Hupigon13, Win32.Delf.uv - Antivir und Hijackthis gehen nicht

phaos · 27.05.2009, 14:23

Hallo zusammen,

ich habe folgendes Problem: Spybot findet auf meinem Rechner einige Trojaner-Dateien (Hupigon13, Win32.Delf.uv etc) (Das Log von Spybot ist unten angehängt). Antivir lässt sich nicht mehr starten, ebenso wenig Hijackthis.
Mein System: Windows XP SP3.
Wie kann ich vorgehen?
Vielen Dank

Log von Spybot (nur der Anfang, die anderen Sachen sind glaub ich nur Gebrauchsspurenhinweise):
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $B067B5B7] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explore r.exe

Hupigon13: [SBI $D5A7DCB6] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

Hupigon13: [SBI $8D4AFC92] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com

Hupigon13: [SBI $79919CB3] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe

Hupigon13: [SBI $46DBB063] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe

Win32.Delf.uv: [SBI $E73FD4D9] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE\Debugger

Win32.Delf.uv: [SBI $9554BC9A] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE\Debugger

Win32.Delf.uv: [SBI $C83CB234] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.EXE\Debugger

Win32.Delf.uv: [SBI $4D759A7F] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE\Debugger

Win32.Delf.uv: [SBI $F963F0F7] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger

Win32.Delf.uv: [SBI $83CDDB58] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.EXE\Debugger

Win32.Delf.uv: [SBI $AB0D8EB4] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE\Debugger

Win32.Delf.uv: [SBI $C53439DD] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE\Debugger

Win32.Delf.uv: [SBI $0809137C] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE\Debugger

Win32.Delf.uv: [SBI $95619944] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE\Debugger

Win32.Delf.uv: [SBI $AE0ED1C1] Einstellungen (Registrierungsdatenbank-Wert, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE\Debugger

Online Content Ltd.: Lesezeichen (Firefox: default) (Lesezeichen, nothing done)

Common Dialogs: History (178 files) (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Chris4You · 27.05.2009, 14:44

Hi,

in dem Fall probieren wir mal MAM, runterladen und direkt im Downloadidalog umbenennen ggf. im abgesicherten Modus probieren (F8 beim Booten drücken).

Malwarebytes Antimalware (MAM).
Anleitung&Download hier: http://www.trojaner-board.de/51187-m...i-malware.html
Fullscan und alles bereinigen lassen! Log posten.
Alternativer Download: http://filepony.de/download-malwarebytes_anti_malware/, http://www.gt500.org/malwarebytes/mbam.jsp

chris
Ps.: Diese Reg.-Einträge:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
verhindern das Starten der AV-Programme, wäre interessant auszuprobieren ob die vom Virus überwacht werden....
Hmmm...
Lust auf ein Experiment?
Lade Dir: http://www.chip.de/downloads/c1_downloads_12991462.html (RegCleaner) runter, navigiere zu dem Schlüssel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
und lösche dort den Eintrag "regedit.exe".
Dann versuche Regedit zu starten (start->ausführen->regedit.exe)
Wenn das geht, mache ich ein Script um den Rest weg zubekommen, damit Avira wieder läuft....

phaos · 28.05.2009, 18:26

Hallo Chris,
ich habe MAM ausgeführt, dieses hat auch eine ganze Reihe von Sachen gefunden, ich habs löschen lassen, und das Log gespeichert, ABER:
Jetzt funktioniert der PC nicht mehr richtig, beim Laden der Taskleiste bleibt er irgendwie hängen, ich kann nichts in Startmenü, kann keine Programme öffnen und kein Kontextmenü anzeigen. Folglich kann ich dir auch nicht mehr die Logdatei geben, die ist zwar auf dem Desktop, aber ich kann sie nicht bearbeiten. Das einzige was zu gehen scheint ist der Taskmanager. Mir kommt ungewöhnlich vor, dass in der Prozessliste nur ein einziges Prozess SYSTEM als Benutzername hat, alle anderen haben keinen. Das war doch sonst anders...?! Hab ich jetzt irgendwelche Systemdateien gelöscht durch MAM?
Vielen Dank und Grüße,

Michael

Chris4You · 29.05.2009, 07:17

Hi,

shit, dazu bräuchte ich das Log...

Notfalls wie folgt vorgehen:
TaskManager->Reiter "Anwendungen"->Neuer Task...->explorer.exe

Startet die dann?

Probiere das gleiche mit Notepad.exe, damit Du das Log mal Laden/posten kannst...

Wenn gar nichts geht, versuchen über diesen Weg MAM aufzurufen (mbam.exe),
dann auf Reiter Quarantäne, da lässt sich alles wiederherstellen...

Wir schauen mal tiefer in das System (allerdings beschleicht mich das ungute Gefühl, dass wir ggf. Neuaufsetzen müssen...)

RSIT
Random's System Information Tool (RSIT) von random/random liest Systemdetails aus und erstellt ein aussagekräftiges Logfile.

* Lade Random's System Information Tool (RSIT) herunter (http://filepony.de/download-rsit/)
* speichere es auf Deinem Desktop.
* Starte mit Doppelklick die RSIT.exe.
* Klicke auf Continue, um die Nutzungsbedingungen zu akzeptieren.
* Wenn Du HijackThis nicht installiert hast, wird RSIT das für Dich herunterladen und installieren.
* In dem Fall bitte auch die Nutzungsbedingungen von Trend Micro (http://de.trendmicro.com/de/home) für HJT akzeptieren "I accept".
* Wenn Deine Firewall fragt, bitte RSIT erlauben, ins Netz zu gehen.
* Der Scan startet automatisch, RSIT checkt nun einige wichtige System-Bereiche und produziert Logfiles als Analyse-Grundlage.
* Wenn der Scan beendet ist, werden zwei Logfiles erstellt und in Deinem Editor geöffnet.
* Bitte poste den Inhalt von C:\rsit\log.txt und C:\rsit\info.txt (<= minimiert) hier in den Thread.

chris

phaos · 30.05.2009, 09:08

Hallo Chris,

ich habe es nun doch geschafft den PC wieder lauffähig zu machen, nachdem ich im abgesichterten Modus avast deinstalliert habe, das hatte ich mir nämlich vor Tagen heruntergeladen, nachdem Antirvir nicht mehr ging.
Nun folgt gleich erstmal das MAM log, und danach auch noch das RSIT log.
Ich hab mir auch diesen RegCleaner heruntergeladen, weiß aber grad nicht, wie ich damit diesen Registryschlüssel von dir finde. Antivir läuft nämlich noch nicht.

MAMlog:
Malwarebytes' Anti-Malware 1.37
Datenbank Version: 2185
Windows 5.1.2600 Service Pack 3

27.05.2009 22:48:00
mbam-log-2009-05-27 (22-48-00).txt

Scan-Methode: Vollständiger Scan (C:\|F:\|)
Durchsuchte Objekte: 331590
Laufzeit: 3 hour(s), 10 minute(s), 31 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 97
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 0
Infizierte Dateien: 9

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{386a771c-e96a-421f-8ba7-32f1b706892f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db893839-10f0-4af9-92fa-b23528f530af} (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Dropper) -> Data: digiwet.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\dokumente und einstellungen\michael schultheis\lokale einstellungen\temporary internet files\Content.IE5\HAYLM7AB\load[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0ff17727-9f83-4d7c-919c-3a3eac40f985}\RP634\A0218322.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0ff17727-9f83-4d7c-919c-3a3eac40f985}\RP636\A0218401.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0ff17727-9f83-4d7c-919c-3a3eac40f985}\RP641\A0219054.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\netsik.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\digiwet.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\systemntmi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Fortsetzung....

phaos · 30.05.2009, 09:11

...folgt:

RSIT-Log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Michael Schultheis at 2009-05-30 09:58:11
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 49 GB (43%) free of 114 GB
Total RAM: 1023 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:58:31, on 30.05.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\avmwlanstick\WlanNetService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\oodag.exe
C:\Programme\Sandboxie\SbieSvc.exe
C:\Programme\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Programme\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\D-Link\Air USB Utility\AirCFG.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\avmwlanstick\wlangui.exe
C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\RSIT.exe
C:\Programme\trend micro\Michael Schultheis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programme\Search Settings\kb127\SearchSettings.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programme\Search Settings\kb127\SearchSettings.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programme\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [WD Anywhere Backup] C:\Programme\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HDDHealth] H:\HDD Health\hddhealth.exe -wl
O4 - Global Startup: Adobe Reader - Schnellstart.lnk.disabled
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download All by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1088778804203
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCABE8A3-616C-4193-A970-E9382778410C}: NameServer = 192.168.0.1
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Avira AntiVir Planer (antivirschedulerservice) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (antivirupgradeservice) - Unknown owner - C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\AVSETUP_4a1a9fb9\basic\avupgsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ATI Smart ATIusnsvc (ATIusnsvc) - Unknown owner - C:\WINDOWS\system32\AgCPanelFrenchb.exe
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: Intelligenter Hintergrundübertragungsdienst (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Programme\WD\WD Anywhere Backup\MemeoBackgroundService.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Programme\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programme\WZCBDL Service\WZCBDLS.exe

--
End of file - 10283 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2275205704-1375463252-582915583-1006.job
C:\WINDOWS\tasks\ISP-Anmeldungserinnerung 1.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Programme\Orbitdownloader\orbitcth.dll [2009-01-20 134344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F364306-AA45-47B5-9F9D-39A8B94E7EF1}]
FG2CatchUrl - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll [2008-08-19 104016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
SearchSettings Class - C:\Programme\Search Settings\kb127\SearchSettings.dll [2008-06-12 1111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Programme\Orbitdownloader\GrabPro.dll [2009-01-20 646264]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"D-Link Air USB Utility"=C:\Programme\D-Link\Air USB Utility\AirCFG.exe [2003-07-23 2695168]
"ATIPTA"=C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-05-15 339968]
"SpybotSnD"=C:\Programme\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 4891984]
"AVMWlanClient"=C:\Programme\avmwlanstick\wlangui.exe [2007-12-20 1748992]
"WD Drive Manager"=C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [2008-01-30 438272]
"WD Anywhere Backup"=C:\Programme\WD\WD Anywhere Backup\MemeoLauncher2.exe [2008-11-07 197856]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"wininet.dll"= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Programme\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]
"HDDHealth"=H:\HDD Health\hddhealth.exe -wl []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Programme\Creative\SBLive\Diagnostics\diagent.exe [2002-04-03 135264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Programme\IncrediMail\bin\IncMail.exe [2005-05-25 188459]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Programme\MSN Messenger\MsnMsgr.Exe [2006-07-29 5354792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programme\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Programme\Real\RealPlayer\RealPlay.exe [2007-10-23 214296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
C:\Programme\Desktop Sidebar\dsidebar.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Adobe Reader - Schnellstart.lnk.disabled - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-05-15 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
:\WINDOWS\syste
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"NoDispAppearancePage"=0
"NoColorChoice"=0
"NoSizeChoice"=0
"NoDispScrSavPage"=0
"NoDispCPL"=0
"NoVisualStyleChoice"=0
"NoDispSettingsPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=91000000
"NoActiveDesktop"=0
"NoThemesTab"=0
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=
"NoActiveDesktopChanges"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Trillian\trillian.exe"="C:\Programme\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\Programme\Real\RealPlayer\realplay.exe"="C:\Programme\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Programme\Maple 7\BIN.WNT\mserver.exe"="C:\Programme\Maple 7\BIN.WNT\mserver.exe:*:Enabled:mserver"
"C:\Programme\IncrediMail\bin\IMApp.exe"="C:\Programme\IncrediMail\bin\IMApp.exe:*:Enabled:IncrediMail"
"C:\Programme\IncrediMail\bin\IncMail.exe"="C:\Programme\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail"
"C:\Programme\IncrediMail\bin\ImpCnt.exe"="C:\Programme\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\Programme\IncrediMail\bin\ImLc.exe"="C:\Programme\IncrediMail\bin\ImLc.exe:*:Enabled:IncrediMail"
"C:\Programme\Azureus\Azureus.exe"="C:\Programme\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Programme\Windows Media Player\wmplayer.exe"="C:\Programme\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Programme\Opera\Opera.exe"="C:\Programme\Opera\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\Programme\ICQ6\ICQ.exe"="C:\Programme\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Programme\Mozilla Firefox\firefox.exe"="C:\Programme\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"E:\fsetup.exe"="E:\fsetup.exe:*:Enabled:AVM FSetup Application"
"C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\MUTE\fileSharingMUTE.exe"="C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\MUTE\fileSharingMUTE.exe:*

isabled:fileSharingMUTE"
"C:\Programme\Half-Life 2\hl2.exe"="C:\Programme\Half-Life 2\hl2.exe:*

isabled:hl2"
"C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\HL 2\hl2.exe"="C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\HL 2\hl2.exe:*

isabled:hl2"
"C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\Counter - Strike - Source [ PC ] ++ Crack\Counter-Strike Source\Counter-Strike Source\hl2.exe"="C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\Counter - Strike - Source [ PC ] ++ Crack\Counter-Strike Source\Counter-Strike Source\hl2.exe:*

isabled:hl2"
"C:\Programme\Nero\Nero 7\Nero Home\NeroHome.exe"="C:\Programme\Nero\Nero 7\Nero Home\NeroHome.exe:*

isabled:Nero Home"
"C:\Programme\Gemeinsame Dateien\Ahead\Nero Web\SetupX.exe"="C:\Programme\Gemeinsame Dateien\Ahead\Nero Web\SetupX.exe:*

isabled:Nero ProductSetup"
"C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe"="C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe:*

isabled:Nero ShowTime"
"C:\Programme\Orbitdownloader\orbitnet.exe"="C:\Programme\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
"C:\Programme\Orbitdownloader\orbitdm.exe"="C:\Programme\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\ChemDraw.exe"="C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\ChemDraw.exe:*:Enabled:ChemDraw Ultra 10.0"
"C:\Programme\OO Software\Defrag Professional\oodcnt.exe"="C:\Programme\OO Software\Defrag Professional\oodcnt.exe:LocalSubNet:Enabled

odcnt.exe"
"C:\Programme\OO Software\Defrag Professional\oodcmd.exe"="C:\Programme\OO Software\Defrag Professional\oodcmd.exe:*:Enabled

odcmd.exe"
"C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe"="C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe:*

isabled:svchost"
"C:\Programme\Internet Explorer\iexplore.exe"="C:\Programme\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\UT2004\System\UT2004.exe"="C:\UT2004\System\UT2004.exe:*:Enabled:UT2004"
"C:\WINDOWS\SYSTEM32\javaw.exe"="C:\WINDOWS\SYSTEM32\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Programme\WinHTTrack\WinHTTrack.exe"="C:\Programme\WinHTTrack\WinHTTrack.exe:*:Enabled:WinHTTrack Website Copier, Web Site mirroring for professional and private purposes"
"C:\Programme\FlashGet Network\FlashGet universal\flashget.exe"="C:\Programme\FlashGet Network\FlashGet universal\flashget.exe:*:Enabled:flashget"
"C:\Programme\ICQ6.5\ICQ.exe"="C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Programme\eMule.de\emule.exe"="C:\Programme\eMule.de\emule.exe:*:Enabled:eMule"
"C:\Dokumente und Einstellungen\Michael Schultheis\Lokale Einstellungen\Temp\ImInstaller\IncrediMail\incredimail_install.exe"="C:\Dokumente und Einstellungen\Michael Schultheis\Lokale Einstellungen\Temp\ImInstaller\IncrediMail\incredimail_install.exe:*

isabled:IncrediMail Installer"
"C:\Programme\iTunes\iTunes.exe"="C:\Programme\iTunes\iTunes.exe:*

isabled:iTunes"
"C:\Programme\Unreal Tournament 3\Binaries\UT3.exe"="C:\Programme\Unreal Tournament 3\Binaries\UT3.exe:*

isabled:UT3"
"C:\Programme\MSN Messenger\msnmsgr.exe"="C:\Programme\MSN Messenger\msnmsgr.exe:*

isabled:Windows Live Messenger 8.0"
"C:\Programme\MSN Messenger\msncall.exe"="C:\Programme\MSN Messenger\msncall.exe:*

isabled:Windows Live Messenger 8.0 (Phone)"
"C:\WINDOWS\SYSTEM32\ati2evxx.exe"="C:\WINDOWS\SYSTEM32\ati2evxx.exe:*:Enabled:ENABLE"
"C:\Programme\D-Link\Air USB Utility\AirCFG.exe"="C:\Programme\D-Link\Air USB Utility\AirCFG.exe:*:Enabled:ENABLE"
"C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe:*:Enabled:ENABLE"
"C:\Programme\avmwlanstick\WLanGUI.exe"="C:\Programme\avmwlanstick\WLanGUI.exe:*:Enabled:ENABLE"
"C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe"="C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe:*:Enabled:ENABLE"
"C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:ENABLE"
"C:\Programme\WD\WD Anywhere Backup\MemeoBackup.exe"="C:\Programme\WD\WD Anywhere Backup\MemeoBackup.exe:*:Enabled:ENABLE"
"C:\Dokumente und Einstellungen\Michael Schultheis\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe"="C:\Dokumente und Einstellungen\Michael Schultheis\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe:*:Enabled:ENABLE"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\MSN Messenger\msnmsgr.exe"="C:\Programme\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Programme\MSN Messenger\msncall.exe"="C:\Programme\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b07f7157-36ad-11dc-81d4-000f3ddf1f20}]
shell\AutoRun\command - I:\setupSNK.exe

======File associations======

.js - open - "C:\Programme\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"

======List of files/folders created in the last 2 months======

2009-05-30 09:58:10 ----D---- C:\rsit
2009-05-27 19:33:57 ----D---- C:\Dokumente und Einstellungen\Michael Schultheis\Anwendungsdaten\Malwarebytes
2009-05-27 19:33:49 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2009-05-27 19:33:49 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-05-26 18:37:24 ----D---- C:\Programme\Alwil Software
2009-05-26 18:21:54 ----D---- C:\Programme\Avira
2009-05-26 18:21:54 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2009-05-25 21:03:53 ----D---- C:\Programme\Trend Micro
2009-05-25 20:24:46 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-19 22:48:18 ----RSH---- C:\WINDOWS\system32\AgCPanelFrenchb.exe
2009-04-15 23:39:02 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-15 23:38:38 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-15 23:30:05 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-15 23:29:16 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-15 23:28:51 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-15 23:28:10 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$

Fortsetzung....

phaos · 30.05.2009, 09:12

...folgt:

RSIT-Log Teil 2

======List of files/folders modified in the last 2 months======

2009-05-30 09:57:51 ----D---- C:\WINDOWS\Prefetch
2009-05-30 09:57:16 ----D---- C:\Dokumente und Einstellungen\Michael Schultheis\Anwendungsdaten\Orbit
2009-05-30 09:55:07 ----D---- C:\Programme\Orbitdownloader
2009-05-30 09:51:48 ----D---- C:\WINDOWS\temp
2009-05-30 09:51:44 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-30 09:48:25 ----D---- C:\WINDOWS\SYSTEM32
2009-05-30 09:48:14 ----D---- C:\WINDOWS\system32\DRIVERS
2009-05-27 22:52:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-27 22:51:52 ----D---- C:\WINDOWS
2009-05-27 19:36:22 ----D---- C:\Dokumente und Einstellungen\Michael Schultheis\Anwendungsdaten\Azureus
2009-05-27 19:33:49 ----RD---- C:\Programme
2009-05-26 21:35:29 ----D---- C:\WINDOWS\system32\CONFIG
2009-05-26 18:32:30 ----D---- C:\WINDOWS\system32\oodag
2009-05-26 18:22:11 ----HD---- C:\WINDOWS\INF
2009-05-26 18:21:00 ----SHD---- C:\WINDOWS\Installer
2009-05-26 18:20:58 ----D---- C:\WINDOWS\WinSxS
2009-05-26 18:19:18 ----D---- C:\Programme\Spybot - Search & Destroy
2009-05-25 13:52:19 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe
2009-05-25 13:51:36 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-05-24 17:49:16 ----A---- C:\WINDOWS\NeroDigital.ini
2009-05-14 21:25:42 ----D---- C:\Programme\DVD Decrypter
2009-05-14 21:21:33 ----A---- C:\WINDOWS\cdplayer.ini
2009-05-07 09:16:30 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-04 17:30:37 ----SD---- C:\WINDOWS\Tasks
2009-04-21 16:16:42 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-16 09:20:58 ----D---- C:\WINDOWS\system32\WBEM
2009-04-16 09:20:58 ----D---- C:\WINDOWS\AppPatch
2009-04-15 23:39:13 ----A---- C:\WINDOWS\imsins.BAK
2009-04-15 23:37:57 ----D---- C:\WINDOWS\system32\de-de
2009-04-15 23:37:56 ----D---- C:\Programme\Internet Explorer
2009-04-15 23:29:41 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-15 14:22:42 ----RSD---- C:\WINDOWS\Fonts
2009-04-13 13:28:37 ----D---- C:\Programme\Azureus
2009-04-12 18:05:25 ----D---- C:\Programme\Postal2STP
2009-04-10 13:21:27 ----D---- C:\Programme\Trillian
2009-03-31 20:03:39 ----D---- C:\WINDOWS\system32\FxsTmp
2009-03-31 15:52:59 ----A---- C:\WINDOWS\SIERRA.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel-Prozessortreiber; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 40448]
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-04-09 31548]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2009-03-28 5632]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2008-09-24 235840]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-03-24 55640]
R2 CVPNDRVA;Cisco Systems IPsec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R2 NIOC;NIOC Service; \??\C:\WINDOWS\System32\NIOC.SYS []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-05-15 745984]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2003-07-24 139604]
R3 DynCal;Dynamic Calibration Service; C:\WINDOWS\System32\Drivers\DynCal.sys [2001-05-21 8051]
R3 FWLANUSB;AVM FRITZ!WLAN; C:\WINDOWS\system32\DRIVERS\fwlanusb.sys [2007-12-20 265088]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HidUsb;Microsoft HID Class-Treiber; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\System32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-09-22 1330048]
R3 SbieDrv;SbieDrv; \??\C:\Programme\Sandboxie\SbieDrv.sys []
R3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Miniporttreiber für universellen Microsoft USB-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-05-02 2432]
S1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-05-02 2560]
S1 P3;Intel PentiumIII-Prozessortreiber; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-14 46848]
S3 aa00vdpi;aa00vdpi; C:\WINDOWS\system32\drivers\aa00vdpi.sys []
S3 avmeject;AVM Eject; C:\WINDOWS\system32\drivers\avmeject.sys [2007-12-20 4352]
S3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [2005-05-31 20480]
S3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [2005-04-30 10804]
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys [2005-05-31 23000]
S3 BTHidEnum;Bluetooth HID Enumerator; C:\WINDOWS\system32\DRIVERS\vbtenum.sys [2005-04-30 11860]
S3 CCDECODE;Untertiteldecoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2003-05-01 5220]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-09-19 139776]
S3 EL90XBC;3Com EtherLink XL 90XB/C-Adaptertreiber; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS []
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-08-23 58288]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-08-23 8336]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-08-23 94064]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-08-23 85408]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-08-23 83344]
S3 mouhid;Maus-HID-Treiber; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-18 12288]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI-Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV-/Videoverbindung; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nm;Netzwerkmonitortreiber; C:\WINDOWS\System32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 NMSCFG;NIC Management Service Configuration Driver; \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS []
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver; C:\WINDOWS\System32\DRIVERS\PRISMUSB.sys [2003-04-10 636416]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-02-13 28376]
S3 streamip;BDA-IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SymEvent;SymEvent; \??\C:\Programme\Symantec\SYMEVENT.SYS []
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976]
S3 usbscan;USB-Scannertreiber; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 utblfilt;utblfilt; C:\WINDOWS\System32\drivers\utblfilt.sys [2001-05-23 12084]
S3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys [2004-10-19 61312]
S3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys [2005-03-25 82148]
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WSTCODEC;World Standard Teletext-Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agpCPQ;Compaq AGP-Bus-Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP-Bus-Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP-Bus-Filtertreiber; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 sisagp;SIS AGP-Bus-Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP-Bus-Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 antivirschedulerservice;Avira AntiVir Planer; C:\Programme\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
R2 antivirservice;Avira AntiVir Guard; C:\Programme\Avira\AntiVir Desktop\avguard.exe [2009-03-02 185089]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-05-15 376832]
R2 AVM WLAN Connection Service;AVM WLAN Connection Service; C:\Programme\avmwlanstick\WlanNetService.exe [2007-12-20 364544]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [1999-12-13 44032]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Programme\Cisco Systems\VPN Client\cvpnd.exe [2004-07-22 1433616]
R2 Iprip;RIP-Überwachung; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-10-21 303104]
R2 O&O Defrag;O&O Defrag; C:\WINDOWS\System32\oodag.exe [2004-05-17 184320]
R2 SbieSvc;Sandboxie Service; C:\Programme\Sandboxie\SbieSvc.exe [2008-09-02 48640]
R2 Seagate Sync Service;Seagate Sync Service; C:\Programme\Seagate\Sync\SeaSyncServices.exe [2007-01-18 24120]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service; C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-01-30 106496]
R2 WZCBDLService;WZCBDL Service; C:\Programme\WZCBDL Service\WZCBDLS.exe [2002-03-19 36864]
S2 antivirupgradeservice;Avira Upgrade Service; C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\AVSETUP_4a1a9fb9\basic\avupgsvc.exe /TEMPSTART:C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\AVSETUP_4a1a9fb9\basic\setup.exe /NOTEMPCLEANUP /CROSSUPGRADE []
S2 ATI Smart;ATI Smart; C:\WINDOWS\SYSTEM32\ati2sgag.exe [2004-05-15 516096]
S2 ATIusnsvc;ATI Smart ATIusnsvc; C:\WINDOWS\system32\AgCPanelFrenchb.exe [2009-05-19 53248]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 268800]
S2 MemeoBackgroundService;MemeoBackgroundService; C:\Programme\WD\WD Anywhere Backup\MemeoBackgroundService.exe [2008-11-07 25824]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod-Dienst; C:\Programme\iPod\bin\iPodService.exe [2007-06-28 501048]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe [2007-04-19 68096]
S3 NBService;NBService; C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-01-15 774144]
S3 NMIndexingService;NMIndexingService; C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe [2007-01-15 266240]
S3 NMSSvc;Intel(R) NMS; C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 1118208]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe [2005-04-05 206552]
S3 usnsvc;Messenger Sharing USN Journal Reader-Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

Vielen Dank,
Michael

Chris4You · 30.05.2009, 10:19

Hi,

die startverhindernden Regeinträge sollten weg sein, ...

Wir fixen erstmal nichts, bitte combofix...

Lade Dir Avira neu runter http://www.free-av.de/de/download/1/...antivirus.html, erst mal nicht installieren.

Offline gehen, combofix ausführen, danach weiterhin offline Avira deinstallieren und die neue Version installieren, online gehen, Avira updaten,
Combofix-Log posten.
Dann stelle Dein Antivir wie folgt ein, wie hier beschrieben:
http://www.trojaner-board.de/54192-a...tellungen.html.
Fullscan und auch dieses Log posten...

Combofix
Lade Combo Fix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report angezeigt, den bitte kopieren und in deinem Thread einfuegen.
Weitere Anleitung unter:http://www.bleepingcomputer.com/comb...x-benutzt-wird
Hinweis: unter : C:\WINDOWS\erdnt
wird ein Backup angelegt.
Alternative downloads: http://subs.geekstogo.com/ComboFix.exe

chris

phaos · 30.05.2009, 15:24

Hallo,

Wenn ich combofix starten will, kommt die Meldung, ich müsste erst Antivir deaktivieren. Aber ich weiß nicht wie...? Es ist in der Symbolleiste, und ich habs auch schon zu deinstallieren versucht, aber die Meldung kommt trotzdem. Was soll ich tun?

Vg, Michael

Chris4You · 01.06.2009, 11:22

Hi,

lösche ComboFix bzw. wenn Du ihn schon installiert hast wie folgt:
Start->Ausführen->combofix /u
Jetzt ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) neu runterladen (er wird täglich neu erstellt), ebenfalls dieses Tool runterladen (Avira 9 hast Du ja schon runtergeladen, oder):
Avira-uninstall tool
http://dl1.pro.antivir.de/down/windows/tool_de.exe
Dann offline gehen, Avirauninstall-Tool starten, nach erfolgreicher Deinstallation Combofix laufen lassen, danach Avira 9 installieren...

chris

phaos · 01.06.2009, 16:33

Hallo Chris,

sorry dass ich es so kompliziert mache ;-), aber irgendwie hat noch nicht ganz geklappt. Habe das Tool laufen lassen (hat keine infizierte Datei gefunden), und Antivir steht auch nicht mehr in der Windows Software-Liste. Trotzdem - wenn ich Combofix starten will, kommt immer noch die Warnmeldung, dass Antivir noch aktiv sei. Außerdem behauptet das Windows Sicherheitscenter, dass mehrere Antivirenprogramme vorhanden seien, von denen mindestens eins aktiv ist...Soll ich einfach Combofix trotzdem mal laufen lassen?

Chris4You · 02.06.2009, 06:40

Hi,

bitte noch mal ein neues HJ-Log...
Ich möchte nachschauen, ob noch Teile von Avira aktiv sind, die wir ggf. fixen können...
Eventuell brauche ich wegen den Treibern noch ein aktuelles RST-Log, da ist ein Eintrag der
seltsam aussieht:
S2 antivirupgradeservice;Avira Upgrade Service; C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\AVSETUP_4a1a9fb 9\basic\avupgsvc.exe /TEMPSTART:C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\AVSET UP_4a1a9fb9\basic\setup.exe /NOTEMPCLEANUP /CROSSUPGRADE []
Hast Du schon mal den upgrade probiert?

Weiterhin läuft bei Dir noch Spybot, der muss unbedingt ebenfalls abgeschaltet bzw. deinstalliert werden (der Teatimer verhindert eine Bereinigung)...

Bei den Treibern habe ich noch was gefunden:
Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:

Als erstes versteckte Dateien anzeigen lassen! (nur Punkt 1 durchführen!)

Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:

Code:

ATTFilter

C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe <- das ist garantiert Malware
C:\WINDOWS\system32\drivers\aa00vdpi.sys <-????

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

chris

phaos · 02.06.2009, 10:14

Hallo,

Spybot habe ich mal deinstalliert.

Hijackthis log folgt unten. Ich konnte das Programm nicht direkt ausführen, daher hab ich es umbenannt und diese Anleitung http://www.trojaner-board.de/51130-anleitung-hijackthis.html befolgt.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:36, on 02.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\avmwlanstick\WlanNetService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\oodag.exe
C:\Programme\Sandboxie\SbieSvc.exe
C:\Programme\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Programme\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\D-Link\Air USB Utility\AirCFG.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\avmwlanstick\wlangui.exe
C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\Michael Schultheis\Desktop\prüfung.com
C:\Programme\WD\WD Anywhere Backup\MemeoBackup.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programme\Search Settings\kb127\SearchSettings.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programme\Search Settings\kb127\SearchSettings.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programme\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [WD Anywhere Backup] C:\Programme\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
O4 - HKCU\..\Run: [HDDHealth] H:\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk.disabled
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download All by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1088778804203
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCABE8A3-616C-4193-A970-E9382778410C}: NameServer = 192.168.0.1
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Avira Upgrade Service (antivirupgradeservice) - Unknown owner - C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\AVSETUP_4a1a9fb9\basic\avupgsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ATI Smart ATIusnsvc (ATIusnsvc) - Unknown owner - C:\WINDOWS\system32\AgCPanelFrenchb.exe
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: Intelligenter Hintergrundübertragungsdienst (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Programme\WD\WD Anywhere Backup\MemeoBackgroundService.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Programme\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programme\WZCBDL Service\WZCBDLS.exe

--
End of file - 9384 bytes

RSIT habe ich nochmal ausgeführt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Michael Schultheis at 2009-06-02 10:56:59
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 49 GB (43%) free of 114 GB
Total RAM: 1023 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:08, on 02.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\avmwlanstick\WlanNetService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\oodag.exe
C:\Programme\Sandboxie\SbieSvc.exe
C:\Programme\Seagate\Sync\SeaSyncServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Programme\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\D-Link\Air USB Utility\AirCFG.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\avmwlanstick\wlangui.exe
C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Dokumente und Einstellungen\Michael Schultheis\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Dokumente und Einstellungen\Michael Schultheis\Desktop\RSIT(1).exe
C:\Programme\trend micro\Michael Schultheis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programme\Search Settings\kb127\SearchSettings.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programme\Orbitdownloader\orbitcth.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programme\Search Settings\kb127\SearchSettings.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Programme\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programme\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [WD Anywhere Backup] C:\Programme\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
O4 - HKCU\..\Run: [HDDHealth] H:\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk.disabled
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download All by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1088778804203
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCABE8A3-616C-4193-A970-E9382778410C}: NameServer = 192.168.0.1
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Avira Upgrade Service (antivirupgradeservice) - Unknown owner - C:\DOKUME~1\MICHAE~1\LOKALE~1\Temp\AVSETUP_4a1a9fb9\basic\avupgsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ATI Smart ATIusnsvc (ATIusnsvc) - Unknown owner - C:\WINDOWS\system32\AgCPanelFrenchb.exe
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: Intelligenter Hintergrundübertragungsdienst (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Programme\WD\WD Anywhere Backup\MemeoBackgroundService.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Programme\Sandboxie\SbieSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Programme\Seagate\Sync\SeaSyncServices.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programme\WZCBDL Service\WZCBDLS.exe

--
End of file - 9648 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2275205704-1375463252-582915583-1006.job
C:\WINDOWS\tasks\ISP-Anmeldungserinnerung 1.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - C:\Programme\Orbitdownloader\orbitcth.dll [2009-01-20 134344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F364306-AA45-47B5-9F9D-39A8B94E7EF1}]
FG2CatchUrl - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll [2008-08-19 104016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
SearchSettings Class - C:\Programme\Search Settings\kb127\SearchSettings.dll [2008-06-12 1111904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - C:\Programme\Orbitdownloader\GrabPro.dll [2009-01-20 646264]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"D-Link Air USB Utility"=C:\Programme\D-Link\Air USB Utility\AirCFG.exe [2003-07-23 2695168]
"ATIPTA"=C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-05-15 339968]
"SpybotSnD"=C:\Programme\Spybot - Search & Destroy\SpybotSD.exe []
"AVMWlanClient"=C:\Programme\avmwlanstick\wlangui.exe [2007-12-20 1748992]
"WD Drive Manager"=C:\Programme\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [2008-01-30 438272]
"WD Anywhere Backup"=C:\Programme\WD\WD Anywhere Backup\MemeoLauncher2.exe [2008-11-07 197856]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"wininet.dll"= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HDDHealth"=H:\HDD Health\hddhealth.exe -wl []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
C:\Programme\Creative\SBLive\Diagnostics\diagent.exe [2002-04-03 135264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Programme\IncrediMail\bin\IncMail.exe [2005-05-25 188459]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Programme\MSN Messenger\MsnMsgr.Exe [2006-07-29 5354792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programme\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Programme\Real\RealPlayer\RealPlay.exe [2007-10-23 214296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
C:\Programme\Desktop Sidebar\dsidebar.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
Adobe Reader - Schnellstart.lnk.disabled - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-05-15 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

phaos · 02.06.2009, 10:15

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
:\WINDOWS\syste
scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"NoDispAppearancePage"=0
"NoColorChoice"=0
"NoSizeChoice"=0
"NoDispScrSavPage"=0
"NoDispCPL"=0
"NoVisualStyleChoice"=0
"NoDispSettingsPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=91000000
"NoActiveDesktop"=0
"NoThemesTab"=0
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=
"NoActiveDesktopChanges"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\Trillian\trillian.exe"="C:\Programme\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\Programme\Real\RealPlayer\realplay.exe"="C:\Programme\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Programme\Maple 7\BIN.WNT\mserver.exe"="C:\Programme\Maple 7\BIN.WNT\mserver.exe:*:Enabled:mserver"
"C:\Programme\IncrediMail\bin\IMApp.exe"="C:\Programme\IncrediMail\bin\IMApp.exe:*:Enabled:IncrediMail"
"C:\Programme\IncrediMail\bin\IncMail.exe"="C:\Programme\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail"
"C:\Programme\IncrediMail\bin\ImpCnt.exe"="C:\Programme\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\Programme\IncrediMail\bin\ImLc.exe"="C:\Programme\IncrediMail\bin\ImLc.exe:*:Enabled:IncrediMail"
"C:\Programme\Azureus\Azureus.exe"="C:\Programme\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Programme\Windows Media Player\wmplayer.exe"="C:\Programme\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Programme\Opera\Opera.exe"="C:\Programme\Opera\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\Programme\ICQ6\ICQ.exe"="C:\Programme\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Programme\Mozilla Firefox\firefox.exe"="C:\Programme\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"E:\fsetup.exe"="E:\fsetup.exe:*:Enabled:AVM FSetup Application"
"C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\MUTE\fileSharingMUTE.exe"="C:\Dokumente und Einstellungen\Michael Schultheis\Eigene Dateien\Downloads\MUTE\fileSharingMUTE.exe:*