Log analysis and evaluation: Request for logfile evaluation (Windows 7)

If you have picked up a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To be able to remove viruses and Trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
Post #1 by /// Winkelfunktion /// TB-Süch-Tiger™

Anyway, it doesn't matter; from your description this sounds very much like Zlob, possibly it could also be a Vundo. Have these files analysed at VirusTotal and post the results incl. md5/sha1:

C:\WINDOWS\drnpfdxsfn.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\altvxvm.dll

Follow my signature and click on the tools linked there, observe the instructions and post the logs:

1.) Blacklight
2.) Silentrunners
3.) combofix

__________________
Please always post logfiles in CODE tags
Post #2

But first of all, many thanks for taking on my problem!

The first step, the analysis of the 3 files at VirusTotal, gave these results:

C:\WINDOWS\drnpfdxsfn.dll
File size: 221184 bytes
MD5: adb79e48ca57a904d2070740fadd0138
SHA1: 27a6f78e3344b076fba1c5fcd28e1fa1074ce62c
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=92F4B65000855DED605D034BCD13EC008075D15A

C:\WINDOWS\bokpkov.dll
File size: 221184 bytes
MD5: 98cf33b8630acfa30c9fe975a6956cb2
SHA1: 35a5b679f72678a6b6ab9bddb28d187eb2c67e92
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E37CBFFE00864886605D03473AE7BF00BA42F05F

C:\WINDOWS\altvxvm.dll
File size: 241664 bytes
MD5: 040e636bfb25bdad86c39ba0ecfeb749
SHA1: 7c8a37129bf777bcbbde8280a3f79b2b6418370a
PEiD: -

I was also shown which scanners produced which results. Should I post that as well?

Next I will let the three tools you named run and put the results in the next post.

Many thanks for your help!
Post #3

Silent Runners result, first half (I had to shorten the text):
"Silent Runners.vbs", revision 56, h**p://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\wcescomm.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"SystemTray" = "SysTray.Exe" [MS]
"BDMCon" = ""C:\Programme\Softwin\BitDefender10\bdmcon.exe" /reg" ["SOFTWIN S.R.L."]
"BDAgent" = ""C:\Programme\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]
"TrueImageMonitor.exe" = "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"PhraseExpress" = "C:\Programme\PhraseExpress\PhraseExpress.exe" ["Bartels Media"]
"Spamihilator" = ""C:\Programme\Spamihilator\spamihilator.exe"" ["Michel Krämer"]
"AVMFBoxMonitor" = ""C:\Programme\FRITZ!Box Monitor\FRITZBoxMonitor.exe"" ["AVM Berlin"]
"SetDefPrt" = "C:\Programme\Brother\Brmfl04b\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\(Default) = "NetMeeting 3.01" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.NT" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided) -> {HKLM...CLSID} = "HelperObject Class" \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {0B660087-931C-4056-A04F-0423890E40B6}\(Default) = (no title provided) -> {HKLM...CLSID} = "PreispiratenSearchURL" \InProcServer32\(Default) = "C:\Programme\Preispiraten\Preispiraten2\PPSearchURL.dll" [null data] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {6D7990CB-1D01-4554-9EED-75BDC6406FC2}\(Default) = (no title provided) -> {HKLM...CLSID} = "GNX Rolex" \InProcServer32\(Default) = "C:\WINDOWS\drnpfdxsfn.dll" [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] {84B94901-3645-4D80-A6B7-4D0050B19455}\(Default) = (no title provided) -> {HKLM...CLSID} = "metaspinner media GmbH" \InProcServer32\(Default) = "C:\Programme\Preispiraten\Preispiraten2\IEButtonAmazonInterface.dll" [null data] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Germany GmbH"] {AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe 
Systems Incorporated"] {CD9B7762-DFBC-42B1-BB30-02A78287B456}\(Default) = (no title provided) -> {HKLM...CLSID} = "metaspinner media GmbH" \InProcServer32\(Default) = "C:\Programme\Preispiraten\Preispiraten2\IEButtonEBayInterface.dll" [null data] {D3AA56A9-8137-4950-A6F9-D0190A82AF2A}\(Default) = (no title provided) -> {HKLM...CLSID} = "metaspinner media GmbH" \InProcServer32\(Default) = "C:\Programme\Preispiraten\Preispiraten2\IEButtonPPInterface.dll" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for 
Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP10\WZSHLSTB.DLL" ["WinZip Computing LP"] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP10\WZSHLSTB.DLL" ["WinZip Computing LP"] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP10\WZSHLSTB.DLL" ["WinZip Computing LP"] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP10\WZSHLSTB.DLL" ["WinZip Computing LP"] "{DB83BC37-4AC3-49D9-B397-2E46D166B6D0}" = "Quick Uninstall Start Menu Extension" -> {HKLM...CLSID} = "Quick Uninstall Start Menu Extension" \InProcServer32\(Default) = "C:\Programme\Tidy Start Menu\qUninstall.dll" ["SprigSoft"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt" -> {HKLM...CLSID} = "SnagIt" \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"] "{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension" -> {HKLM...CLSID} = "SnagItShellExt Class" \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"] "{55D1FC7D-474E-4154-96D0-472EBBD2E835}" = "PdfGrabber Context Menu Shell Extension" -> {HKLM...CLSID} = "PdfGrabber 
Context Menu Shell Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\PdfGrabberShellExt.dll" [null data] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension" -> {HKLM...CLSID} = "SimpleShlExt Class" \InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string] "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler" -> {HKLM...CLSID} = "NeroDigitalIconHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler" -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Programme\Unlocker\UnlockerCOM.dll" [null data] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = 
"C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] "{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension" -> {HKLM...CLSID} = "TuneUp Theme Extension" \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] "{FCF608CF-5716-47C3-A1A8-991D873AF72B}" = "Delphi Context Menu Shell Extension Example" -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example" \InProcServer32\(Default) = "C:\Programme\Exifer\exifershellext.dll" [null data] "{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension" -> {HKLM...CLSID} = "Eraser Shell Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"] "{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell" -> {HKLM...CLSID} = "Studio.Project" \InProcServer32\(Default) = "C:\Programme\Pinnacle\Studio 11\programs\BlueShellExt.dll" [null data] "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension" -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension" \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"] "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons" -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class" \InProcServer32\(Default) = "C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] "{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device" -> {HKLM...CLSID} = "Mobiles Gerät" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Wcesview.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ 
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] "bokpkov" = "{194AF025-DCD4-4E61-8BF8-9DC93EC69984}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\bokpkov.dll" [null data] "SrvDrv" = "{baa8c74c-43b5-453b-ab33-285fa8b45603}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\Installer\{baa8c74c-43b5-453b-ab33-285fa8b45603}\SrvDrv.dll" [null data] "altvxvm" = "{7AFEBDF1-56F8-4CCB-89BD-51D303E0A5A1}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\altvxvm.dll" [null data] HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ <<!>> "Authentication Packages" = "msv1_0"|"relog_ap" HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler" -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = 
"Acrobat Elements Context Menu" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}" -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class" \InProcServer32\(Default) = "C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {HKLM...CLSID} = "Eraser Shell Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"] GPGee\(Default) = "{A0820A59-3343-450B-A902-B481029CD9E8}" -> {HKLM...CLSID} = "GNU Privacy Guard Explorer Extension" \InProcServer32\(Default) = "C:\Programme\GNU\GnuPG\GPGee.dll" ["Kurt Fitzner <kfitzner@excelcia.org>"] PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}" -> {HKLM...CLSID} = "SnagItShellExt Class" \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"] TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension" \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"] UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\UltraEdit\ue32ctmn.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = 
"C:\Programme\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP10\WZSHLSTB.DLL" ["WinZip Computing LP"] WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}" -> {HKLM...CLSID} = "RtClkCtxMenu Class" \InProcServer32\(Default) = "C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ GPGee\(Default) = "{A0820A59-3343-450B-A902-B481029CD9E8}" -> {HKLM...CLSID} = "GNU Privacy Guard Explorer Extension" \InProcServer32\(Default) = "C:\Programme\GNU\GnuPG\GPGee.dll" ["Kurt Fitzner <kfitzner@excelcia.org>"] PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}" -> {HKLM...CLSID} = "SnagItShellExt Class" \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"] TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension" \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP10\WZSHLSTB.DLL" ["WinZip Computing LP"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 
8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] ContMenu\(Default) = "{FCF608CF-5716-47C3-A1A8-991D873AF72B}" -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example" \InProcServer32\(Default) = "C:\Programme\Exifer\exifershellext.dll" [null data] Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}" -> {HKLM...CLSID} = "Eraser Shell Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"] PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Programme\Unlocker\UnlockerCOM.dll" [null data] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP10\WZSHLSTB.DLL" ["WinZip Computing LP"] WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}" -> {HKLM...CLSID} = "RtClkCtxMenu Class" \InProcServer32\(Default) = "C:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 
10 Maguire Road - Suite 220 Lexington, MA 02421"] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Programme\Unlocker\UnlockerCOM.dll" [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoActiveDesktop" = (REG_BINARY) hex:00 00 00 00 {Disable Active Desktop} "NoSaveSettings" = (REG_DWORD) dword:0x00000000 {Don't save settings at exit} "ClearRecentDocsOnExit" = (REG_BINARY) hex:00 00 00 00 {unrecognized setting} "NoRecentDocsMenu" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableTaskMgr" = (REG_DWORD) dword:0x00000001 {Remove Task Manager} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} "NoInternetOpenWith" = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = (value not set) Startup items in "vorinstall" & "All Users" startup folders: ------------------------------------------------------------ C:\Dokumente und Einstellungen\vorinstall\Startmenü\Programme\Autostart "GPGrelay" -> shortcut to: "C:\Programme\GPGrelay\GPGrelay.exe" [".tSCc. 
- h**p://tscc.atari.org"]
"HotSync Manager" -> shortcut to: "C:\Programme\Sony Handheld\HOTSYNC.EXE" ["Palm, Inc."]
"SonyPDA USB Switcher" -> shortcut to: "C:\Programme\Sony Handheld\USBSwt.exe" ["Sony Corporation"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Firefox Preloader" -> shortcut to: "C:\Programme\FirefoxPreloader\FirefoxPreloader.exe" ["6XGate Incorporated"]
"Status Monitor" -> shortcut to: "C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe Brother MFC-5440CN /STARTUP" ["Brother Industries, Ltd."]
Post #4

Silent Runners, part 2:

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2008\OneClick.exe /schedulestart" ["TuneUp Software GmbH"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Germany GmbH"]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}" -> {HKLM...CLSID} = "&Links" \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{6D685611-B7A8-4B4C-A161-346390B5189C}" -> {HKLM...CLSID} = "Zonelink iClip Recorder" \InProcServer32\(Default) = "C:\PROGRA~1\zoneLINK\ICLIPR~1\ICLIPI~1.DLL" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided) -> {HKLM...CLSID} = "SnagIt" \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith 
Corporation"] "{982E186D-7E13-45AC-9789-50B535246E28}" = "FBFBar" -> {HKLM...CLSID} = "FBFBar" \InProcServer32\(Default) = "C:\Programme\FRITZ!Box Monitor\fbfbar.dll" ["AVM Berlin"] "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Germany GmbH"] "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] "{6D685611-B7A8-4B4C-A161-346390B5189C}" = (no title provided) -> {HKLM...CLSID} = "Zonelink iClip Recorder" \InProcServer32\(Default) = "C:\PROGRA~1\zoneLINK\ICLIPR~1\ICLIPI~1.DLL" [null data] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Recherchieren" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ {182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {2638A03E-1669-43BE-8119-B47087629A7F}\ "ButtonText" = "Preispiraten 2.5" "Exec" = "C:\Programme\Preispiraten\Preispiraten2\preispiraten2ie.exe" 
[null data]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Adobe Active File Monitor V6, AdobeActiveFileMonitor6.0, "C:\Programme\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe" [null data]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BitDefender Communicator, XCOMM, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Desktop Update Service, LIVESRV, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]
BitDefender Scan Server, bdss, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
BitDefender Virus Shield, VSSERV, ""C:\Programme\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]
Brother Popup Suspend service for Resource manager, brmfrmps, ""C:\WINDOWS\system32\Brmfrmps.exe" -service " ["Brother Industries, Ltd."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
CHIPDRIVE SCARD Service, TWKSCARDSRV, "C:\WINDOWS\SCARDS32.EXE" ["SCM Microsystems"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Programme\CyberLink\Shared Files\RichVideo.exe"" [empty string]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]
StarWind iSCSI Service, StarWindService, "C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
FRITZ!fax Color Port Monitor\Driver = "FritzColorPort.dll" ["AVM Berlin GmbH"]
FRITZ!fax Port Monitor\Driver = "FritzPort.dll" ["AVM Berlin GmbH"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]
Redirected Port\Driver = "redmonnt.dll" [null data]
VSP1:\Driver = "vsmon1.dll" [null data]

---------- (launch time: 2008-03-17 23:43:03)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 162 seconds,
            including 18 seconds for message boxes)
#5

Blacklight says: Scan complete, no hidden items found.
The ComboFix result follows.
#6

The Combofix logfile says:

ComboFix 08-03-17.1 - vorinstall 2008-03-18 0:42:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.1479 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\vorinstall\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Dokumente und Einstellungen\vorinstall\Desktop\Error Cleaner.url
C:\Dokumente und Einstellungen\vorinstall\Desktop\Privacy Protector.url
C:\Dokumente und Einstellungen\vorinstall\Desktop\Spyware&Malware Protection.url
C:\Dokumente und Einstellungen\vorinstall\Favoriten\Error Cleaner.url
C:\Dokumente und Einstellungen\vorinstall\Favoriten\Privacy Protector.url
C:\Dokumente und Einstellungen\vorinstall\Favoriten\Spyware&Malware Protection.url
.
---- Previous Run -------
.
C:\Dokumente und Einstellungen\vorinstall\Desktop\Error Cleaner.url
C:\Dokumente und Einstellungen\vorinstall\Desktop\Privacy Protector.url
C:\Dokumente und Einstellungen\vorinstall\Desktop\Spyware&Malware Protection.url
C:\Dokumente und Einstellungen\vorinstall\Favoriten\Error Cleaner.url
C:\Dokumente und Einstellungen\vorinstall\Favoriten\Privacy Protector.url
C:\Dokumente und Einstellungen\vorinstall\Favoriten\Spyware&Malware Protection.url
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com
.
((((((((((((((((((((((( Dateien erstellt von 2008-02-17 bis 2008-03-17 ))))))))))))))))))))))))))))))
.
2008-03-17 16:52 . 2008-03-17 18:37 <DIR> d-------- C:\Programme\HijckThis
2008-03-17 07:34 . 2008-03-17 07:34 16,520 -r-hs---- C:\Programme\tmp1.exe
2008-03-17 00:12 . 2008-03-17 00:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-17 00:12 . 2008-03-17 00:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-16 23:34 . 2008-03-16 23:34 16,520 -r-hs---- C:\Programme\tmp0.exe
2008-03-16 23:33 . 2008-03-16 16:35 241,664 --a------ C:\WINDOWS\altvxvm.dll
2008-03-16 23:33 . 2008-03-16 16:35 221,184 --a------ C:\WINDOWS\drnpfdxsfn.dll
2008-03-16 23:33 . 2008-03-16 16:35 221,184 --a------ C:\WINDOWS\bokpkov.dll
2008-03-16 23:33 . 2008-03-16 16:35 176,128 --a------ C:\WINDOWS\etlrlws.dll
2008-03-16 23:33 . 2008-03-16 16:35 98,304 --a------ C:\WINDOWS\fmsxwqs.exe
2008-03-16 23:33 . 2008-03-16 23:33 21,644 --a------ C:\Programme\antiviirus.exe
2008-03-16 18:15 . 2008-03-16 18:15 <DIR> d-------- C:\Programme\SBSH
2008-03-15 21:50 . 2008-03-16 01:30 891 --a------ C:\WINDOWS\Edit.000
2008-03-15 09:41 . 2008-03-15 09:41 <DIR> d-------- C:\Programme\FlexMail
2008-03-15 00:12 . 2008-03-15 00:12 <DIR> d-------- C:\Programme\PocketTune
2008-03-13 18:39 . 2008-03-13 18:39 <DIR> d-------- C:\Programme\Windows Mobile-Ressourcen
2008-03-13 14:07 . 2008-03-13 14:07 <DIR> d-------- C:\WINDOWS\ASTULogTemp
2008-03-13 14:07 . 2008-03-13 14:07 71,097 --a------ C:\WINDOWS\system32\ASTULog.cab
2008-03-13 14:07 . 2008-03-13 14:07 1,050 --a------ C:\WINDOWS\system32\setup.inf
2008-03-13 14:07 . 2008-03-13 14:07 283 --a------ C:\WINDOWS\system32\setup.rpt
2008-03-12 14:53 . 2008-03-12 14:49 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-12 14:53 . 2008-03-12 14:53 2,551 --a------ C:\WINDOWS\unins000.dat
2008-03-03 19:27 . 2008-03-03 19:27 <DIR> d-------- C:\WINDOWS\Agenda Fusion for Pocket PC
2008-03-03 19:27 . 2008-03-03 19:27 <DIR> d-------- C:\Programme\Agenda Fusion for Pocket PC
2008-02-29 23:42 . 2008-02-29 23:42 <DIR> d-------- C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\Nero
2008-02-29 23:42 . 2008-02-29 23:42 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LightScribe
2008-02-29 23:41 . 2008-02-29 23:41 <DIR> d-------- C:\Programme\Gemeinsame Dateien\LightScribe
2008-02-29 23:33 . 2008-02-29 23:35 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Nero
2008-02-29 23:33 . 2008-02-29 23:33 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero
2008-02-28 18:26 . 2005-10-21 02:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-02-28 18:26 . 2005-10-21 02:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-02-28 18:25 . 2008-03-16 18:09 <DIR> d-------- C:\Programme\Microsoft ActiveSync
2008-02-28 10:08 . 2008-02-28 10:08 90,112 --a------ C:\WINDOWS\system32\MBLINK.OCX
2008-02-28 10:07 . 2008-02-28 10:07 <DIR> d-------- C:\Programme\Net Concept 24
2008-02-21 23:50 . 2008-02-21 23:50 65 --a------ C:\WINDOWS\EasyCash.ini
2008-02-21 23:28 . 2008-02-21 23:50 179 --a------ C:\WINDOWS\EasyCT.INI
2008-02-21 23:25 . 2008-02-21 23:50 <DIR> d-------- C:\Programme\EasyCash&Tax
2008-02-18 08:25 . 2008-02-18 08:25 <DIR> d-------- C:\Programme\SIW
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 23:51 --------- d-----w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\GPGrelay
2008-03-17 22:40 --------- d-----w C:\Programme\The Bat!
2008-03-17 22:37 --------- d-----w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\Spamihilator
2008-03-17 22:01 --------- d-----w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\The Bat!
2008-03-12 14:39 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-03-12 13:56 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-03-11 23:27 --------- d-----w C:\Programme\StarMoney 6.0
2008-02-29 22:33 --------- d-----w C:\Programme\Nero
2008-02-29 18:24 --------- d-----w C:\Programme\Gemeinsame Dateien\Ahead
2008-02-29 16:33 --------- d-----w C:\Programme\DHTML Menu Builder
2008-02-27 17:23 --------- d-----w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\PhraseExpress
2008-02-27 17:18 --------- d-----w C:\Programme\PhraseExpress
2008-02-27 17:15 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PhraseExpress
2008-02-22 08:16 --------- d-----w C:\Programme\Gothic III
2008-02-22 08:15 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-02-16 07:44 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-02-15 21:02 --------- d-----w C:\Programme\TuneUp Utilities 2008
2008-02-15 07:26 --------- d-----w C:\Programme\FRITZ!Box Monitor
2008-02-12 16:10 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Pinnacle Studio
2008-02-12 16:09 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Pinnacle
2008-02-12 16:06 --------- d-----w C:\Programme\Pinnacle
2008-02-12 15:55 --------- d-----w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\InstallShield
2008-02-12 15:48 --------- d-----w C:\Programme\DivX
2008-02-12 15:23 --------- d-----w C:\Programme\SmartSound Software
2008-02-12 15:23 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SmartSound Software Inc
2008-02-12 11:05 --------- d-----w C:\Programme\Tweak-XP Pro 4
2008-02-12 07:33 --------- d-----w C:\Programme\Tools&More
2008-02-10 07:47 --------- d-----w C:\Programme\ISCLIE
2008-01-27 14:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ulead Systems
2008-01-27 14:25 --------- d-----w C:\Programme\Ulead Systems
2008-01-27 14:25 --------- d-----w C:\Programme\Gemeinsame Dateien\Ulead Systems
2008-01-25 16:44 --------- d-----w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\Canon
2008-01-23 17:17 --------- d-----w C:\Programme\Acoustica MP3 CD Burner
2008-01-23 17:01 --------- d-----w C:\Programme\audiograbber
2008-01-22 13:22 --------- d-----w C:\Programme\40tude Dialog
2008-01-19 16:10 --------- d-----w C:\Programme\eBay
2008-01-17 14:14 --------- d-----w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\Sibelius Software
2008-01-17 13:54 --------- d-----w C:\Programme\Sibelius Software
2007-11-30 23:25 30 -c--a-w C:\Programme\Exiferupdate.ini
2007-04-09 19:49 130 ----a-w C:\Dokumente und Einstellungen\All Users\pcwCleaner.REG
2006-11-02 14:29 111,616 ----a-w C:\Dokumente und Einstellungen\vorinstall\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2006-08-03 10:23 457 ----a-w C:\Programme\INSTALL.LOG
2006-06-20 08:40 604 ---ha-w C:\Programme\STLL Notifier
2004-09-28 01:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
2001-11-23 20:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\audio3d.dll
2007-09-28 16:57 6,275,816 ----a-w C:\Programme\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-09-28 16:57 6,275,816 ----a-w C:\Programme\opera\program\plugins\ScorchPDFWrapper.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B660087-931C-4056-A04F-0423890E40B6}]
2005-03-18 11:18 129536 --a------ C:\Programme\Preispiraten\Preispiraten2\PPSearchURL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7990CB-1D01-4554-9EED-75BDC6406FC2}]
2008-03-16 16:35 221184 --a------ C:\WINDOWS\drnpfdxsfn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6D685611-B7A8-4B4C-A161-346390B5189C}"= "C:\PROGRA~1\zoneLINK\ICLIPR~1\ICLIPI~1.DLL" [2007-12-10 13:04 911360]
[HKEY_CLASSES_ROOT\clsid\{6d685611-b7a8-4b4c-a161-346390b5189c}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6D685611-B7A8-4B4C-A161-346390B5189C}"= C:\PROGRA~1\zoneLINK\ICLIPR~1\ICLIPI~1.DLL [2007-12-10 13:04 911360]
[HKEY_CLASSES_ROOT\clsid\{6d685611-b7a8-4b4c-a161-346390b5189c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:50 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 14:49 7286784]
"SystemTray"="SysTray.Exe" [2004-08-04 13:00 3072 C:\WINDOWS\system32\systray.exe]
"BDMCon"="C:\Programme\Softwin\BitDefender10\bdmcon.exe" [2007-04-17 12:51 290816]
"BDAgent"="C:\Programme\Softwin\BitDefender10\bdagent.exe" [2007-03-29 13:15 69632]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30 45632]
"TrueImageMonitor.exe"="C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-16 16:05 1009806]
"Acronis Scheduler2 Service"="C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2005-11-16 16:05 118784]
"PhraseExpress"="C:\Programme\PhraseExpress\PhraseExpress.exe" [2008-01-29 18:47 2550888]
"Spamihilator"="C:\Programme\Spamihilator\spamihilator.exe" [2007-08-17 16:24 716800]
"AVMFBoxMonitor"="C:\Programme\FRITZ!Box Monitor\FRITZBoxMonitor.exe" [2007-05-08 02:00 1482752]
"SetDefPrt"="C:\Programme\Brother\Brmfl04b\BrStDvPt.exe" [2004-05-25 09:16 49152]
"ControlCenter2.0"="C:\Programme\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 09:34 851968]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-10-30 19:30 23552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bokpkov"= {194AF025-DCD4-4E61-8BF8-9DC93EC69984} - C:\WINDOWS\bokpkov.dll [2008-03-16 16:35 221184]
"SrvDrv"= {baa8c74c-43b5-453b-ab33-285fa8b45603} - C:\WINDOWS\Installer\{baa8c74c-43b5-453b-ab33-285fa8b45603}\SrvDrv.dll [2008-03-16 23:33 18670]
"altvxvm"= {AAAA97F1-6629-4E11-BF49-D50A11462F8C} - C:\WINDOWS\altvxvm.dll [2008-03-16 16:35 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^ISDNWatch.lnk]

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^NkvMon.exe.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Picture Package Menu.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Picture Package VCD Maker.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^vorinstall^Startmenü^Programme^Autostart^FAXRX.lnk]
path=C:\Dokumente und Einstellungen\vorinstall\Startmenü\Programme\Autostart\FAXRX.lnk
backup=C:\WINDOWS\pss\FAXRX.lnkStartup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^vorinstall^Startmenü^Programme^Autostart^PhraseExpress.lnk]
path=C:\Dokumente und Einstellungen\vorinstall\Startmenü\Programme\Autostart\PhraseExpress.lnk
backup=C:\WINDOWS\pss\PhraseExpress.lnkStartup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^vorinstall^Startmenü^Programme^Autostart^Windows Privacy Tray.lnk]
path=C:\Dokumente und Einstellungen\vorinstall\Startmenü\Programme\Autostart\Windows Privacy Tray.lnk
backup=C:\WINDOWS\pss\Windows Privacy Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Programme\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-06-11 23:57 2321600 C:\Programme\Gemeinsame Dateien\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2006-06-19 13:51 233512 C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVMFBoxMonitor]
--a------ 2007-05-08 02:00 1482752 C:\Programme\FRITZ!Box Monitor\FRITZBoxMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Echo Control]
--a------ 2001-12-05 16:47 147456 C:\Programme\PCI Audio Applications\Bin\EchoCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a--c--- 2002-01-29 01:16 1228800 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2005-05-19 14:47 57344 C:\Programme\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2007-10-30 19:30 23552 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2007-07-28 22:05 277328 C:\Programme\Eraser\eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
--------- 2006-11-22 21:10 151552 C:\Programme\CyberLink\PCM4Everio\EverioService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Foxmail-Hotmail Proxy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDF Assistant]
--a------ 2007-06-26 19:27 312320 C:\Programme\FreePDF_XP\fpassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:50 1289000 C:\PROGRA~1\MICROS~4\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-03-09 15:15 40960 C:\Programme\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\klickIdentPP.exe]
C:\Programme\klickIdent Herbst 2005\klickIdentPP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Performance Center]
--a------ 2007-05-31 16:17 3039232 C:\Programme\Ascentive\Performance Center\ApcMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhonostarTimer]
--a------ 2007-06-18 15:59 126976 C:\Programme\phonostar\ps_timer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programme\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
C:\Programme\Desktop Sidebar\dsidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TypingSatellite]
--a------ 2005-01-11 09:47 761856 C:\Programme\TypingMaster\KBOOST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualDesktop]
--a------ 2004-09-28 02:00 70144 C:\Programme\Tweak-XP Pro 4\virtuald.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vspdfprsrv.exe]
--a------ 2006-05-04 05:58 998912 C:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XSubst]
--a------ 2007-07-07 13:21 245760 C:\Programme\XSubst\XSubst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yodm3D]
--a------ 2007-03-22 16:27 1818624 E:\Downloads\Yod'm3D\yodm3D\Yodm3D.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SSBkgdUpdate"="C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Sony Handheld\\HOTSYNC.EXE"=
"C:\\Programme\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"C:\\Programme\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Media Player Classic\\mplayerc.exe"=
"E:\\Downloads\\Adobe Acrobat Reader\\utorrent.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\Programme\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"C:\\Programme\\CyberLink\\PCM4Everio\\EverioService.exe"=
"C:\\Programme\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"C:\\Programme\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"C:\\Programme\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"C:\\Programme\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Programme\\PhraseExpress\\PhraseExpress.exe"=
"C:\Programme\Microsoft ActiveSync\rapimgr.exe"= C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Programme\Microsoft ActiveSync\wcescomm.exe"= C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Programme\Microsoft ActiveSync\WCESMgr.exe"= C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Programme\Gemeinsame Dateien\LightScribe\LSRunOnce.exe"
.
Inhalt des "geplante Tasks" Ordners
"2008-03-14 16:51:41 C:\WINDOWS\Tasks\1-Klick-Wartung.job" - C:\Programme\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 00:50:43
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\bokpkov.dll
-> C:\WINDOWS\altvxvm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\SCARDS32.EXE
C:\Programme\Tools&More\WinExit-Pro\winexit.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Update Service\livesrv.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\FirefoxPreloader\FirefoxPreloader.exe
C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Programme\GPGrelay\GPGrelay.exe
C:\Programme\Sony Handheld\HOTSYNC.EXE
C:\Programme\Sony Handheld\USBSwt.exe
C:\Programme\Softwin\BitDefender10\vsserv.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-03-18 0:59:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 23:59:46
.
2008-03-12 08:47:08 --- E O F ---

############################################

Can you really make anything of all this information? Probably yes, since you will know what to look for. Many thanks in advance for your help!
#7

Hello

Information
delete antiviirus.exe / tmp0.exe
------------------------------------------------------------------------------------------
temporarily disable Search & Destroy\TeaTimer.exe

1. Copy the following text into Notepad (Start - Accessories - Notepad) and save it as cfscript.txt on the Desktop using 'Save as'. Select "All files" - Save

Code:
KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7990CB-1D01-4554-9EED-75BDC6406FC2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bokpkov"=-
"SrvDrv"=-
"altvxvm"=-

File::
C:\Programme\tmp1.exe
C:\Programme\tmp0.exe
C:\WINDOWS\altvxvm.dll
C:\WINDOWS\drnpfdxsfn.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\etlrlws.dll
C:\WINDOWS\fmsxwqs.exe
C:\Programme\antiviirus.exe

Folder::
C:\WINDOWS\Installer\{baa8c74c-43b5-453b-ab33-285fa8b45603}

Drag cfscript.txt with the right mouse button onto the Combofix icon
then: run Combofix once more
restart the PC
post the new Combofix log here for checking
---------------
2. apply sdfix (only works in Safe Mode)
SDFix
post the report here

3. scan, let everything that is found be removed + post the report
Malwarebytes Anti-Malware

__________________
Kind regards, Sabina

Last edited by Sabina (18.03.2008 at 11:52)
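The CFScript above targets exactly the entries that stand out in the ComboFix autostart section of post #6. As an added example (not code from the thread, the forum or ComboFix), the Python script below applies that reading to ComboFix-style log lines: DLLs sitting directly in the Windows directory with random-looking names, several flagged files created in the same minute, a populated AppInit_DLLs value, and a disabled firewall. The sample lines are constructed from the posted log; the name and directory heuristics are assumptions for triage, not detection signatures.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a condensed copy of the autostart section in the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B660087-931C-4056-A04F-0423890E40B6}]
2005-03-18 11:18 129536 --a------ C:\Programme\Preispiraten\Preispiraten2\PPSearchURL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D7990CB-1D01-4554-9EED-75BDC6406FC2}]
2008-03-16 16:35 221184 --a------ C:\WINDOWS\drnpfdxsfn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="C:\Programme\Softwin\BitDefender10\bdagent.exe" [2007-03-29 13:15 69632]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30 45632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bokpkov"= {194AF025-DCD4-4E61-8BF8-9DC93EC69984} - C:\WINDOWS\bokpkov.dll [2008-03-16 16:35 221184]
"altvxvm"= {AAAA97F1-6629-4E11-BF49-D50A11462F8C} - C:\WINDOWS\altvxvm.dll [2008-03-16 16:35 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}")


@dataclass
class Finding:
    key: str                 # registry key the entry lives under
    path: str                # file the entry launches, or the raw value
    stamp: str = ""          # creation time ComboFix printed for the file
    reasons: list[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption, not a signature): a run of five or more consonants,
    as in drnpfdxsfn or altvxvm, is typical for generated dropper names."""
    if not stem.isalpha():
        return False
    runs = re.findall(r"[^aeiouy]+", stem.lower())
    return max((len(r) for r in runs), default=0) >= 5


def in_windows_root(path: str) -> bool:
    """True for a file directly under the Windows directory (not system32),
    where legitimate components almost never live."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows"


def analyze(log: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        name, _, value = line.partition("=")
        if name == '"AppInit_DLLs"' and value.strip():
            findings.append(Finding(key, value.strip(), "",
                                    ["AppInit_DLLs loads this DLL into every process that uses user32.dll"]))
            continue
        if name == '"EnableFirewall"' and "0 (0x0)" in value:
            findings.append(Finding(key, "EnableFirewall=0", "", ["Windows Firewall is disabled"]))
            continue
        p = PATH_RE.search(line)
        if not p:
            continue
        path = p.group(0)
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if in_windows_root(path):
            reasons.append("binary dropped directly into %WINDIR%")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if not reasons:
            continue
        if "ShellServiceObjectDelayLoad" in key or "Browser Helper Objects" in key:
            reasons.append("shell/IE load point: runs inside explorer.exe or iexplore.exe, no own process")
        s = STAMP_RE.search(line)
        findings.append(Finding(key, path, s.group(0) if s else "", reasons))
    # Flagged files sharing one creation minute were almost certainly dropped together.
    by_stamp: dict[str, list[Finding]] = {}
    for f in findings:
        by_stamp.setdefault(f.stamp, []).append(f)
    for stamp, group in by_stamp.items():
        if stamp and len(group) > 1:
            for f in group:
                f.reasons.append(f"created {stamp}, same minute as {len(group) - 1} other flagged file(s)")
    return findings
```

analyze(SAMPLE_LOG) returns five findings: the three DLLs in C:\WINDOWS (each also marked as created in the same minute), the AppInit_DLLs value and the firewall setting. Feed it the autostart section of a real ComboFix log to triage it the same way.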