Dropper Gen

xyz12345 · 22.03.2010, 16:10

Ich habe mir das Dropper Gen einegfangen.

Habs versucht mit Antivir zu beheben, war aber nicht möglich. In einem anderen Thread stand, das jeder seinen eigenen Thread aufmachen sollte, damitt jedem individuell geholfen werden kann

so hier ist mal mein escan:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2008.03.07

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: Normal

eScan Version: 11.0.86
Sprache: German
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\MWAV.LOG

~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Datei C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1QTW2XQV\dotnetfx35setup[1].exe ist durch den Virus "NULL.Corrupted" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\Programme\NavExcel\NavHelper\v2.0.4a\NHelper.dll ist durch den Virus "Application.Browser.Modifier.Navexcel.Search.Toolbar.AR (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\Programme\NavExcel\NavHelper\v2.0.4a\NHUninstaller.exe ist durch den Virus "Adware.Navexcel.A (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\Programme\NavExcel\NavHelper\v2.0.4a\NHUpdater.exe ist durch den Virus "Adware.Navexcel.A (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\Programme\NavExcel\NavHelper\v2.0.4a\v2.0.4a.cab ist durch den Virus "Application.Browser.Modifier.Navexcel.Search.Toolbar.AS (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\WINDOWS\Downloaded Program Files\IDropPTB.dll ist durch den Virus "NULL.Corrupted" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\WINDOWS\Temp\0tfqjxb4.dll ist durch den Virus "NULL.Corrupted" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\WINDOWS\Temp\lodbo60k.dll ist durch den Virus "NULL.Corrupted" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\WINDOWS\Temp\tcx05r03.dll ist durch den Virus "NULL.Corrupted" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\WINDOWS\Temp\zvq-anyk.dll ist durch den Virus "NULL.Corrupted" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Spyware (Vorsicht: Oft Fehlalarm!)
~~~~~~~~~~~
eScan-Antiviren- und Antispyware-Werkzeugsatz.
Antiviren- und Antispywaredatenbanken werden heruntergeladen...
Indexed Spyware Databases Successfully Created...
eScan-Antiviren- und Antispyware-Werkzeugsatz.
Scannen Spyware: Deaktiviert
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
~~~~~~~~~~~
Registry
~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diverses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
laufende Prozesse - commandline
~~~~~~~~~~~~~~~~~~~~~~
System Idle Process -
System -
smss.exe - \SystemRoot\System32\smss.exe
csrss.exe -
winlogon.exe - winlogon.exe
services.exe - C:\WINDOWS\system32\services.exe
lsass.exe - C:\WINDOWS\system32\lsass.exe
svchost.exe - C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe -
svchost.exe - C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe -
svchost.exe -
explorer.exe - C:\WINDOWS\Explorer.EXE
firefox.exe - "C:\Programme\Mozilla Firefox\firefox.exe"
cmd.exe - cmd /c ""D:\Downloads\find.bat" "
cscript.exe - cscript C:\escan\prclst.vbs //nologo
wmiprvse.exe -
~~~~~~~~~~~~~~~~~~~~~~
Scanfehler
~~~~~~~~~~~~~~~~~~~~~~
ERROR!!! Invalid Entry = C:\Programme\ICQLite\ICQLite.exe (in key HKLM\Software\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}). No Action Taken.
ERROR!!! Invalid Entry StubPath = C:\WINDOWS\system32\spynet\server.exe (in key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}). No Action Taken.
ERROR!!! Invalid Entry Policies = C:\WINDOWS\system32\spynet\server.exe (in key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run). No Action Taken.
ERROR!!! Invalid Entry HKLM = C:\WINDOWS\system32\spynet\server.exe (in key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.
ERROR!!! Invalid Entry %SystemRoot%\System32\appmgmts.dll in HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters. Action Taken: No Action Taken.
ERROR!!! Invalid Entry \??\C:\PROGRA~1\GEMEIN~1\SYMANT~1\SymcData\IDS-DI~1\20040813.178\symidsco.sys in HKLM\SYSTEM\CurrentControlSet\Services\SYMIDSCO. Action Taken: No Action Taken.
ERROR!!! Invalid Entry \??\C:\WINDOWS\system32\vsdatant.sys in HKLM\SYSTEM\CurrentControlSet\Services\vsdatant. Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~
Hosts-Datei
~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
Zeilen die nicht dem Standard entsprechen:
C:\WINDOWS\System32\drivers\etc\hosts:
C:\WINDOWS\System32\drivers\etc\hosts:127.0.0.1 localhost
C:\WINDOWS\System32\drivers\etc\hosts:127.0.0.1 localhost
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Downloaded Installations\{2D16E00D-5039-4137-8AA2-0C11C8C5CCD4}\Nokia PC Suite.msi!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13DE.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Packages\CCD\Setup\Nokia_Connectivity_Cable_Driver.msi!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Thunderbird\Profiles\fa883lmc.default\Mail\Local Folders\Inbox!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Thunderbird\Profiles\fa883lmc.default\Mail\Local Folders\Junk!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\Markus\Desktop\projekt\Waldraff-1260291095.zip!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Adobe\Updater6\Install\reader9rdr-de_DE\AdbeRdr930_de_DE.msi!!!
Zeit überschritten beim Scannen von !!!
Zeit überschritten beim Scannen von C:\Programme\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1031-7B44-A91000000001}\Data1.cab!!!
Zeit überschritten beim Scannen von C:\Programme\Java\jre6\lib\rt.jar!!!
Zeit überschritten beim Scannen von C:\WINDOWS\Driver Cache\i386\driver.cab!!!
Zeit überschritten beim Scannen von D:\Downloads\mwav.exe!!!
Zeit überschritten beim Scannen von D:\MSOCache\All Users\{90120000-0015-0407-0000-0000000FF1CE}-D\AccLR.cab!!!
Zeit überschritten beim Scannen von D:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-D\EnterWW.cab!!!
Zeit überschritten beim Scannen von D:\MSOCache\All Users\{90120000-006E-0407-0000-0000000FF1CE}-D\OfficeLR.cab!!!
Zahl der gescannten Objekte: 429448
Zahl der kritischen Objekte: 4
Zahl der desinfizierten Objekte: 0
Zahl der umbenannten Objekte: 0
Zahl der gelöschten Objekte: 0
Zeit verstrichen: 02:32:40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan-Optionen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Speicherüberprüfung: Aktiviert
Überprüfung der Registrierungsdatenbank: Aktiviert
Überprüfung des Startordners: Aktiviert
Überprüfung des Systemordners: Aktiviert
Überprüfung der Dienste: Aktiviert
Überprüfung der Laufwerke: Deaktiviert
Überprüfung aller Laufwerke:Aktiviert
Überprüfung der Ordner: Deaktiviert

Batchstart: 15:46:34,79
Batchende: 15:47:09,78

xyz12345 · 22.03.2010, 16:27

hier die ausgabe vom silentrunner:

"Silent Runners.vbs", revision 60, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows XP SP3
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"Policies" = "C:\WINDOWS\system32\spynet\server.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = ""C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"SoundMAXPnP" = "C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = "C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"MagicKeyboard" = "C:\Programme\SAMSUNG\MagicKBD\PreMKBD.exe" [empty string]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup" ["Nokia"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre6\bin\jusched.exe" ["Sun Microsystems, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"GrooveMonitor" = ""D:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"HKLM" = "C:\WINDOWS\system32\spynet\server.exe"
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Browseranpassungen"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\system32\spynet\server.exe" [file not found]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Programme\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Adressbuch 6"
\StubPath = ""C:\Programme\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop-Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe" [MS]
{89B4C1CD-B018-4511-B0A1-5476DBF70820}\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

Groove Explorer Icon Overlay 1 (GFS Unread Stub)\(Default) = "{99FD978C-D287-4F50-827F-B2C658EDA8E7}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

Groove Explorer Icon Overlay 2 (GFS Stub)\(Default) = "{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)\(Default) = "{920E6DB1-9907-4370-B3A0-BAFC03D81399}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

Groove Explorer Icon Overlay 3 (GFS Folder)\(Default) = "{16F3DD56-1AF5-4347-846D-7C10C4192619}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

Groove Explorer Icon Overlay 4 (GFS Unread Mark)\(Default) = "{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{B94E2601-D7A1-11d4-A1EE-444553540000}" = "PNAgent IconH"
-> {HKLM...CLSID} = "DesktopPortal Icon Handler"
\InProcServer32\(Default) = "C:\Programme\Citrix\ICA Client\dpihand.dll" ["Citrix Systems, Inc."]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> grooveLocalGWS\CLSID = "{88FED34C-F0CA-4636-A375-3CB6248B04CD}"
-> {HKLM...CLSID} = "Local Groove Web Services Protocol"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL" [MS]

<<!>> ms-help\CLSID = "{314111c7-a502-11d2-bbca-00c04f8ec294}"
-> {HKLM...CLSID} = "HxProtocol Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\

Nokia\(Default) = "{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

InventorMenu\(Default) = "{6FDE7A70-351B-11d6-988B-0010B57A8BB7}"
-> {HKLM...CLSID} = "Autodesk Inventor Part"
\InProcServer32\(Default) = "C:\Programme\Autodesk\Inventor 2008\Bin\DT.dll" [file not found]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(Kein)"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /Dialog

iscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Programme\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2PlayAudioCD\
"Provider" = "Nero Media Player"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayMusicFilesOnArrival_PlayAudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayMusicFilesOnArrival_PlayAudioCD\command\(Default) = "C:\Programme\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe /Play %L" ["Ahead software"]

NeroAutoPlay2PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayVideoFilesOnArrival_PlayDVD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayVideoFilesOnArrival_PlayDVD\command\(Default) = "C:\Programme\Ahead\Nero ShowTime\ShowTime.exe /Play %L" ["Nero Software AG"]

NeroAutoPlay2VideoCapture\
"Provider" = "NeroVision Express SE"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Ahead\NeroVision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay2ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "ShowPicturesOnArrival_ViewPhotos"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\ShowPicturesOnArrival_ViewPhotos\command\(Default) = "C:\Programme\Ahead\Nero PhotoSnap\PhotoSnapViewer.exe /Drive:%L" ["Ahead Software AG"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

SAMSUNGAVStationPremiumAudioCDOnArrival\
"Provider" = "Samsung AVStation premium"
"InvokeProgID" = "AVSP.main"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\AVSP.main\shell\Play\Command\(Default) = "C:\Programme\Samsung\AVStation premium\bin\AVStation premium.exe %L" [empty string]

SAMSUNGAVStationPremiumDVDMovieOnArrival\
"Provider" = "Samsung AVStation premium"
"InvokeProgID" = "AVSP.DVD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\AVSP.DVD\shell\Play\Command\(Default) = "C:\Programme\Samsung\AVStation premium\bin\AVStation premium.exe %L -DVD" [empty string]

SAMSUNGAVStationPremiumFileOnArrival\
"Provider" = "Samsung AVStation premium"
"InvokeProgID" = "AVSP.main"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\AVSP.main\shell\Play\Command\(Default) = "C:\Programme\Samsung\AVStation premium\bin\AVStation premium.exe %L" [empty string]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = ""C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = ""C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" ["the VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" [file not found]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6.5\ICQ.exe" ["ICQ, LLC."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ICQ\ICQNewTab\newTab.html" [null data]

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Anwendungsverwaltung, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
ASP.NET-Zustandsdienst, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
Automatische Konfiguration (verkabelt), Dot3svc, "C:\WINDOWS\System32\svchost.exe -k dot3svc" {"C:\WINDOWS\System32\dot3svc.dll" [MS]}
Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Extensible Authentication-Protokolldienst, EapHost, "C:\WINDOWS\System32\svchost.exe -k eapsvcs" {"C:\WINDOWS\System32\eapsvc.dll" [MS]}
InstallDriver Table Manager, IDriverT, ""C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Integritätsschlüssel- und Zertifikatverwaltungsdienst, hkmsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\kmsvc.dll" [MS]}
Java Quick Starter, JavaQuickStarterService, ""C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Microsoft Office Diagnostics Service, odserv, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE"" [MS]
Microsoft Office Groove Audit Service, Microsoft Office Groove Audit Service, ""D:\Programme\Microsoft Office\Office12\GrooveAuditService.exe"" [MS]
NAP-Agent (Network Access Protection), napagent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\qagentrt.dll" [MS]}
Office Source Engine, ose, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
ServiceLayer, ServiceLayer, ""C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe"" ["Nokia."]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Programme\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
SQL Server (AUTODESKVAULT), MSSQL$AUTODESKVAULT, ""C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sAUTODESKVAULT" [MS]
SQL Server VSS Writer, SQLWriter, ""C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Windows CardSpace, idsvc, ""C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}
Windows Media Player-Netzwerkfreigabedienst, WMPNetworkSvc, ""C:\Programme\Windows Media Player\WMPNetwk.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
PDFCreator\Driver = "pdfcmnnt.dll" ["internet-support foehr.com"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

---------- (launch time: 2010-03-22 16:22:57)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 37 seconds, including 4 seconds for message boxes)

xyz12345 · 23.03.2010, 09:21

kann mir denn keiner weiterhelfen??? ich hab nicht so viel ahnung von computern.....

hab jetzt spybot drüberlaufen lassen... der hat was im system 32 gefunden....hab das problem behoben

aber dieses dropper gen hat er nicht gefunden!

Was soll ich machen???????

Dropper Gen

Plagegeister aller Art und deren Bekämpfung: Dropper Gen

Dropper Gen

Dropper Gen

Dropper Gen

Ähnliche Themen: Dropper Gen

23.03.2010, 09:21	#3
xyz12345	Dropper Gen kann mir denn keiner weiterhelfen??? ich hab nicht so viel ahnung von computern..... hab jetzt spybot drüberlaufen lassen... der hat was im system 32 gefunden....hab das problem behoben aber dieses dropper gen hat er nicht gefunden! Was soll ich machen??????? __________________