS\SOUNDMAN.EXE]
"NWEReboot"="" []
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-10-31 17:25]
"BDAgent"="C:\Programme\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"SDTray"="C:\Programme\Spyware Doctor\SDTrayApp.exe" [2007-10-31 18:47]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:57]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^VIA RAID TOOL.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"C:\Programme\SlySoft\AnyDVD\AnyDVD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXCodec]
C:\WINDOWS\windivx32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
"C:\Programme\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Programme\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programme\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Programme\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Programme\Winamp\winampa.exe

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Programme\CyberLink\PowerDVD\000.fcl
S2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS
S3 W8100XP;Marvell Libertas 802.11b/g SoftAP Driver for Windows XP ;C:\WINDOWS\system32\DRIVERS\mrv8ka51.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

*Newly Created Service* - SFDRV01
*Newly Created Service* - SFHLP02
*Newly Created Service* - SFSYNC02

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2213C244-14B6-3B8A-B210-A5E23F1F343C}]
C:\WINDOWS\system32:svchost16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F05704FA-C2DA-F00E-B900-B724061870F0}]
C:\WINDOWS\system32\svchost.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 20:20:27
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen 
versteckte Dateien: 0 

**************************************************************************
.
Zeit der Fertigstellung: 2007-11-03 20:20:53
.
	--- E O F ---
         

hier ist escan

Code: Alles auswählenAufklappen

ATTFilter

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
Header 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
find.bat Version 2007.06.16.01 

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: NETWORK 
    
eScan Version: 9.5.1 
Sprache: German 
C:\DOKUME~1\KRAWAL~1\LOKALE~1\Temp\MWAV.LOG
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
Infektionsmeldungen 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
 Object "smitfraud Browser Hijacker" in Dateisystem gefunden! Folgende Maßnahme wurde durchgeführt: Keine Aktion vorgenommen. 
 System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swreg.exe)! Action taken: Keine Aktion vorgenommen. 
 System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swsc.exe)! Action taken: Keine Aktion vorgenommen. 
 System found infected with ezula Spyware/Adware (internet.lnk)! Action taken: Keine Aktion vorgenommen. 
 
 
~~~~~~~~~~~ 
Dateien 
~~~~~~~~~~~ 
~~~~ Infected files 
~~~~~~~~~~~ 
~~~~~~~~~~~ 
~~~~ Tagged files 
~~~~~~~~~~~ 
~~~~~~~~~~~ 
~~~~ Offending files 
~~~~~~~~~~~ 
 Offending file found: C:\WINDOWS\system32\swreg.exe 
 Offending file found: C:\WINDOWS\system32\swsc.exe 
 Offending file found: C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\microsoft\internet explorer\quick launch\internet.lnk 
~~~~~~~~~~~ 
Ordner 
~~~~~~~~~~~ 
 Offending Folder found: C:\Dokumente und Einstellungen\KrawallSchachtel\Anwendungsdaten\icq\bart\1024 
~~~~~~~~~~~ 
Registry 
~~~~~~~~~~~ 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
Diverses 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
~~~~~~~~~~~~~~~~~~~~~~ 
Prozesse und Module 
~~~~~~~~~~~~~~~~~~~~~~ 
~~~~~~~~~~~~~~~~~~~~~~ 
Scanfehler 
~~~~~~~~~~~~~~~~~~~~~~ 
 C:\MSOCache\All Users\{90120000-00A1-0407-0000-0000000FF1CE}-C\OnoteLR.cab nicht gescannt. Wahrscheinlich durch Passwort geschützt... 
~~~~~~~~~~~~~~~~~~~~~~ 
Hosts-Datei 
~~~~~~~~~~~~~~~~~~~~~~ 
DataBasePath: %SystemRoot%\System32\drivers\etc 
Zeilen die nicht dem Standard entsprechen: 
C:\WINDOWS\System32\drivers\etc\hosts :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Statistiken: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
Scan-Optionen 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
 Specherüberprüfung: Aktiviert 
 Registry Überprüfung: Aktiviert 
 System-Ordner Überprüfung: Aktiviert 
 Überprüfung der Systembereiche: Deaktiviert 
 Überprüfung der Dienste: Aktiviert 
 Überprüfung der Festplatten: Deaktiviert 
 Überprüfung aller Festplatten :Aktiviert 
 
Batchstart: 20:17:10,45 
Batchende: 20:17:14,60
         

Wirkliche Schädlingseinträge hab ich da nicht mehr gefunden. Werte aber sicherheitshalber nochmal diese Dateien bei Virustotal aus:

Code: Alles auswählenAufklappen

ATTFilter

C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\drivers\iksyssec.sys
C:\WINDOWS\system32\drivers\iksysflt.sys
C:\WINDOWS\system32\drivers\ikfilesec.sys
C:\WINDOWS\system32\drivers\kcom.sys
C:\WINDOWS\system32\ptpusd.dll
C:\WINDOWS\system32\ptpusb.dll
         

Die Dateien, die combofix verschoben hat, sind umbenannte Kopien von taskmgr.exe (Executable zum Taskmanager) und regedit.exe (Executable zum Registrierungseditor). MWAV/eScan erstellt diese Kopien, warum und was das genau bringen soll ist mir schleierhaft. Eine Idee wäre es, Schädlingen die sich genau so benannt haben, auf die Schliche zu kommen. Denn wenn Dateien/Ordner mit dem gleichen Namen schon da sind, kann man nicht noch ein Objekt mit dem gleichen Namen ins gleiche Verzeichnis erstellen...

oke, hab ich gemacht und nirgendwo wurde ein schädling gefunden, vielen dank, für die schnelle hilfe

hier ist nochmal mein jetziger hijackthislog zum drübersehen

Code: Alles auswählenAufklappen

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:54:12, on 05.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programme\CyberLink\Shared files\RichVideo.exe
C:\Programme\Spyware Doctor\svcntaux.exe
C:\Programme\Spyware Doctor\swdsvc.exe
C:\Programme\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
C:\Programme\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\ASUS\WLAN Card Utilities\Center.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Comodo\Firewall\CPF.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Programme\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://google.daemonsearch.com/de/ý
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Control Center] C:\Programme\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programme\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Programme\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Programme\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programme\Comodo\Firewall\cmdagent.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\swdsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Programme\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7822 bytes