Malware Back.Door.Generic11.ZNE cannot be removed
02.07.2009, 08:41 | #1 |
Good morning, dear helpers!!! I have a small problem. When I got to my PC this morning I saw that my download had finished. I unpacked it all and then went to the kitchen to get myself a coffee^^. When I sat back down at the PC I got a fright: it told me that I have this Back.Door.Generic11.ZNE pest on my system. I ran my AVG and it then told me it is supposed to be in the System32 folder. But when I let my AVG run through it shows this pest 30 times. I just can't get it off; I could really use some help right now. I would be glad to get a positive answer from you. I have also already used Google, but to be honest I found nothing. Thanks in advance.
Regards, WaechterDerDrachen
02.07.2009, 09:12 | #2 |
Post a HijackThis log^^
thx and regards, Aldi
02.07.2009, 09:16 | #3 |
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:15, on 02.07.2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Users\***\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [StartCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 6627 bytes

P.S. I have Vista^^
Regards, WaechterDerDrachen
02.07.2009, 10:52 | #4 |
Malwarebytes' Anti-Malware 1.38
Datenbank Version: 2361
Windows 6.0.6000

02.07.2009 11:48:19
mbam-log-2009-07-02 (11-48-19).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 220778
Laufzeit: 1 hour(s), 34 minute(s), 43 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AeLookupSvcALG (Trojan.Downloader) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

It would be nice if someone could help me, because it keeps telling me the whole time that my disk is infected, although AVG finds nothing. And CCleaner has also fixed and cleaned everything.
Regards, WaechterDerDrachen
02.07.2009, 12:09 | #5 |
The file is supposed to be in here, but it isn't even there: C:\Windows\System32\SKYNETdporhbix.dll
I really don't know what to do any more.
Regards, WaechterDerDrachen
02.07.2009, 13:33 | #6 |
hmmmm.... it seems nobody can help me with this
02.07.2009, 13:36 | #7 |
Hi, that is a rootkit...

Combofix
Download Combo Fix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop.
Close all windows, start combofix.exe, confirm the prompt that follows with 1 and press Enter.
The scan with Combofix can take a while, so have some patience. Please do nothing on the computer during the scan. The computer may be restarted in between.
After the scan finishes a report is displayed; please copy it and paste it into your thread.
Further instructions at: http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird
Note: a backup is created under C:\WINDOWS\erdnt.

After that, please update MAM right away and run a full scan, post the log, and also:

SilentRunner: unpack the zip archive into a directory, start it with a double-click, choose "yes". The created file is in the same directory the script was copied to; please load it into an editor and post it.
http://www.silentrunners.org/Silent%20Runners.zip

chris
02.07.2009, 13:39 | #8 |
Alright, thank you, I'll get started on it; hope it all works and I get rid of the thing ^^
02.07.2009, 15:53 | #9 |
So, here are the things you wanted to see; I did everything just as you said.

ComboFix:

ComboFix 09-07-01.04 - *** 02.07.2009 14:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.49.1031.18.2046.1086 [GMT 2:00]
ausgeführt von:: c:\users\***\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows-Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\struct~.ini
c:\windows\system32\drivers\SKYNETrrnabhep.sys
c:\windows\system32\SKYNETcymkhwqx.dat
c:\windows\system32\SKYNETdqorhbix.dll
c:\windows\system32\SKYNETeytcwalr.dat
c:\windows\system32\SKYNETuiwgiryw.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETwulftaie

((((((((((((((((((((((( Dateien erstellt von 2009-06-02 bis 2009-07-02 ))))))))))))))))))))))))))))))
.
2009-07-02 08:11 . 2009-07-02 08:11 -------- d-----w- c:\users\***\AppData\Roaming\Malwarebytes
2009-07-02 08:11 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 08:11 . 2009-07-02 09:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 08:11 . 2009-07-02 08:11 -------- d-----w- c:\programdata\Malwarebytes
2009-07-02 08:11 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 08:10 . 2009-07-02 08:10 -------- d-----w- c:\program files\CCleaner
2009-07-01 19:38 . 2009-07-01 20:06 -------- d-----w- c:\users\***\AppData\Roaming\Apple Computer
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
02.07.2009, 15:56 | #10 |
|
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'Explorer.exe'(9796)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\MICROS~3\Office12\GR99D3~1.DLL
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\conime.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-07-02 15:13 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-07-02 13:12
Vor Suchlauf: 8 Verzeichnis(se), 65.699.573.760 Bytes frei
Nach Suchlauf: 8 Verzeichnis(se), 65.538.297.856 Bytes frei
415 --- E O F --- 2009-06-30 07:52

MAM:
Malwarebytes' Anti-Malware 1.38
Datenbank Version: 2363
Windows 6.0.6000
02.07.2009 16:24:54
mbam-log-2009-07-02 (16-24-54).txt
Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Durchsuchte Objekte: 219040
Laufzeit: 1 hour(s), 3 minute(s), 33 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
c:\Qoobox\quarantine\C\Windows\System32\SKYNETdqorhbix.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
Silent Runner:
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"StartCCC" = "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"DAEMON Tools Lite" = ""C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"PWRISOVM.EXE" = "C:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
     \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
     \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
     \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In SSV Helper"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
     \InProcServer32\(Default) = "C:\Windows\System32\uxtuneup.dll" ["TuneUp Software"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\SDShelEx-win32.dll" ["TuneUp Software"]
"{4838CD50-7E5D-4811-9B17-C47A85539F28}" = "TuneUp Disk Space Explorer Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
  -> {HKLM...CLSID} = "Groove Folder Synchronization"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
  -> {HKLM...CLSID} = "Groove XML Icon Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\SDShelEx-win32.dll" ["TuneUp Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Disk Space Explorer Shell Extension\(Default) = "{4838CD50-7E5D-4811-9B17-C47A85539F28}"
  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\SDShelEx-win32.dll" ["TuneUp Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}
"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}
"EnableLUA" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}
"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}
"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\***\AppData\Local\Microsoft\Wallpaper1.bmp"
|
02.07.2009, 15:57 | #11 |
|
Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-burn"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-burn\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]

ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-copy"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-copy\Command\(Default) = "C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]

ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL\
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-rip"
HKLM\SOFTWARE\Classes\Ashampoo.BurningStudio6FREE\shell\autoplay-rip\Command\(Default) = ""C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
     \LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" ["the VideoLAN Team"]

WIA_{24A316D7-B548-4432-BBB3-6FC7030DC2C5}\
"Provider" = "Microsoft Office Word"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /IMG_WIA;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{7EB6E354-3F0E-421A-920B-A9428985354B}\
"Provider" = "Microsoft Office Publisher"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\Microsoft Office\Office12\MSPUB.EXE /IMG_WIA;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{8D4C9234-1BE1-499C-9B53-AC5C9EC2549D}\
"Provider" = "Microsoft Office Publisher"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\Microsoft Office\Office12\MSPUB.EXE /IMG_STI /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{CCCB076D-42E2-4E50-8466-5F2686B30FB2}\
"Provider" = "Microsoft Office OneNote"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE /IMG_WIA;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

Startup items in "***" & "All Users" startup folders:
--------------------------------------------------------

C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
"OneNote 2007 Bildschirmausschnitt- und Startprogramm" -> shortcut to: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000007\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 18

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
     \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Program Files\ICQ6.5\ICQ.exe" ["ICQ, LLC."]

Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "C:\ProgramData\ICQ\ICQNewTab\newTab.html" [null data]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Ati External Event Utility, Ati External Event Utility, "C:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Bonjour-Dienst, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
Computerbrowser, Browser, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
LVCOMSer, LVCOMSer, ""C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe"" ["Logitech Inc."]
Process Monitor, LVPrcSrv, ""C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"" ["Logitech Inc."]
TuneUp Designerweiterung, UxTuneUp, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\uxtuneup.dll" ["TuneUp Software"]}
TuneUp Program Statistics Service, TuneUp.ProgramStatisticsSvc, "C:\Windows\System32\TUProgSt.exe" ["TuneUp Software"]
Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Media Player-Netzwerkfreigabedienst, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

---------- (launch time: 2009-07-02 15:28:49)

<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  first message box and "Yes" at second message box.
---------- (total run time: 73 seconds,
including 5 seconds for message boxes)

I hope everything is now the way it should be, because so far no further alert has appeared.
Regards, WaechterDerDrachen |
02.07.2009, 16:10 | #12 |
| Hi, that already looks quite good...
Uninstall Combofix: Start -> Run: combofix /u
C:\Qoobox - delete it and empty the Recycle Bin (ComboFix backups)
http://www.prevx.com/freescan.asp
If the tool finds something, don't post the log; post a screenshot of the window it then displays instead...
chris
__________________ Don't bring me down. Read before posting! Donations (anyone who wants to donate is welcome to get in touch) |
02.07.2009, 16:32 | #13 |
| Hi Chris, I've again done everything just as you wrote. The tool says the PC is clean; the picture is attached^^ (better safe than sorry, you know this better than I do^^)
Regards, Lars |
03.07.2009, 06:58 | #14 |
| Hi, that's okay, that should have been it...
chris & out
|