TR/VB.aqt.58
 

hallo zusammen,

ich hab im januar meinen neuen laptop in betrieb genommen mit einem 90-tage abo von norton. habe den fehler gemacht und das genutzt. das abo ist abgelaufen und ich wollte heute wieder auf antivir umstellen. habe nun gelesen, dass man norton nicht so schnell loswird. daher habe ich erstmal nur alle dienste soweit möglich deaktiviert und den autostart unterbunden.

avira ist installiert und meldet jetzt auf den festplatten d und e einen befall mit TR/VB.aqt.58. die maleware ist in quarantäne.

anbei poste ich mein hijack-log. könnt ihr mal nachschauen, ob alles in ordnung ist oder euch etwas auffällt?

danke von newbie sunamo

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:50, on 18.05.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\mein name\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ycomp/defaults/sp/*http://de.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ycomp/defaults/su/*http://de.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Programme\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll (disabled by BHODemon)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Programme\FlashGet\getflash.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Alles mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://D:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Videos mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11265 bytes

Hi :)

Poste bitte den genauen Pfad des gemeldeten Befalls, also in welcher Datei der Schädling gefunden wurde, sonst können wir nicht viel zu dem Fund sagen.

Dein Hijackthislog is sauber, auch wenn man noch ein paar Einträge von Norton sieht. Norton lässt sich übrigens ganz einfach deinstallieren, wenn man weiß, dass es ein Removaltool gibt. Das einfach durchführen, danach sollte Norton deaktiviert sein.
Beachte aber, dass dadurch auch andere Nortonprogramme in Mitleidenschaft gezogen werden können. (Vom Log her sieht es allerdings nicht so aus als würdest du andere Nortonprogramme nutzen)

lg myrtille

hi,

danke für die schnelle antwort. der pfad zum schädling war:

E:\autorun.inf

und

D:\autorun.inf

andere norton-software habe ich nicht - jedenfalls nicht wissentlich.

von dem removal-tool hatte ich schon gehört, aber es gibt wohl danach auch probleme mit antivir. deshalb habe ich da noch nicht weiter gemacht.

Hi :)

Mach bitte mal alle Dateien sichtbar.
Suche eine der Dateien raus und wähle sie mit einem Rechtsklick (keinen ! Linksklick machen, das könnte die eventuelle Malware ausführen), wähle dann "öffnen mit" aus und dann den Editor aus.

Poste den Inhalt der Autorun.inf dann hier.

lg myrtille

also, beide dateien haben laut editor folgenden inhalt:

[autorun]
shellexecute=Recycled\ctfmon.exe
shell\Open(&0)\command=Recycled\ctfmon.exe
shell=Open(&0)

danke für die unterstützung

Hi,
da sind definitiv Malwarespuren zu sehen.

Gibt es den Ordner Recycled noch? Die Datei ctfmon.exe darin noch vorhanden?

Erstelle bitte ein Log mit ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

• Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

• Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
  Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

• Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

• Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

• Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

lg myrtille

nur so als vorabinfo:

beide autorun.inf-dateien waren schon in der antivir-quarantäne. ich habe sie noch einmal wiederhergestellt und mit dem editor geöffnet. jetzt sind sie wieder unter verschluss. antivir hat auch nicht wieder angeschlagen.

klar gibt es den ordner recycled noch. auf beiden festplatten bzw. partitionen. d. und e. sind "nur" partitionen. in den recycled-ordnern sind aber nur die dateien, die auch im normalen papierkorb von c enthalten sind. die sind ja irgendwie miteinander verknüpft.

was genau sind denn die maleware-spuren, die man hier erkennen kann. und was genau macht dieser trojaner eigentlich?

vor combofix fürchte ich mich ja. ich habe von diesem laptop aus noch nichts gesichert. die systemwiederherstellung funktioniert nicht. das betriebssystem und die ganze software sind in einer versteckten partition. ich habe keine ahnung, ob ich das je alleine wieder zum laufen bekomme, wenn bei combofix was schief läuft. scheiß oem-versionen.

Hi,
die schädliche ctfmon sollte eigentlich auch von den Antivirenprogrammen erkannt werden.
Wurde denn von deinem alten Antivirenprogramm mal eine Datei in Quarantäne gesteckt?


Combofix ist an sich nicht wirklich gefährlicher als andere Tools auch. Es macht nur etwas "offensichtlicher" auf die Gefahren aufmerksam.
Wenn du das Tool nicht nutzen willst, ist das kein Problem. Warum geht denn dine Systemwiederherstellung nicht?

Erstelle dann noch folgende Logs (die Tools tun nichts ;) ):
Silentrunners und DSS(ausführen, abwarten und die beiden Dateien "main.txt" und "extra.txt" hier posten.)
Im Hijackthislog scheint die Infektion nicht aktiv zu sein.

lg myrtille

ich kann mich erinnern, dass norton mal was gefunden hat und das ist in quarantäne. hieß aber etwas anders. leider kann ich auf die quarantäne nicht mehr zugreifen, weil der norton account ja nun gesperrt ist. das ist ein SCHEISS-Programm!

bei meinem usb-stick hat auch mal ein scanner auf einem befreundeten pc angeschlagen. der stick ist aber wieder sauber.

ich habe übrigens 2mal eine ctfmon.exe und 2mal eine ctfmon.exe.mui auf dem rechner unter c. virustotal meldet bei den dateien aber keinen befall.

warum die systemwiederherstellung nicht funktioniert, weiß ich nicht. immer wenn ich einen systemwiederherstellungspunkt aufrufen mußte, kam nach abschluß der hinweis auf einen "unbekannten" fehler. ich habe das schon in diversen foren gepostet, aber ohne erfolg. im zweifelsfall bekommt man immer den rat: "schmeiß vista runter, hol dir xp" oder "format c:". dafür brauche ich kein forum. da ich mir eh eine externe festplatte zur sicherung kaufen will, habe ich mich um diese dinge noch nicht gekümmert. aber so wies aussieht, muß ich das ja nun, denn dieser vb.aqt.58 ist ja wohl ein feind aller externen laufwerke ;-)

DANKE für dein verständnis ob meiner berührungsängste bei combofix :-) ich mache mich jetzt an die beiden anderen logs.

ps: antivir hatte auch gemeldet, dass es die beiden dateien

C:\hiberfil.sys und C:\pagefile.sys nicht öffnen konnte. ist mir gerade erst aufgegangen. die sind beide weit über 1 GB groß. hat das was damit zu tun?

Nein :)

Das eine ist die Datei in der Windows alles speichert, wenn du es in den Ruhezustand fährst und das andere ist die Auslagerungsdatei von Windows.

Da darf niemand drauf zugreifen, es ist vollkommen normal, dass dein Antivirenprogramm die Dateien nicht analysieren kann. ;)

lg myritlle

EDIT: Wenn du alles gesichert hast und eh neuaufsetzen willst, kannst du ja mal Combofix durchlaufen lassen. Mal sehen, ob er deine Systemwiederherstellung wieder zum laufen kriegt. :blabla:
Aber wenn du schon in verschiedenen Foren gepostet hast, werd ich da wohl auch nimmer viel beitragen können, falls ihr rausfindet woran es lag wär ich auch interessiert. :D


DSS erstellt meines Erachtens auch einen Systemwiederherstellungspunkt, wenn das Programm also an der Stelle stockt, dann sag Bescheid. Dann schau ich nach was anderem.

wenn du dich meiner systemwiederherstellung annehmen möchtest, ich bin für jeden tipp dankbar. in den anderen foren gabs nämlich wirklich nur "format c" und "hol dir xp" als rat. einer meinte auch, die systemwiederherstellung sei eh für'n a... damit würde man die kunden in sicherheit wiegen. im bedarfsfall regiert dann murphys law und das ding tut es nicht - wie bei mir.

ich will das system eigentlich nicht neu aufsetzen müssen. ich will nur vorbereitet sein auf den ernstfall, wenn ich es muß.

so, hier nun die logs. silentrunner lief nicht bei mir auf dem rechner. da gabs einen link zu dem skribt online. habs da gemacht. mit dss gabs keine probleme, nur zwei dateien.

insgesamt sind die dateien aber für dieses forumlar hier zu groß. soll ich die hochladen oder verteilen?

falls hier wieder norton auftaucht. das ist ok. das mußte ich noch mal aktivieren. ich hatte probleme, word und excel zu öffnen, was wohl an einem norton-plugin liegt, das von denen automatisch gestartet wird.

ansonsten bin ich von der netten hilfe und der ruhigen art begeistert. :):):aplaus:

Deckard's System Scanner v20071014.68
Run by benutzername on 2008-05-19 14:04:18
Computer is in Normal Mode.

-- Last 4 Restore Point(s) --
4: 2008-05-18 13:19:32 UTC - RP269 - Avira AntiVir Personal - 18.05.2008 06:19
3: 2008-05-18 09:22:10 UTC - RP267 - Windows-Sicherung
2: 2008-05-18 09:19:20 UTC - RP266 - Windows-Sicherung
1: 2008-05-17 14:23:47 UTC - RP265 - Windows Update

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.83 GiB (less than 15%) free.

-- HijackThis (run as benutzername.exe)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:06:43, on 19.05.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Users\benutzername\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Users\benutzername\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\benutzername.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! Deutschland
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! Deutschland
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! Deutschland
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! Deutschland
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Programme\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll (disabled by BHODemon)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Programme\FlashGet\getflash.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Alles mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://D:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Videos mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12221 bytes

-- File Associations

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ssmdrv - c:\windows\system32\drivers\ssmdrv.sys <Not Verified; AVIRA GmbH; >

S3 MTOnlPktAlyX (MTOnlPktAlyX NDIS Protocol Driver) - \??\c:\progra~1\t-online\t-onli~1\basis-~1\basis1\mtonlpktalyx.sys
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
S3 tapvpn (TAP VPN Adapter) - c:\windows\system32\drivers\tapvpn.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ALaunchService (ALaunch Service) - c:\acer\alaunch\alaunchsvc.exe <Not Verified; ; ALaunchSvc Service Image>
R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Planer) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 eLockService (eLock Service) - c:\acer\empowering technology\elock\service\elockserv.exe <Not Verified; Acer Inc.; Acer eLock Management>
R2 eNet Service - c:\acer\empowering technology\enet\enet service.exe <Not Verified; Acer Inc.; Acer eNet Management>
R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
R2 eSettingsService (eSettings Service) - c:\acer\empowering technology\esettings\service\capuserv.exe <Not Verified; ; Service>
R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 WMIService (ePower Service) - c:\acer\empowering technology\epower\epowersvc.exe <Not Verified; acer; Acer ePower Management>

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -

2008-04-13 12:55:29 528 --a------ C:\Windows\Tasks\Norton Internet Security - Vollständige Systemprüfung ausführen - benutzername.job


-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-18 12:05:15 0 d-------- C:\Program Files\Trend Micro
2008-05-18 06:19:59 0 d-------- C:\Users\All Users\Avira
2008-05-18 06:19:59 0 d-------- C:\Program Files\Avira
2008-04-21 14:45:11 0 d-------- C:\Users\All Users\FreeDownloadManager.ORG


-- Find3M Report

2008-05-19 13:55:50 27525 --a------ C:\Users\benutzername\AppData\Roaming\nvModes.001
2008-05-19 11:03:18 641344 --a------ C:\Windows\system32\perfh007.dat
2008-05-19 11:03:18 116706 --a------ C:\Windows\system32\perfc007.dat
2008-05-18 02:11:32 0 d-------- C:\Program Files\Acer GameZone
2008-05-17 12:53:20 0 d-------- C:\Users\benutzername\AppData\Roaming\Power Sound Editor Free
2008-05-17 12:47:16 0 d-------- C:\Users\benutzername\AppData\Roaming\foobar2000
2008-05-13 11:42:00 0 d-------- C:\Users\benutzername\AppData\Roaming\Free Download Manager
2008-05-12 14:10:04 0 d-------- C:\Program Files\a-squared Free
2008-05-08 11:45:55 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-04-17 14:52:32 0 d-------- C:\Users\benutzername\AppData\Roaming\DivX
2008-04-14 12:35:40 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-14 12:35:39 0 d-------- C:\Program Files\Common Files
2008-04-12 19:09:06 0 d-------- C:\Program Files\Apple Software Update
2008-04-12 13:24:14 0 d-------- C:\Users\benutzername\AppData\Roaming\Real
2008-04-12 13:20:56 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-12 13:20:53 0 d-------- C:\Program Files\Common Files\Real
2008-04-06 10:49:54 0 d-------- C:\Program Files\Common Files\Sandlot Shared
2008-04-04 14:54:09 0 d-------- C:\Program Files\CCleaner
2008-04-04 14:37:27 0 d-------- C:\Program Files\Ss-Tools
2008-04-01 16:55:18 0 d-------- C:\Users\benutzername\AppData\Roaming\vlc
2008-04-01 15:48:55 0 d-------- C:\Program Files\CamStudio
2008-03-31 14:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 14:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 14:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-22 08:03:22 0 d-------- C:\Program Files\Power Sound Editor Free
2008-03-21 13:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 13:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 13:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 13:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-20 15:58:17 0 d-------- C:\Users\benutzername\AppData\Roaming\Move Networks
2008-03-20 15:44:42 0 d-------- C:\Users\benutzername\AppData\Roaming\Vidalia
2008-03-20 15:44:42 0 d-------- C:\Users\benutzername\AppData\Roaming\tor
2008-03-20 14:14:33 0 d-------- C:\Program Files\Vidalia Bundle
2008-03-19 16:09:59 0 d-------- C:\Program Files\VRtainment
2008-03-17 13:25:07 46 --a------ C:\Windows\system32\DonationCoder_rokusnooper_InstallInfo.dat
2008-03-10 15:56:35 0 -rahs---- C:\MSDOS.SYS
2008-03-10 15:56:35 0 -rahs---- C:\IO.SYS
2008-03-08 11:39:32 138 --a------ C:\Users\benutzername\AppData\Roaming\wklnhst.dat
2008-02-29 13:43:39 0 --a------ C:\Windows\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [14.08.2007 06:54]
"RtHDVCpl"="RtHDVCpl.exe" [05.07.2007 20:06 C:\Windows\RtHDVCpl.exe]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [25.04.2007 07:33]
"Acer Tour"="" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [25.07.2007 08:39]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [25.07.2007 08:39]
"PLFSetL"="C:\Windows\PLFSetL.exe" [05.07.2007 03:35]
"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [24.05.2007 04:38]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21.03.2007 04:00]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06.06.2007 01:06]
"eRecoveryService"="" []
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [22.05.2007 06:49]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05.11.2006 13:48]
"SetPanel"="C:\Acer\APanel\APanel.cmd" []
"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [11.06.2007 06:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [21.02.2008 20:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 14:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12.04.2008 13:20]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12.02.2008 10:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [20.11.2006 21:39]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [20.11.2006 21:36]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29.01.2008 18:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02.11.2006 05:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 03:43]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Programme\Microsoft Office XP\Office10\OSA.EXE [13.02.2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe
"QuickTime Task"="D:\Programme\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9d7b93b-8357-11dc-9afd-806e6f6e6963}]
AutoRun\command- F:\setup.exe /AUTORUN
configure\command- F:\setup.exe
install\command- F:\setup.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 Command - Keeping Software Free
127.0.0.1 032439.com

8404 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-19 14:07:46 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: German

CPU 0: Intel(R) Core(TM)2 Duo CPU T5250 @ 1.50GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 2045.39 MiB / 1107.55 MiB
Pagefile Memory (total/avail): 4324.02 MiB / 3115.41 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.26 MiB

C: is Fixed (NTFS) - 69.77 GiB total, 0.83 GiB free.
D: is Fixed (NTFS) - 149.05 GiB total, 69.29 GiB free.
E: is Fixed (NTFS) - 69.52 GiB total, 17.76 GiB free.
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Hitachi HTS542516K9SA00 - 149.05 GiB - 3 partitions
\PARTITION0 - Unknown - 9.76 GiB
\PARTITION1 (bootable) - MS-DOS V4 Huge - 69.77 GiB - C:
\PARTITION2 - Installierbares Dateisystem - 69.52 GiB - E:

\\.\PHYSICALDRIVE1 - Hitachi HTS542516K9SA00 - 149.05 GiB - 1 partition
\PARTITION0 - Installierbares Dateisystem - 149.05 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FW: Norton Internet Security v2007 (Symantec Corporation) Disabled
AV: Avira AntiVir PersonalEdition v8.0.1.18 (Avira GmbH) Disabled
AV: Norton Internet Security v2007 (Symantec Corporation) Disabled
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: Windows-Defender v1.1.1505.0 (Microsoft Corporation)
AS: Norton Internet Security v2007 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\benutzername\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=benutzername-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\benutzername
LOCALAPPDATA=C:\Users\benutzername\AppData\Local
LOGONSERVER=\\benutzername-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\T-Online\T-Online_Software_6\Basis-Software\Basis2\;D:\Programme\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\benutzername\AppData\Local\Temp
TMP=C:\Users\benutzername\AppData\Local\Temp
USERDOMAIN=benutzername-PC
USERNAME=benutzername
USERPROFILE=C:\Users\benutzername
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

benutzername


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> D:\Programme\DivX\DivXConverterUninstall.exe /CONVERTER
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2638924D-DC58-4C40-BB1C-48C2B24B7B1B}\Setup.exe" -L0x7
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31403E22-2FDB-452F-AE9E-20854633226D}\Setup.EXE" -uninst
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52739387-B81C-4C55-9593-EB7A1044A657}\Setup.exe" -L0x7
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A450831D-25F6-4F42-9662-D000B25E0D82}\setup.exe" -uninstall
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\setup.exe" -uninstall
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
a-squared Free 3.1 --> "C:\Program Files\a-squared Free\unins000.exe"
Acer Arcade Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe" -uninstall
Acer Crystal Eye webcam --> C:\Program Files\InstallShield Installation Information\{AA047D7C-5E7C-4878-B75C-77589151B563}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer Crystal Eye Webcam Video Class Camera --> C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x0007 -removeonly -u
Acer eAudio Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57265292-228A-41FA-9AEC-4620CBCC2739}\Setup.exe" -uninstall
Acer eDataSecurity Management --> C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eLock Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x7 -removeonly
Acer Empowering Technology --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x7 -removeonly
Acer eNet Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x7 -removeonly
Acer ePower Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x7 -removeonly
Acer ePresentation Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x7 -removeonly
Acer eSettings Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -l0x7 -removeonly
Acer GridVista --> C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x7 -removeonly
Acer ScreenSaver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x7 -removeonly
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Big Kahuna Reef 2 --> "C:\Program Files\Acer GameZone\Big Kahuna Reef 2\Uninstall.exe" "C:\Program Files\Acer GameZone\Big Kahuna Reef 2\install.log"
Cake Mania --> "C:\Program Files\Acer GameZone\Cake Mania\Uninstall.exe" "C:\Program Files\Acer GameZone\Cake Mania\install.log"
CamStudio --> C:\Program Files\CamStudio\uninstall.exe
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DivX Codec --> D:\Programme\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> D:\Programme\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> D:\Programme\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> D:\Programme\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dynasty --> "C:\Program Files\Acer GameZone\Dynasty\Uninstall.exe" "C:\Program Files\Acer GameZone\Dynasty\install.log"
FlashGet 1.9.6.1073 --> D:\Programme\FlashGet\uninst.exe
FLV Player 2.0, build 24 --> D:\Programme\FLV Player\uninst.exe
foobar2000 v0.9.5.1 --> "C:\Program Files\foobar2000\uninstall.exe"
Free Download Manager 2.5 --> "D:\Programme\Free Download Manager\unins000.exe"
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe -U -IAcrZUn32z.inf
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exe
JAP --> C:\Program Files\JAP\uninstall.exe
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Launch Manager --> C:\Windows\UnInst32.exe LManager.UNI
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Luxor 2 --> "C:\Program Files\Acer GameZone\Luxor 2\Uninstall.exe" "C:\Program Files\Acer GameZone\Luxor 2\install.log"
Microsoft Office Excel MUI (German) 2007 --> MsiExec.exe /X{90120000-0016-0407-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (German) 2007 --> MsiExec.exe /X{90120000-00A1-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (German) 2007 --> MsiExec.exe /X{90120000-0018-0407-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007 --> MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007 --> MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proofing (German) 2007 --> MsiExec.exe /X{90120000-002C-0407-0000-0000000FF1CE}
Microsoft Office Shared MUI (German) 2007 --> MsiExec.exe /X{90120000-006E-0407-0000-0000000FF1CE}
Microsoft Office Word MUI (German) 2007 --> MsiExec.exe /X{90120000-001B-0407-0000-0000000FF1CE}
Microsoft Office XP Professional mit FrontPage --> MsiExec.exe /I{90280407-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}
Move Networks Media Player for Internet Explorer --> C:\Users\benutzername\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Mystery Case Files - Prime Suspects --> "C:\Program Files\Acer GameZone\Mystery Case Files - Prime Suspects\Uninstall.exe" "C:\Program Files\Acer GameZone\Mystery Case Files - Prime Suspects\install.log"
Mystery Case Files Ravenhearst --> "C:\Program Files\Acer GameZone\Mystery Case Files Ravenhearst\Uninstall.exe" "C:\Program Files\Acer GameZone\Mystery Case Files Ravenhearst\install.log"
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_1_0_26\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
NTI Backup NOW! 4.7 --> "C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1031 CDM7
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Power Sound Editor Free v5.2.1 --> "C:\Program Files\Power Sound Editor Free\unins000.exe"
PowerProducer 3.72 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.EXE" -uninstall
Privoxy 3.0.6 --> "C:\Program Files\Vidalia Bundle\Uninstall.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x7 -removeonly
Registry System Wizard --> "C:\Program Files\Registry System Wizard\unins000.exe"
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x7 anything
RokuRadioSnooper v2.10.06 --> "C:\Program Files\Roku Radio Snooper\unins000.exe"
Sandlot Games Client Services --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Ss Uninstall Manager 2.1 --> "C:\Program Files\Ss-Tools\Uninstall Manager\unins000.exe"
Star Defender 3 --> "C:\Program Files\Acer GameZone\Star Defender 3\Uninstall.exe" "C:\Program Files\Acer GameZone\Star Defender 3\install.log"
T-Online 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B1275E23-717A-4D52-997A-1AD1E24BC7F3}\Setup.exe" CPAS
Tor 0.1.2.19 --> "C:\Program Files\Vidalia Bundle\Uninstall.exe"
Treasures of the Deep --> "C:\Program Files\Acer GameZone\Treasures of the Deep\Uninstall.exe" "C:\Program Files\Acer GameZone\Treasures of the Deep\install.log"
Unlocker 1.8.6 --> C:\Program Files\Unlocker\uninst.exe
Update for Office 2007 (KB934528) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {2B939677-2FFD-48F6-9075-7BF48CB87C80}
Update for Office System 2007 Setup (KB929722) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {D8E9BEBD-655F-467D-8176-CA9959C140A3}
Vidalia 0.0.16 --> "C:\Program Files\Vidalia Bundle\Uninstall.exe"
VideoLAN VLC media player 0.8.6e --> D:\Programme\VideoLAN\VLC\uninstall.exe
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
Yahoo! Toolbar mit Pop-Up-Blocker --> C:\PROGRA~1\Yahoo!\common\unyt.exe
Your Freedom --> "C:\Program Files\Your Freedom\uninstall.exe"
Zuma Deluxe --> "C:\Program Files\Acer GameZone\Zuma Deluxe\Uninstall.exe" "C:\Program Files\Acer GameZone\Zuma Deluxe\install.log"


-- Application Event Log -------------------------------------------------------

Event Record #/Type12370 / Warning
Event Submitted/Written: 05/19/2008 01:10:21 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/VB.aqt.58D:\autorun.inf

Event Record #/Type12369 / Warning
Event Submitted/Written: 05/19/2008 01:08:58 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/VB.aqt.58D:\autorun.inf

Event Record #/Type12368 / Warning
Event Submitted/Written: 05/19/2008 01:08:51 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/VB.aqt.58D:\autorun.inf

Event Record #/Type12363 / Error
Event Submitted/Written: 05/19/2008 00:15:44 PM
Event ID/Source: 2001 / Microsoft Office 10
Event Description:
Rejected Safe Mode action : Microsoft Excel.

Event Record #/Type12348 / Error
Event Submitted/Written: 05/19/2008 00:06:23 PM
Event ID/Source: 2001 / Microsoft Office 10
Event Description:
Rejected Safe Mode action : Microsoft Word.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type31146 / Warning
Event Submitted/Written: 05/19/2008 02:03:29 PM
Event ID/Source: 4 / b57nd60x
Event Description:
Broadcom NetLink (TM) Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type31136 / Warning
Event Submitted/Written: 05/19/2008 01:56:06 PM
Event ID/Source: 4 / b57nd60x
Event Description:
Broadcom NetLink (TM) Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type31105 / Warning
Event Submitted/Written: 05/19/2008 11:02:02 AM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
Der Druckspooler konnte eine vorhandene Druckerverbindung nicht erneut öffnen, weil er die Konfigurationsinformationen aus dem Registrierungsschlüssel S-1-5-18\Printers\Connections nicht lesen konnte. Der Druckspooler konnte den Registerierungsschlüssel nicht öffnen. Es könnte sein, dass der Registrierungsschlüssel beschädigt ist oder fehlt oder dass die Registrierung nicht mehr verfügbar ist.

Event Record #/Type31104 / Warning
Event Submitted/Written: 05/19/2008 11:02:02 AM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
Der Druckspooler konnte eine vorhandene Druckerverbindung nicht erneut öffnen, weil er die Konfigurationsinformationen aus dem Registrierungsschlüssel S-1-5-18\Printers\Connections nicht lesen konnte. Der Druckspooler konnte den Registerierungsschlüssel nicht öffnen. Es könnte sein, dass der Registrierungsschlüssel beschädigt ist oder fehlt oder dass die Registrierung nicht mehr verfügbar ist.

Event Record #/Type31090 / Error
Event Submitted/Written: 05/19/2008 10:58:11 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
PxHelp20



-- End of Deckard's System Scanner: finished at 2008-05-19 14:07:46 ------------

'Silent Runners.vbs -- find out what programs start up with Windows!
'
'DO NOT REMOVE THIS HEADER!
'
'Copyright Andrew ARONOFF 30 December 2004, Silent Runners - Adware? Disinfect, don't reformat!
'This script is provided without any warranty, either expressed or implied
'It may not be copied or distributed without permission
'
'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! **
'HEADER ENDS HERE


Option Explicit

Dim strRevNo : strRevNo = "RED (R28)"

'This script is divided into 14 sections.
'Each section outputs the contents of
'registry keys (I-IX), INI/INF-files (X-XI), folders (XII),
'enabled scheduled tasks (XIII) and started services (XIV)
'which may harbor malware.
'Output is suppressed if registry key or file contents are deemed
'to be normal.

' I. HKCU/HKLM... Run/RunOnce/RunOnce\Setup
' HKLM... RunOnceEx/RunServices/RunServicesOnce
' HKCU/HKLM... Policies\Explorer\Run
' II. HKLM... Active Setup\Installed Components\
' HKCU... Active Setup\Installed Components\
' (StubPath <> "" And HKLM version # > HKCU version #)
' III. HKLM... Explorer\Browser Helper Objects\
' IV. HKLM... Explorer\SharedTaskScheduler\ (InProcServer32 <> "browseui.dll")
' V. HKCU/HKLM... ShellServiceObjectDelayLoad\
' VI. HKCU... Command Processor\AutoRun ((default) <> "")
' HKCU... Windows\load & run ((default) <> "")
' HKCU... Command Processor\AutoRun ((default) <> "")
' HKLM... Windows\AppInit_DLLs ((default) <> "")
' HKLM... Winlogon\Shell/Userinit/System/Ginadll ((default) <> explorer.exe, userinit.exe, "", "")
' VII. HKLM... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)
'VIII. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff
' IX. HKCR executable file type (bat/com/exe/hta/pif)
' (shell\open\command data <> "%1" %*; hta <> mshta.exe "%1" %*)
' X. WIN.INI (load/run <> ""), SYSTEM.INI (shell <> explorer.exe), WINSTART.BAT
' XI. AUTORUN.INF in root of fixed drive (open/shellexecute <> "")
' XII. %WINDIR%... Startup & All Users... Startup (W98/WME) or
' %USERNAME%... Startup & All Users... Startup folder contents
'XIII. Scheduled Tasks
' XIV. Started Services

Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell")
Dim WshoArgs : Set WshoArgs = WScript.Arguments
Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject")
Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network")

Const HKLM = &H80000002 : Const HKCU = &H80000001

'determine whether output is via MsgBox/PopUp or Echo
Dim flagOut
If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then
flagOut = "W" 'WScript
ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then
flagOut = "C" 'CScript
Else
WScript.Echo "Neither WScript.exe nor CScript.exe was detected as " &_
"the script host." & vbCRLF & Chr(34) & "Silent Runners" & Chr(34) &_
" will exit!"
End If 'script host

Const SysFolder = 1 : Const WinFolder = 0
Dim strOS : strOS = "Unknown"
Dim strOSLong : strOSLong = "Unknown"
Dim intMB 'MsgBox return value
Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder
Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder
Public strWDN : strWDN = Fso.GetDriveName(strFPWF) 'Windows Drive Name
Public strExeBareName 'bare file name w/o windows or system folder prefixes
Public flagFW : flagFW = "SO" 'FileWrite flag: SO = Script Output, EO = Echo Output
Public oFN 'output file via script object
Dim strSysVer 'Winver.exe version number
Dim intErrNum 'error number
Dim strURL 'download URL
'greater-than chr representation
Public strGT : strGT = " -> "

'Winver.exe is in \Windows under W98, but in \System32 for other O/S's
'trap GetFileVersion error for VBScript version < 5.1
On Error Resume Next
If Fso.FileExists (strFPSF & "\Winver.exe") Then
strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")
Else
strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")
End If
intErrNum = Err.Number
On Error Goto 0
Err.Clear

'if old VBScript version
If intErrNum <> 0 Then

'store dl URL
strURL = "http://tinyurl.com/7zh0"

'if using WScript
If flagOut = "W" Then

'explain the problem
intMB = MsgBox ("This script requires VBScript 5.1 or higher " &_
"to run." & vbCRLF & vbCRLF & "The latest version of VBScript can " &_
"be downloaded at: " & strURL & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
"the download site or " & Chr(34) & "Cancel" & Chr(34) &_
" to quit." & vbCRLF & vbCRLF & "(WMI is also required. If it's " &_
"missing, download instructions will appear later.)", _
vbOKCancel + vbExclamation,"Unsupported VBScript Version!")

'if dl wanted now, send browser to dl site
If intMB = 1 Then Wshso.Run strURL

'if using CScript
Else 'flagOut = "C"

'explain the problem
WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
"VBScript 5.1 or higher to run." & vbCRLF & vbCRLF &_
"It can be downloaded at: " & strURL

End If 'WScript or CScript?

'quit the script
WScript.Quit

End If 'error encountered?

'use WINVER.EXE file version to determine O/S
If Instr(Left(strSysVer,3),"4.1") > 0 Then
strOS = "W98" : strOSLong = "Windows 98"

ElseIf Instr(Left(strSysVer,5),"4.0.1") > 0 Then
strOS = "NT4" : strOSLong = "Windows NT 4.0"

ElseIf Instr(Left(strSysVer,8),"4.0.0.95") > 0 Then
strOS = "W98" : strOSLong = "Windows 95 (interpreted as Windows 98)"

ElseIf Instr(Left(strSysVer,3),"5.0") > 0 Then
strOS = "W2K" : strOSLong = "Windows 2000"

ElseIf Instr(Left(strSysVer,3),"5.1") > 0 Then
'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180
strOS = "WXP" : strOSLong = "Windows XP"

If Instr(strSysVer,".2180") > 0 Then strOSLong = "Windows XP SP2"

ElseIf Instr(Left(strSysVer,3),"4.9") > 0 Then
strOS = "WME" : strOSLong = "Windows Millennium"

ElseIf Instr(Left(strSysVer,3),"5.2") > 0 Then
strOS = "WS2K3" : strOSLong = "Windows Server 2003"

If flagOut = "W" Then

MsgBox "The " & Chr(34) & "Silent Runners" & Chr(34) & " script cannot " &_
"run under Windows Server 2003." & vbCRLF & vbCRLF & "This script will " &_
"exit.",48,"WS2K3 Detected!"

WScript.Quit

Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
"run under Windows Server 2003." & vbCRLF & vbCRLF & "This script will " &_
"exit."

WScript.Quit

End If

Else

If flagOut = "W" Then

intMB = MsgBox ("The " & Chr(34) & "Silent Runners" & Chr(34) & " script cannot " &_
"determine the operating system." & vbCRLF & vbCRLF & "Click " &_
Chr(34) & "OK" & Chr(34) & " to send an e-mail to the author, providing the following information:" &_
vbCRLF & vbCRLF & "WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF & "or click " & Chr(34) &_
"Cancel" & Chr(34) & " to quit.",49,"O/S Unknown!")

If intMB = 1 Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_
"<%73%72.%6F%73.%76%65%72.%65%72%72%6F%72@%61%61%72%6F%6E%6F%66%66.%63%6F%6D>?subject=Silent%20Runners%20" &_
"OS%20Version%20Error&body=WINVER.EXE%20file%20version%20=%20" & strSysVer

Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
"determine the operating system." & vbCRLF & vbCRLF & "This script will exit."

End If

WScript.Quit

End If

'array of Run keys, counter x 5, hive member, startup folder file, startup file shortcut
Dim arRunKeys, i, ii, j, k, l, oHiveElmt, oSUFi, oSUSC

'Run key names, keys x 2, value type, name member, key member x 2
Dim arNames(), arKeys(), arType, oName, oKey, oKey2
'values x 3, single character, startup folder name, startup folder
Dim strValue, strValue2, strValue3, strChr, arSUFN, oSUF

'output file msg x 2, warning string, title lines x 2, register key x 2, executable extension array
Dim strLine, strLine1, strLine2, strWarn, strTitleLine1, strTitleLine2, strKey, strKey2, arExeExt
'output file name string, short name, PIF path string, single binary character
Dim strFN, strFNS, strPIFTgt, bin1C

Public flagTLW : flagTLW = False 'flag Title Line Written
Public flagSTLW : flagSTLW = False 'flag Sub-Title Line Written
Dim flagInfect : flagInfect = False 'flag infected condition
Dim flagMatch 'flag matching keys

Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName)
If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\"
'initialize Path of Output File Folder to script path
Dim strPathOFFo : strPathOFFo = ScrPath

'constant dictionary
Dim arHives(1,1)
arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"
arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002

'create output file name with computer name & today's date
'Startup Programs (pc_name_here) yyyy-mm-dd.txt
'check if output directory was supplied as argument
If WshoArgs.length > 0 Then

'if argument directory exists
If Fso.FolderExists(WshoArgs(0)) Then

'get the path
Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(0))
strPathOFFo = oOFFo.Path
If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\"
Set oOFFo=Nothing

Else 'argument directory doesn't exist

If flagOut = "W" Then 'pop up a message window

Wshso.Popup "The specified directory:" & vbCRLF &_
Chr(34) & UCase(WshoArgs(0)) & Chr(34) & vbCRLF &_
"... can't be found." & vbCRLF & vbCRLF &_
"The output file will be put into the script directory:" &_
vbCRLF & Chr(34) & ScrPath & Chr(34),5, _
"Output Directory Not Found!", vbOKOnly + vbExclamation

Else 'flagOut = "C" 'write the message to the console

WScript.Echo "The specified directory: " &_
Chr(34) & UCase(WshoArgs(0)) & Chr(34) &_
" can't be found." & vbCRLF & vbCRLF &_
"The output file will be put into the script directory: " &_
Chr(34) & ScrPath & Chr(34) & vbCRLF

End If 'WScript host?

'since argument directory doesn't exist, use the script directory
strPathOFFo = ScrPath

End If 'argument directory exists?

End If 'directory argument was passed?

'assemble report file name: LFN for all O/S's except W98;
' SFN for W98 = root of system (boot) partition\SUPgms.txt
strFN = strPathOFFo & "Startup Programs [RED] (" & oNetwk.ComputerName & ") " & FmtDate & ".txt"
strFNS = strWDN & "\" & "SUPgms.txt"
Set oNetwk=Nothing

'try to create report file & write to it
On Error Resume Next
'delete report file if it exists to avoid bug with W2KFR SP0 that
'replaced chrs in file instead of replacing file with ">" redirection
If Fso.FileExists(strFN) Then Fso.DeleteFile(strFN)
Err.Clear
Set oFN = Fso.CreateTextFile(strFN,True)
oFN.WriteLine Chr(34) & "Silent Runners.vbs" & Chr(34) & ", revision " &_
strRevNo & ", launched at: " & FmtTime
intErrNum = Err.Number
On Error Goto 0
Err.Clear

'*****
intErrNum = 1

'if oFN can't be written to, echo must be used
If intErrNum > 0 Then

flagFW = "EO" 'switch to Echo output
strGT = " -^> " 'escape > for NT4/W2K/WXP
oFN = 0 'assign oFN non-object value

'prepare first line of report file
strLine = Chr(34) & "Silent Runners.vbs" & Chr(34) & ", revision " &_
strRevNo & " (Echo output), launched at: " & FmtTime & "> "

If strOS = "W98" Or strOs = "WME" Then
'echo into SFN (echo to LFN incurs 62-chr line length limit)
strLine = strLine & strFNS
'avoid > under W98 since it cannot be easily escaped
strGT = " -) "
Else
'for all other O/S's, echo into LFN
strLine = strLine & Chr(34) & strFN & Chr(34)
End If 'W98?

'create report file with Echo
Wshso.Run "%COMSPEC% /c echo " & strLine,0,TRUE

End If 'intErrNum > 0?

WriteOut "Operating System: " & strOSLong : SkipLine : SkipLine

'use WMI to connect to the registry
On Error Resume Next
Dim oReg : Set oReg = GetObject("winmgmts:root\default:StdRegProv")
intErrNum = Err.Number
On Error Goto 0
Err.Clear

If intErrNum <> 0 Then

strURL = "http://tinyurl.com/7wd7"
If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe"

WriteOut "This script requires WMI, which can be downloaded at: " & strURL
If IsObject(oFN) Then oFN.Close

If flagOut = "W" Then

intMB = MsgBox ("This script requires " & Chr(34) & "WMI" & Chr(34) &_
", Windows Management Instrumentation, to run." & vbCRLF &_
vbCRLF & "It can be downloaded at: " & strURL & vbCRLF & vbCRLF &_
"Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
"the download site or " & Chr(34) & "Cancel" & Chr(34) &_
" to quit.", vbOKCancel + vbExclamation,"WMI Not Installed!")

If intMB = 1 Then Wshso.Run strURL

Else 'flagOut = "C"

WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
Chr(34) & "WMI" & Chr(34) & ", Windows Management Instrumentation, " &_
"to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL

End If

WScript.Quit

End If 'WMI execution error




'I. Examine HKCU/HKLM... Run/RunOnce/RunOnceEx/RunServices/RunServicesOnce
' and HKCU/HKLM... Policies\Explorer\Run

'put keys in array (Key Index 0 - 6)
arRunKeys = Array ("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _
"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", _
"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _
"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx", _
"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", _
"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce")

'Key Execution Flag/Subkey Recursion Flag array
'
'first number in the ordered pair in the array immediately below pertains to execution of the key:
'0: not executed (ignore)
'1: may be executed so display with EXECUTION UNLIKELY warning
'2: executable
'
'second number in the ordered pair pertains to subkey recursion
'0: subkeys not used
'1: subkey recursion necessary

'Hive HKCU - 0 HKLM - 1
'
'Key 0 1 2 3 4 5 6 0 1 2 3 4 5 6
'Index
'
'O/S:
'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
'WME 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0
'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0
'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0
'WS2K3 ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???

'arRegFlag(i,j,k): put flags in array by O/S:
'hive = i (0 or 1), key_# = j (0-6), flags (key execution/subkey recursion) = k (0 or 1)
' k = 0 holds key execution value = 0/1/2
' 1 holds subkey recursion value = 0/1
Dim arRegFlag()
ReDim arRegFlag(1,6,1)

'initialize entire array to zero
For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1
arRegFlag(i,j,k) = 0
Next : Next : Next

'add data to array for O/S that's running

'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0
If strOS = "W98" Or strOS = "WME" Then
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
End If

'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0
If strOS = "NT4" Then
arRegFlag(0,0,0) = 1 'HKCU,Explorer\Run = warning
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(1,0,0) = 1 'HKLM,Explorer\Run = warning
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0
If strOs = "W2K" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0
If strOs = "WXP" Then
arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning
arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
End If

'write registry header lines to file
strLine = "Startup items buried in registry:"
WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine

'for each hive
For i = 0 To 1

'for each key
For j = 0 To 6

'if key is not ignored
If arRegFlag(i,j,0) > 0 Then

'intialize string with warning if necessary
strWarn = ""
If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: "

'find key's entries
EnumKeyData arHives(i,1), arHives(i,0), arRunKeys(j), strWarn

'recurse subkeys if necessary
If arRegFlag(i,j,1) = 1 Then

'put all subkeys into array
oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys

'if sub-keys exist
If IsArray(arKeys) Then

'in W98, if no sub-keys exist, IsArray(arKeys) = True & UBound(arKeys) = -1
'in W2K, False
If UBound(arKeys) >= 0 Then

'for each subkey
For Each oKey in arKeys

'find key's entries
EnumKeyData arHives(i,1), arHives(i,0), arRunKeys(j) & "\" & oKey, strWarn

Next

End If 'UBounds sub-keys array >= 0?

End If 'sub-keys array exists?

End If 'enum sub-keys?

End If 'arRegFlag(i,j,0) > 0

Next 'Run key

Next 'Hive

'recover array memory
ReDim arRunKeys(0)
ReDim arKeys(0)
ReDim arRegFlag(0,0,0)




'II. Examine HKLM... Active Setup\Installed Components

'flags True if only numeric & comma chrs in Version values
Dim flagHKLMVer, flagHKCUVer
'StubPath Value string, HKLM Version value, HKCU Version value
Dim strSPV, strHKLMVer, strHKCUVer
Dim arHKLMKeys, arHKCUKeys, oHKLMKey, oHKCUKey

strKey = "Software\Microsoft\Active Setup\Installed Components"

'find all the subkeys
oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM
oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU

'enumerate HKLM keys if present
If IsArray(arHKLMKeys) Then

'for each HKLM key
For Each oHKLMKey In arHKLMKeys

'get the StubPath value
oReg.GetStringValue HKLM,strKey & "\" & oHKLMKey,"StubPath",strSPV

'if the StubPath value exists
If Not IsNull(strSPV) And strSPV <> "" Then

flagMatch = False

'if HKCU keys present
If IsArray(arHKCUKeys) Then

'for each HKCU key
For Each oHKCUKey in arHKCUKeys

'if identical HKLM key exists
If oHKLMKey = oHKCUKey Then

'assume Version fmts are OK
flagHKLMVer = True : flagHKCUVer = True

'get HKLM & HKCU Version values
'if values are not set, returned strings will be random chrs (W2K) or empty string (W98)
oReg.GetStringValue HKLM,strKey & "\" & oHKLMKey,"Version",strHKLMVer 'HKLM Version #
oReg.GetStringValue HKCU,strKey & "\" & oHKCUKey,"Version",strHKCUVer 'HKCU Version #

'if HKLM Version name exists (value may not be set!)
If Not IsNull(strHKLMVer) Then

'the next two loops check for allowed chars (numeric & comma)
' in returned Version values

For i = 1 To Len(strHKLMVer)
strChr = Mid(strHKLMVer,i,1)
If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False
Next

End If 'HKLM Version not null

'if HKCU Version name exists (value may not be set!)
If Not IsNull(strHKCUVer) Then

'check that value consists only of numeric & comma chrs
For i = 1 To Len(strHKCUVer)
strChr = Mid(strHKCUVer,i,1)
If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False
Next

End If 'HKCU Version null or MT?

'if HKLM Ver # has illegal fmt (i.e., is not set) or doesn't exist (is Null)
' or is empty, match = True
'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver #, match = True
'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output
' but StubPath will not launch
If Not flagHKLMVer Or IsNull(strHKLMVer) Or strHKLMVer = "" Then flagMatch = True
If flagHKLMVer And flagHKCUVer And strHKCUVer >= strHKLMVer Then flagMatch = True

End If 'HKCU key=HKLM key?

Next 'HKCU Installed Components key

End If 'HKCU Installed Components subkeys exist?

'if the StubPath will launch
If Not flagMatch Then

'get the default value (program name)
oReg.GetStringValue HKLM,strKey & "\" & oHKLMKey,"",strHKCUVer

'output the title line if not already done
If Not flagTLW Then
WriteOut "HKLM" & "\" & strKey & "\"
flagTLW = True
End If

On Error Resume Next
'write the quote-delimited name and default value to a file
WriteOut Chr(34) & oHKLMKey & "\(Default)" & Chr(34) & " = " &_
Chr(34) & strHKCUVer & Chr(34)
If Err.Number <> 0 Then WriteOut Chr(34) & oHKLMKey & "\(Default)" & Chr(34) &_
" = (no title provided)"
Err.Clear
WriteOut Space(Len(oHKLMKey)+1) & "\StubPath = " &_
Chr(34) & strSPV & Chr(34) & CoName(IDExe(strSPV))
If Err.Number <> 0 Then WriteOut Space(Len(oHKLMKey)+1) & "\StubPath = " &_
"** WARNING -- empty or invalid data! **"
Err.Clear
On Error GoTo 0

End If 'flagMatch false?

End If 'StubPath value exists?

Next 'HKLM Installed Components subkey

End If 'HKLM Installed Components subkeys exist?

If flagTLW Then SkipLine
flagTLW = False

'recover array memory
ReDim arHKLMKeys(0)
ReDim arHKCUKeys(0)




'III. Examine HKLM... Explorer\Browser Helper Objects

strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

'find all the subkeys
oReg.EnumKey HKLM, strKey, arKeys

'enumerate data if present
If IsArray(arKeys) Then

'for each key
For Each oKey In arKeys

If Not flagTLW Then
WriteOut "HKLM" & "\" & strKey & "\"
flagTLW = True
End If

If Len(oKey) = 38 Then 'oKey is CLSID

'get the data
oReg.GetStringValue HKLM,strKey & "\" & oKey,"",strValue

'if the name doesn't exist
If IsNull(strValue) Or strValue = "" Then

'check the CLSID default value
strKey2 = "Software\Classes\CLSID\" & oKey
oReg.GetStringValue HKLM,strKey2,"",strValue

End If

'if the name doesn't exist
If IsNull(strValue) Or strValue = "" Then
'use a standard string
strValue = "(no title provided)"
Else 'the name exists so embed it in quotes
strValue = Chr(34) & strValue & Chr(34)
End If

'resolve the data via HKLM\Software\Classes\CLSID\{data}\InProcServer32
strKey2 = "Software\Classes\CLSID\" & oKey & "\InProcServer32"
oReg.GetExpandedStringValue HKLM,strKey2,"",strValue2

If IsNull(strValue2) Or strValue2 = "" Then strValue2 = "(no data)"

On Error Resume Next
'write the quote-delimited name and value to a file
WriteOut oKey & "\(Default) = " & strValue
If Err.Number <> 0 Then WriteOut oKey & "\(Default) = (no title provided)"
Err.Clear
WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_
Chr(34) & strValue2 & Chr(34) & CoName(IDExe(strValue2))
If Err.Number <> 0 Then
WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_
"** WARNING! empty or invalid data **"
End If
Err.Clear
On Error GoTo 0

End If 'oKey CSID?

Next 'BHO subkey

End If 'BHO subkeys exist?

If flagTLW Then SkipLine
flagTLW = False

'recover array memory
ReDim arKeys(0)




'IV. Examine HKLM... Explorer\SharedTaskScheduler

strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"

'find all the names in the key
oReg.EnumValues HKLM, strKey, arNames, arType

'enumerate data if present
If IsArray(arNames) Then

'for each name
For Each oName In arNames

If Len(oName) = 38 Then 'oName is CLSID

'get the data
oReg.GetStringValue HKLM,strKey,oName,strValue

'resolve the data via HKLM\Software\Classes\CLSID\{data}\InProcServer32
strKey2 = "Software\Classes\CLSID\" & oName & "\InProcServer32"
oReg.GetExpandedStringValue HKLM,strKey2,"",strValue2
strLine = LCase(Fso.GetSpecialFolder(SysFolder).Path)
'write unexpected quote-delimited name and value to the file
If InStr(LCase(strValue2),strLine & "\browseui.dll") = 0 Then

'output the title line if not already done
If Not flagTLW Then
WriteOut "HKLM" & "\" & strKey & "\"
flagTLW = True
End If

On Error Resume Next
WriteOut "INFECTION WARNING! " & Chr(34) & oName & Chr(34) &_
" = " & Chr(34) & strValue & Chr(34)
If Err.Number <> 0 Then WriteOut Chr(34) & oName & Chr(34) &_
" = ** WARNING -- empty or invalid data! **"
Err.Clear
WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_
strValue2 & CoName(IDExe(strValue2))
If Err.Number <> 0 Then WriteOut " " & strGT & "resolves to: " &_
"{CLSID}\InprocServer32\(Default) = ** WARNING -- empty or invalid data! **"
Err.Clear
On Error GoTo 0

End If 'unexpected data?

Else 'oName is _not_ CLSID

'output the title line if not already done
If Not flagTLW Then
WriteOut "HKLM" & "\" & strKey & "\"
flagTLW = True
End If

WriteOut Chr(34) & oName & Chr(34) & " = ** INVALID DATA (not CLSID) **"

End If 'oName CLSID?

Next 'arNames array member

End If 'arNames array exists

If flagTLW Then SkipLine
flagTLW = False

'recover array memory
ReDim arNames(0)




'V. Examine HKCU/HKLM... ShellServiceObjectDelayLoad

strKey = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

'Dim arHives(1,1)
'arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"
'arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002

For i = 0 To 1 'for each hive

'find all the names in the key
oReg.EnumValues arHives(i,1), strKey, arNames, arType

'enumerate data if present
If IsArray(arNames) Then

'write the full key name
WriteOut arHives(i,0) & "\" & strKey & "\"
flagTLW = True

'for each name
For Each oName In arNames

'get the data
oReg.GetStringValue arHives(i,1),strKey,oName,strValue

If Len(strValue) = 38 Then 'data is CLSID

'find the data for HKLM\Software\Classes\CLSID\{this data}\InProcServer32
strKey2 = "Software\Classes\CLSID\" & strValue & "\InProcServer32"

oReg.GetStringValue HKLM,strKey2,"",strValue2

'write the quote-delimited name and value to the file

On Error Resume Next
WriteOut Chr(34) & oName & Chr(34) & " = " & Chr(34) & strValue & Chr(34)
If Err.Number <> 0 Then WriteOut Chr(34) & oName & Chr(34) &_
" = ** WARNING -- empty or invalid data! **"
Err.Clear
WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_
Chr(34) & strValue2 & Chr(34) & CoName(IDExe(strValue2))
If Err.Number <> 0 Then WriteOut " " & strGT & "resolves to: " &_
"{CLSID}\InprocServer32\(Default) = ** WARNING -- empty or invalid data! **"
Err.Clear
On Error GoTo 0

Else 'corrupt CLSID

'write the quote-delimited name and bad data warning to the file
WriteOut Chr(34) & oName & Chr(34) & " = ** INVALID DATA ** (not CLSID)"

End If

Next

End If 'arNames array exists

If flagTLW Then SkipLine
flagTLW = False

Next 'hive

strLine = ""

'recover array memory
ReDim arType(0)
ReDim arNames(0)




'VI. Find values of specific names:
' HKCU... Command Processor\AutoRun
' HKCU... Policies\System\Shell (XP only!)
' HKCU... Windows\load & run
' HKCU... Command Processor\AutoRun
' HKCU... Winlogon\Shell
' HKLM... Windows\AppInit_DLLs
' HKLM... Winlogon\Shell & Userinit & System & Ginadll

If strOS <> "W98" And strOS <> "WME" Then

'HKCU\Software\Microsoft\Command Processor\AutoRun
RegDataChk HKCU, "SOFTWARE\Microsoft\Command Processor", "AutoRun", strValue, ""
If flagTLW Then SkipLine
flagTLW = False

If strOS = "WXP" Then
'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell
'"Shell" = ""
RegDataChk HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "Shell", strValue, ""
If flagTLW Then SkipLine
flagTLW = False
End If

'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load & run
RegDataChk HKCU, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "load", strValue, ""
RegDataChk HKCU, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "run", strValue, ""
If flagTLW Then SkipLine
flagTLW = False

'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
'"Shell" = "Explorer.exe"
RegDataChk HKCU, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", strValue, "explorer.exe"
If flagTLW Then SkipLine
flagTLW = False

'HKLM\Software\Microsoft\Command Processor\AutoRun
RegDataChk HKLM, "SOFTWARE\Microsoft\Command Processor", "AutoRun", strValue, ""
If flagTLW Then SkipLine
flagTLW = False

'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", strValue, ""
If flagTLW Then SkipLine
flagTLW = False

'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL & Shell & Userinit & System
'"GinaDLL" = "MSGina.dll"; "Shell" = "Explorer.exe"; "Userinit" = "%SystemRoot%\system32\userinit.exe,"; "System" = ""
RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "GinaDLL", strValue, "msgina.dll"
RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", strValue, "explorer.exe"

'find value for "Userinit" name
strKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
oReg.GetStringValue HKLM,strKey,"Userinit",strValue

If strOS = "NT4" And LCase(strValue) <> "userinit,nddeagnt.exe" Then
flagInfect = True
ElseIf strOS <> "NT4" And (InStr(strValue,",") > 0 And Len(Trim(Mid(strValue,InStr(strValue,",")+1))) > 0 Or _
InStr(LCase(strValue),"userinit.exe") = 0) Then
flagInfect = True

End If 'userinit string test

If flagInfect Then

If Not flagTLW Then
WriteOut "HKLM" & "\" & strKey
flagTLW = True
End If
strLine = "INFECTION WARNING! "
'write name and value to file
WriteOut strLine & Chr(34) & "Userinit" & Chr(34) & " = " &_
Chr(34) & strValue & Chr(34) & LRParse(strValue)

End If 'flagInfect
flagInfect = False

If strOS = "NT4" Then
RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "System", strValue, "lsass.exe"
Else
RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "System", strValue, ""
End If
If flagTLW Then SkipLine
flagTLW = False

'HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
strKey = "System\CurrentControlSet\Control\Session Manager"
oReg.GetMultiStringValue HKLM,strKey,"BootExecute",arNames

strLine = ""

'alert if autocheck not in string
For i = 0 To UBound(arNames)

If InStr(LCase(arNames(i)),"autocheck") = 0 Then

If Not flagTLW Then
WriteOut "HKLM" & "\" & strKey & "\"
flagTLW = True
End If
strLine = strLine & arNames(i) & " "

End If 'value = autocheck?

Next 'arNames member

'write name and value to file
On Error Resume Next
If flagTLW Then
WriteOut "INFECTION WARNING! " & Chr(34) & "BootExecute" &_
Chr(34) & " = " & Chr(34) & RTrim(strLine) & Chr(34) & LRParse(strLine)
If Err.Number <> 0 Then WriteOut strLine & Chr(34) &_
"BootExecute" & Chr(34) & " = ** WARNING -- empty or invalid data! **"
Err.Clear
On Error GoTo 0
SkipLine
End If

End If 'not W98/WME

flagTLW = False
strLine = ""




'VII. Examine HKLM... Winlogon\Notify\ subkey DLLName values

Dim arSK : Set arSK = CreateObject("Scripting.Dictionary") 'key, item

If strOS = "W2K" Then

arSK.Add "crypt32chain", "crypt32.dll"
arSK.Add "cryptnet", "cryptnet.dll"
arSK.Add "cscdll", "cscdll.dll"
arSK.Add "sclgntfy", "sclgntfy.dll"
arSK.Add "senslogn", "wlnotify.dll"
arSK.Add "termsrv", "wlnotify.dll"
arSK.Add "wzcnotif", "wzcdlg.dll"

ElseIf strOS = "WXP" Or strOS = "WS2K3" Then

arSK.Add "crypt32chain", "crypt32.dll"
arSK.Add "cryptnet", "cryptnet.dll"
arSK.Add "cscdll", "cscdll.dll"
arSK.Add "sccertprop", "wlnotify.dll"
arSK.Add "schedule", "wlnotify.dll"
arSK.Add "sclgntfy", "sclgntfy.dll"
arSK.Add "senslogn", "wlnotify.dll"
arSK.Add "termsrv", "wlnotify.dll"
arSK.Add "wlballoon", "wlnotify.dll"

End If

Dim arSKk : arSKk = arSK.Keys
Dim arSKi : arSKi = arSK.Items

If strOS <> "W98" And strOS <> "WME" Then

strKey = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

'find all the subkeys
oReg.EnumKey HKLM, strKey, arKeys

'enumerate data if present
If IsArray(arKeys) Then

'for each key
For Each oKey In arKeys

'get the DLLName data
oReg.GetStringValue HKLM,strKey & "\" & oKey,"DLLName",strValue

flagInfect = True
For i = 0 To arSK.Count-1

'if key = dictionary key & value = dictionary item
If LCase(oKey) = arSKk(i) And LCase(strValue) = arSKi(i) Then
'toggle flag & exit -- no output necessary
flagInfect = False : Exit For
End If

Next 'dictionary key

If flagInfect Then 'if flag not found in O/S-specific dictionary

'output section title lines if not already done
If Not flagTLW Then
WriteOut "HKLM" & "\" & strKey & "\"
flagTLW = True
End If

'check for empty or null data
If IsNull(strValue) Or strValue = "" Then strValue = "(no data)"

'try writing, on error write "no data"
On Error Resume Next
'write the quote-delimited name and value to a file
WriteOut "INFECTION WARNING! " & Chr(34) & oKey & "\DLLName" &_
Chr(34) & " = " & Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue))
If Err.Number <> 0 Then WriteOut "INFECTION WARNING! " &_
Chr(34) & oKey & "\DLLName" & Chr(34) & " = (no data)"
Err.Clear
On Error GoTo 0

End If 'flag not found in dictionary?

Next 'Notify subkey

End If 'Notify subkeys exist?

If flagTLW Then SkipLine
flagTLW = False

End If 'not W98/WME

'recover array memory
ReDim arKeys(0)

'VIII. For W2K & WXP, check for startup/shutdown & logon/logoff scripts

Dim strCmd : strCmd = "" 'script command line string

Select Case strOS

Case "W2K"

'collection flag
Dim flagColl : flagColl = False

'for every hive
For i = 0 To 1

'check for HKCU, then HKLM key
strKey = "Software\Policies\Microsoft\Windows\System\Scripts"
If oReg.EnumValues(arHives(i,1), strKey, arNames, arType) = 0 Then

'if name/value pairs exist in the Scripts key
If TypeName(arNames) <> "Null" Then

'for each name
For Each oName In arNames

'get the value
oReg.GetStringValue arHives(i,1),strKey,oName,strValue

'if value points to SCRIPTS.INI, parse the file
If Fso.FileExists(strValue & "\scripts.ini") Then

ScrIP strValue, oName
'if SCRIPTS.INI doesn't appear to exist, output a warning

ElseIf strValue <> "" Then

WriteOut arHives(i,0) & "\" & strKey
WriteOut " ** WARNING! Either " & Chr(34) & strValue & "\scripts.ini" &_
Chr(34) & " doesn't exist"
WriteOut Space(13) & "or there is insufficient permission to read it! **"
flagTLW = True

End If

Next 'Scripts key name

End If 'Scripts key name/value pairs exist?

End If 'Scripts key exists?

If flagTLW Then SkipLine
flagTLW = False

Next 'hive type

Case "WXP"

'Base Key string
Dim strBK : strBK = "Software\Policies\Microsoft\Windows\System\Scripts\"

Dim arXPS() 'WXP Script array
ReDim arXPS(1,1) '2 x 2 array
arXPS(0,0) = "Logoff" : arXPS(0,1) = "Logon"
arXPS(1,0) = "Shutdown" : arXPS(1,1) = "Startup"

Dim arNKSE 'Numbered (master) Keys containing Script Executable values
Dim strSPXP : strSPXP = "" 'Script Path XP string
'values: DisplayName, FileSysPath, Script, Parameter
Dim strDispName, strFSP, strScript, strParam

'for every hive
For i = 0 To 1

'for every script type
For j = 0 To 1

'look for script type subkeys
oReg.EnumKey arHives(i,1),strBK & arXPS(i,j),arKeys

'enumerate data if present
If IsArray(arKeys) Then

'for each numbered key header (containing numbered script keys)
For Each oKey in arKeys

'find DisplayName & FileSysPath
oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey,"DisplayName",strDispName
oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey,"FileSysPath",strFSP

'if FileSysPath value exists
If strFSP <> "" Then

'look for numbered script subkeys
oReg.EnumKey arHives(i,1),strBK & arXPS(i,j) & "\" & oKey,arNKSE

'enumerate data if present
If IsArray(arNKSE) Then

'for each numbered script key
For Each oKey2 in arNKSE

'find Parameter & Script values
oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey & "\" & oKey2,"Parameters",strParam
oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey & "\" & oKey2,"Script",strScript

'if executable string exists
If strScript <> "" Then

'form script executable string
'if script string has no backslash, use FileSysPath for directory
'and append \Scripts\[script type]\
If InStr(strScript,"\") = 0 Then
strSPXP = strFSP & "\Scripts\" & arXPS(i,j) & "\"
strCmd = strSPXP & strScript
End If
'if parameter string is not empty, append it
If Trim(strParam) <> "" Then strScript = strScript & " " & strParam

'write title lines if necessary for this master key
If Not flagTLW Then
WriteOut arHives(i,0) & "\" & strBK & arXPS(i,j) & "\" & oKey
WriteOut "DisplayName = " & Chr(34) & strDispName & Chr(34)
flagTLW = True
End If
'write script executable
WriteOut "\" & oKey2 & strGT & "launches: " & Chr(34) &_
strSPXP & strScript & Chr(34) & CoName(strCmd)
strSPXP = "" 'reset script path

End If 'executable string not empty?

Next 'numbered script executable key

If flagTLW Then SkipLine
flagTLW = False

End If 'script executable key array exists?

End If 'FileSysPath exists?

Next 'master key

If flagTLW Then SkipLine
flagTLW = False

End If 'master key array exists?

If flagTLW Then SkipLine
flagTLW = False

Next 'script type

If flagTLW Then SkipLine
flagTLW = False

Next 'hive type

If flagTLW Then SkipLine
flagTLW = False

'recover array memory
ReDim arXPS(0,0)

End Select 'W2K or WXP?




'IX. Check default executables (except "hta") for default string: "%1\" %*
' Check "hta" for mshta.exe "%1" %*

'set up executables array
arExeExt = Array("bat","com","exe","hta","pif")

'for each executable type
For i = 0 To 4

'form the registry key string
strKey = "SOFTWARE\Classes\" & arExeExt(i) & "file\shell\open\command"

'find the value
oReg.GetStringValue HKLM,strKey,"",strValue

'alert if "hta" value not system_folder_path\mshta.exe "%1" %*
'or if any other executable's value is not "%1" %*
If arExeExt(i) = "hta" Then

'check found "hta" value against expected value
If Trim(LCase(strValue)) <> LCase(Fso.GetSpecialFolder(1)) &_
"\mshta.exe ""%1"" %*" Then

'output section titles if not done already
If Not flagTLW Then DefExeTitles

'write name and value to file
strLine = "INFECTION WARNING! "
WriteOut "HKLM" & "\" & strKey & "\"

On Error Resume Next
WriteOut strLine & Chr(34) & "Default" & Chr(34) & " = " &_
Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue))
If Err.Number <> 0 Then WriteOut strLine & Chr(34) &_
"Default" & Chr(34) & " = ** WARNING -- empty or invalid data! **"
Err.Clear
On Error GoTo 0
flagTLW = True

End If 'hta value = expected value?

'executable other than "hta"
Else

'check against expected value
If Trim(LCase(strValue)) <> """%1"" %*" Then

'output section titles if not done already
If Not flagTLW Then DefExeTitles

'write name and value to file
strLine = "INFECTION WARNING! "
WriteOut "HKLM" & "\" & strKey & "\"

On Error Resume Next
WriteOut strLine & Chr(34) & "Default" & Chr(34) & " = " &_
Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue))
If Err.Number <> 0 Then WriteOut strLine & Chr(34) &_
"Default" & Chr(34) & " = ** WARNING -- empty or invalid data! **"
Err.Clear
On Error GoTo 0
flagTLW = True

End If 'value = expected value?

End If 'hta or not

Next 'next executable in array

If flagTLW Then SkipLine
flagTLW = False

'recover array memory
ReDim arExeExt(0)




'X. For W98/WME, check inside WIN.INI (load=, run=), SYSTEM.INI (shell=) &
' list contents of non-empty WINSTART.BAT

If strOS = "W98" Or strOS = "WME" Then

Dim oSCF 'System Configuration File
'true if in INI-file section containing targeted lines
Dim flagSection : flagSection = False
Dim intEqu 'pos'n of equals sign

'open WIN.INI
Set oSCF = Fso.OpenTextFile (strFPWF & "\WIN.INI",1)

'for each line of WIN.INI
Do While Not oSCF.AtEndOfStream

'read a line
strLine = oSCF.ReadLine

'if inside [windows] section
If flagSection Then

IniInfParse strLine, "load", "", "WIN.INI",""
IniInfParse strLine, "run", "", "WIN.INI",""

'if line is beginning of another section
If Left(LTrim(strLine),1) = "[" Then

'toggle flag to false and exit Do
flagSection = False
Exit Do

End If 'next section?

End If 'flagSection?

'if first 9 chars of line = [windows], then in the right section
'so toggle flagSection to True
If LCase(Left(LTrim(strLine),9)) = "[windows]" Then flagSection = True

Loop 'next line of WIN.INI

oSCF.Close 'close WIN.INI
flagSection = False

'open SYSTEM.INI
Set oSCF = Fso.OpenTextFile (strFPWF & "\SYSTEM.INI",1)

'for each line of SYSTEM.INI
Do While Not oSCF.AtEndOfStream

strLine = oSCF.ReadLine

'if inside [boot] section
If flagSection Then

IniInfParse strLine, "shell", "explorer.exe", "SYSTEM.INI",""

If Left(LTrim(strLine),1) = "[" Then

'toggle flagSection and exit
flagSection = False
Exit Do

End If 'shell line?

End If 'inside boot section?

'if first 6 chars of line = [boot], then in the right section
'so toggle flagSection to True
If LCase(Left(LTrim(strLine),6)) = "[boot]" Then flagSection = True

Loop

oSCF.Close
If flagTLW Then SkipLine
flagTLW = False
flagSTLW = False

'open WINSTART.BAT if it exists
If Fso.FileExists(strFPWF & "\WINSTART.BAT") Then

Set oSCF = Fso.OpenTextFile (strFPWF & "\WINSTART.BAT",1)

'for each line of WINSTART.BAT
Do While Not oSCF.AtEndOfStream

strLine = oSCF.ReadLine
If strLine <> "" Then 'examine line if it's not a CR

If Len(strLine) >= 3 Then 'test against REM if long enough

'if not REM, then output
If LCase(Left(LTrim(strLine),3)) <> "rem" Then

If Not flagTLW Then
SkipLine
WriteOut "WINSTART.BAT contents:" : WriteOut String(22,"-") : SkipLine
flagTLW = True
End If
WriteOut strLine & CoName(IDExe(strLine))

End If

Else 'len 1-2

If Not flagTLW Then
SkipLine
WriteOut "WINSTART.BAT contents:" : WriteOut String(22,"-") : SkipLine
flagTLW = True
End If
WriteOut strLine

End If 'len < 3?

End If 'carriage return?

Loop 'WINSTART.BAT lines

If flagTLW Then SkipLine
oSCF.Close
Set oSCF=Nothing

End If 'WINSTART.BAT exists?

End If 'strOS = W98/WME

'reset title line flags
flagTLW = False
flagSTLW = False

'XI. AUTORUN.INF in root directory of local fixed disks for which
' autorun is enabled

'WXP SP2 does not launch AUTORUN.INF on local fixed disks
If strOSLong <> "Windows XP SP2" Then

'fixed disk, DWORD value, binary value array, AutoRun.Inf file, integer work variable
Dim oDisk, hVal, arBVal, oARI

'array of fixed disks
Public arFixedDisks()

'Disk Letter dictionary (needed to calculate power of 2)
'dictDL.Item(6) returns "G:"
Public dictDL : Set dictDL = CreateObject("Scripting.Dictionary")
dictDL.Add 0, "A:" : dictDL.Add 1, "B:" : dictDL.Add 2, "C:"
dictDL.Add 3, "D:" : dictDL.Add 4, "E:" : dictDL.Add 5, "F:"
dictDL.Add 6, "G:" : dictDL.Add 7, "H:" : dictDL.Add 8, "I:"
dictDL.Add 9, "J:" : dictDL.Add 10, "K:" : dictDL.Add 11, "L:"
dictDL.Add 12, "M:" : dictDL.Add 13, "N:" : dictDL.Add 14, "O:"
dictDL.Add 15, "P:" : dictDL.Add 16, "Q:" : dictDL.Add 17, "R:"
dictDL.Add 18, "S:" : dictDL.Add 19, "T:" : dictDL.Add 20, "U:"
dictDL.Add 21, "V:" : dictDL.Add 22, "W:" : dictDL.Add 23, "X:"
dictDL.Add 24, "Y:" : dictDL.Add 25, "Z:"

'HKLM NoDriveTypeAutoRun Fixed Disks Enabled
Public flagHKLM_NDTAR_FDE : flagHKLM_NDTAR_FDE = True
'HKCU NoDriveTypeAutoRun Fixed Disks Enabled
Public flagHKCU_NDTAR_FDE : flagHKCU_NDTAR_FDE = True

'HKLM NoDriveTypeAutoRun value exists
Public flagHKLM_NDTAR : flagHKLM_NDTAR = False
'HKCU NoDriveTypeAutoRun value exists (unused, passed for consistency)
Public flagHKCU_NDTAR : flagHKCU_NDTAR = False

'HKLM NoDriveAutoRun value exists
Public flagHKLM_NDAR : flagHKLM_NDAR = False
'HKCU NoDriveAutoRun value exists (unused, passed for consistency)
Public flagHKCU_NDAR : flagHKCU_NDAR = False

strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

NDTAR HKLM, flagHKLM_NDTAR, flagHKLM_NDTAR_FDE
If Not flagHKLM_NDTAR Then NDTAR HKCU, flagHKCU_NDTAR, flagHKCU_NDTAR_FDE

'if NoDriveTypeAutoRun permits autorun on fixed disks, look at
'individual disks
If flagHKLM_NDTAR_FDE And flagHKCU_NDTAR_FDE Then

'enumerate fixed disks
Dim colDisks : Set colDisks = GetObject("winmgmts:\root\cimv2")._
ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3")

j = 0

'fmt of DeviceID & Name is "A:"
For Each oDisk in colDisks

'for every dict entry
For i = 0 To 25

'find dictionary element number for drive letter
If dictDL.Item(i) = oDisk.DeviceID Then

'store disk letter, power of two for that letter,
'set autorun flag to True, increment counter
ReDim Preserve arFixedDisks(2,j)
arFixedDisks(0,j) = oDisk.DeviceID
arFixedDisks(1,j) = 2^i
arFixedDisks(2,j) = True
j = j + 1

End If 'dict drive letter located?

Next 'dict entry

Next 'disk in colDisks

NDAR HKLM, flagHKLM_NDAR
If Not flagHKLM_NDAR Then NDAR HKCU, flagHKCU_NDAR

'for every fixed disk
For i = 0 To UBound(arFixedDisks,2)

'if autorun enabled
If arFixedDisks(2,i) Then

'get the drive
Set oDisk = Fso.GetDrive(arFixedDisks(0,i))

'look for AUTORUN.INF in the root
If Fso.FileExists(arFixedDisks(0,i) & "\autorun.inf") Then

'open AUTORUN.INF if found
Set oARI = Fso.OpenTextFile (arFixedDisks(0,i) & "\autorun.inf",1)

'for each line of AUTORUN.INF
Do While Not oARI.AtEndOfStream

'read a line
strLine = oARI.ReadLine

'look for "open" or "shellexecute" statements
IniInfParse strLine, "open", "", "autorun.inf", arFixedDisks(0,i)
IniInfParse strLine, "shellexecute", "", "autorun.inf", arFixedDisks(0,i)

Loop 'next AUTORUN.INF line

oARI.Close 'close AUTORUN.INF

End If 'AUTORUN.INF exists in root?

End If 'autorun enabled on drive?

Next 'fixed disk

End If 'NoDriveTypeAutoRun enables autorun on fixed disks?

If flagTLW Then SkipLine

End If 'not WXP SP2?

'reset title line flags
flagTLW = False
flagSTLW = False




'XII. Enumerate contents of startup directories

'All Users StartUp Folder title string (empty by default)
Dim flagAUSUF : flagAUSUF = False
Dim flagFE : flagFE = True 'folder exists flag

'in W98/WME, see if local-language-specific All Users startup folder location
'appears in registry and form title string if it does
If strOS = "W98" Or strOS = "WME" Then

'look for Common Startup value
strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
oReg.GetStringValue HKLM,strKey,"Common Startup",strValue

'if Common Startup value exists, extract title string
If Not IsNull(strValue) And strValue <> "" Then flagAUSUF = True

End If

'startup folder short names
If strOS = "W98" Or strOS = "WME" Then
arSUFN = Array("Startup")
Else
arSUFN = Array("Startup","AllUsersStartup")
End If

'form output file section title string
strLine = "Startup items in "

'in W98/WME, omit username & "All Users" folder if absent from registry
If strOS = "W98" Or strOS = "WME" Then
strLine = strLine & Chr(34) & "Startup" & Chr(34)
If flagAUSUF Then
strLine = strLine & " & " & Chr(34) & "All Users...Startup" &_
Chr(34) & " folders:"
Else
strLine = strLine & " folder:"
End If
Else 'all other O/S's
strLine = strLine & Chr(34) & Wshso.ExpandEnvironmentStrings("%USERNAME%") &_
Chr(34)
If flagFW = "SO" Then
strLine = strLine & " & " & Chr(34) & "All Users" & Chr(34) & " startup folders:"
Else 'Echo output -- escape ampersand
strLine = strLine & " ^& " & Chr(34) & "All Users" & Chr(34) & " startup folders:"
End If 'flagFW
End If 'strOS

strTitleLine1 = strLine
strTitleLine2 = String(Len(strLine),"-")

'for each startup folder name
For i = 0 To 1 '0 = user folder, 1 = All Users folder

flagSTLW = False

'get the startup folder
'in W98/WME, set flagFE to False if "All Users" folder doesn't exist
If i = 1 And (strOS = "W98" Or strOS = "WME") Then
If flagAUSUF Then
If Fso.FolderExists(strValue) Then
Set oSUF = Fso.GetFolder(strValue)
Else
flagFE = False 'folder doesn't exist
End If
Else
flagFE = False 'registry key doesn't exist
End If
Else 'all other O/S's at all times
Set oSUF = Fso.GetFolder(Wshso.SpecialFolders(arSUFN(i)))
End If

'if startup folder exists
If flagFE Then

'for each file in the startup folder
For Each oSUFi in oSUF.Files

strLine = "" 'empty the line

'treat file as a shortcut
On Error Resume Next
Set oSUSC = Wshso.CreateShortcut(oSUFi)
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if file is a shortcut
If intErrNum = 0 Then

If LCase(Fso.GetExtensionName(oSUFi)) = "url" Then 'shortcut is URL

'prepare the shortcut file base name and the target path & arguments
strLine = Chr(34) & Fso.GetBaseName (oSUFi.Path) & Chr(34) & strGT & "URL shortcut to: " &_
Chr(34) & oSUSC.TargetPath

Else

'prepare the shortcut file base name and the target path & arguments
strLine = Chr(34) & Fso.GetBaseName (oSUFi.Path) & Chr(34) & strGT & "shortcut to: " &_
Chr(34) & oSUSC.TargetPath

If oSUSC.Arguments <> "" Then
strLine = strLine & " " & oSUSC.Arguments & Chr(34)
Else
strLine = strLine & Chr(34)
End If

'add co-name
strLine = strLine & CoName(oSUSC.TargetPath)

End If 'URL or shortcut?

'if file is a PIF
ElseIf LCase(Fso.GetExtensionName(oSUFi)) = "pif" Then

'write out pif file target
strPIFTgt = ""
Dim oFi : Set oFi = Fso.OpenTextFile(oSUFi, 1)
oFi.Skip(36) 'target starts after 36 bytes

'target size is up to 63 bytes
For ii = 1 To 63
bin1C = oFi.Read(1)
'end of target is single "00" byte
If AscB(bin1C) = 0 Then Exit For
'otherwise convert binary to ASCII and append to string
strPIFTgt = strPIFTgt & Chr(AscB(bin1C))
Next

oFi.Close
Set oFi=Nothing

strLine = Chr(34) & Fso.GetBaseName(oSUFi.Path) & Chr(34) & strGT & "PIF to: " &_
Chr(34) & strPIFTgt & Chr(34) & CoName(strPIFTgt)

'file is neither shortcut nor PIF
Else

'file is probably an executable so write out the file name
If LCase(Fso.GetFileName(oSUFi)) <> "desktop.ini" Then _
strLine = Chr(34) & oSUFi.Name & Chr(34) & CoName(IDExe(oSUFi.Name))

End If 'file is shortcut

Set oSUSC=Nothing

'if there's something to output
If strLine <> "" Then

'output the section title line if not already done
If Not flagTLW Then
SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine
flagTLW = True
End If

'output the folder title line if not already done
If Not flagSTLW Then
'write the path to the file
WriteOut oSUF.Path
flagSTLW = True
End If
'output the line
WriteOut strLine

End If

Next 'file in startup folder

End If 'flagFE?

If flagSTLW Then SkipLine

Next 'startup folder name

'reset title line flags
flagTLW = False
flagSTLW = False

'recover array memory
ReDim arSUFN(0)




'XIII. Enumerate enabled Scheduled Tasks

' Byte Disabled Enabled
'00000030: #####1## #####0## <--

'file in Tasks directory
Dim oFi2

'prepare section title lines
strTitleLine1 = "Enabled Scheduled Tasks:"
strTitleLine2 = String(Len(strTitleLine1),"-")

'if the tasks directory exists in the Windows directory
If Fso.FolderExists(Fso.GetSpecialFolder(WinFolder) & "\Tasks") Then

'get the tasks folder
Dim oJobF : Set oJobF = Fso.GetFolder(Fso.GetSpecialFolder(WinFolder) & "\Tasks")

'for each file
For Each oFi2 in oJobF.Files

'if file in Tasks directory is a task (has a .JOB extension)
If LCase(Fso.GetExtensionName(oFi2)) = "job" Then

'try to open the task file
On Error Resume Next
Dim oJobFi : Set oJobFi = Fso.OpenTextFile(oFi2,1,False,-1)
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if file could be opened
If intErrNum = 0 Then

'read the file, determine enabled status, extract the executable name
JobFileRead oFi2, oJobFi

'close the .JOB file
oJobFi.Close
Set oJobFi=Nothing

Else 'file couldn't be opened

'write titles if not already done
If Not flagTLW Then
SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine
flagTLW = True
End If

'write error message
WriteOut Chr(34) & oFi2.Name & Chr(34) &_
" -- insufficient permission to read this file!"

End If '.JOB file opened successfully?

End If '.JOB file extension selected?

Next 'file in TASKS directory

Else 'Tasks directory can't be found

'write titles and error message
SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine
WriteOut "** The " & Chr(34) & Wshso.ExpandEnvironmentStrings("%WINDIR%") &_
"\Tasks" & Chr(34) & " directory does not exist. **"
flagTLW = True

End If 'Tasks directory exists?

Set oJobF=Nothing

If flagTLW Then SkipLine
flagTLW = False




'XIV. Enumerate Started or Non-disabled Services

'for NT-type O/S's
If strOS <> "W98" And strOS <> "WME" Then

'Services collection, Service object,
Dim colSvce, oSvce
'counter, lowest-sort subscript, lowest-sort name holder, temp variables x 3
Dim intCnt, intLSS, str1stName, strT0, strT1, strT2
Dim flagSM : flagSM = False 'Safe Mode flag

'for W2K/WXP, determine if running in Safe Mode
If strOS <> "NT4" Then

strKey = "SYSTEM\CurrentControlSet\Control"
oReg.GetStringValue HKLM,strKey,"SystemStartOptions",strValue
If InStr(LCase(strValue),"safeboot") <> 0 Then flagSM = True

End If

'write title lines
strLine = "Running Services (Display Name, Service Name, Path {Service DLL}):"
If flagSM Then strLine = "All Non-Disabled Services (Display Name, " &_
"Service Name, Path {Service DLL}):"
SkipLine : WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine

'if in Safe Mode
If flagSM Then

'get collection of services with Auto or Manual "Startup type"
Set colSvce = GetObject("winmgmts:root\cimv2").ExecQuery("SELECT DisplayName, " &_
"Name, PathName FROM Win32_Service WHERE StartMode = ""Manual"" " &_
"Or StartMode = ""Auto""")

'not in Safe Mode
Else

'get collection of started services
Set colSvce = GetObject("winmgmts:root\cimv2").ExecQuery("SELECT DisplayName, " &_
"Name, PathName FROM Win32_Service WHERE Started = True")

End If 'safe mode?

'sort services by display name

'get the count
intCnt = colSvce.Count

'set up two arrays: work array & sorted array
Dim arSvces()
ReDim arSvces(intCnt-1, 2) 'services array

i = 0

'transfer data from collection to array
For Each oSvce in colSvce

arSvces(i,0) = oSvce.DisplayName : arSvces(i,1) = oSvce.Name : arSvces(i,2) = oSvce.PathName
i = i + 1

Next 'service in collection

'for every service in array up to the next to last one
For i = 0 To UBound(arSvces,1) - 1

'store array row in temp variables
strT0 = arSvces(i,0)
strT1 = arSvces(i,1)
strT2 = arSvces(i,2)

'initialize the sorted name & lowest-sort subscript
str1stName = arSvces(i,0)
intLSS = i

'for every subsequent service in array up to the last one
For j = i + 1 To UBound(arSvces,1)

'if current array name < saved lowest-sort name,
'reset sorted array data and
'set lowest-sort subscript = current array subscript
If LCase(arSvces(j,0)) < LCase(str1stName) Then
str1stName = arSvces(j,0)
intLSS = j
End If

Next 'array element

'set current array position = lowest-sort subscript element
arSvces(i,0) = arSvces(intLSS,0)
arSvces(i,1) = arSvces(intLSS,1)
arSvces(i,2) = arSvces(intLSS,2)
'save data formerly in current array position to array position just vacated
arSvces(intLSS,0) = strT0
arSvces(intLSS,1) = strT1
arSvces(intLSS,2) = strT2

Next 'sorted name array element

'for every service sorted by display name
For i = 0 To UBound(arSvces,1)

'for services with unique file names
If InStr(LCase(arSvces(i,2)),"services.exe") = 0 And _
InStr(LCase(arSvces(i,2)),"svchost") = 0 Then

'output display name, service name, path
WriteOut arSvces(i,0) & ", " & arSvces(i,1) & ", " & Chr(34) &_
arSvces(i,2) & Chr(34) & CoName(IDExe(arSvces(i,2)))

'shared process -- look for ServiceDLL value in Parameter subkey
ElseIf InStr(LCase(arSvces(i,2)),"svchost") > 0 And _
InStr(LCase(arSvces(i,2))," -k") > 0 Then

strKey = "System\CurrentControlSet\Services\"
oReg.GetExpandedStringValue HKLM,strKey & arSvces(i,1) &_
"\Parameters","ServiceDll",strValue

'prepare output for missing Parameters key or ServiceDLL value
strLine = " {(missing data)}"
If strValue <> "" Then strLine = " {" & Chr(34) & strValue &_
Chr(34) & CoName(IDExe(strValue)) & "}"

'output display name, service name, path
WriteOut arSvces(i,0) & ", " & arSvces(i,1) & ", " & Chr(34) &_
arSvces(i,2) & Chr(34) & strLine

'if ServicesDll value not returned, output error line
If strValue <> "" Then
CoName strValue
Else
WriteOut " ** Corrupt registry entry! **"
End If

'services.exe
Else

'output display name, service name, path
WriteOut arSvces(i,0) & ", " & arSvces(i,1) & ", " & Chr(34) &_
arSvces(i,2) & Chr(34) & CoName(arSvces(i,2))

End If 'independent file, svchost, or services?

Next 'service file

SkipLine

'recover array memory
ReDim arSvces(0,0)

End If 'NT4-type O/S?

'rename report file if using Echo under W98
If flagFW = "EO" And (strOS = "W98" Or strOS = "WME") Then _
Wshso.Run "%COMSPEC% /c MOVE /y " & strFNS & " " & Chr(34) & strFN & Chr(34),0,TRUE


'inform user that script is complete
If flagOut = "W" Then

Wshso.PopUp "All Done! The results are in the file:" &_
vbCRLF & vbCRLF & strFN,2,"Silent Runners R" & strRevNo & " Complete",64

Else

WScript.Echo "Silent Runners R" & strRevNo & " is done! The results " &_
"are in the file:" & vbCRLF & vbCRLF & strFN

End If


'clean up
Set oSUF=Nothing
If IsObject(oFN) Then
On Error Resume Next
oFN.Close
On Error Goto 0
End If
Set oFN=Nothing
Set oReg=Nothing
Set Fso=Nothing
Set Wshso=Nothing




'YYYY-MM-DD
Function FmtDate

FmtDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" & Right("0" & Day(Now),2)

End Function



'hh:mm:ss
Function FmtTime

FmtTime = Right("0" & Hour(Now),2) & ":" & Right("0" & Minute(Now),2)

End Function




'enumerate key's entries
Function EnumKeyData (hexHive, strHive, strKey, strWarn)

Dim arNames, arType, strValue, i, j
Dim strMsg : strMsg = strWarn

Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7

'find all the names in the key
oReg.EnumValues hexHive, strKey, arNames, arType

'enumerate names if present
If IsArray(arNames) Then

'in W98, if key has no name/value pairs, arNames is array with UBound of -1
'in W2K, not an array
If UBound(arNames) >= 0 Then

'write the full key name
WriteOut strHive & "\" & strKey & "\"

'for each data type in the values array
For i = LBound(arType) To UBound(arType)

'find the value that corresponds to its type
Select Case arType(i)

'string value
Case REG_SZ

'return the string-type value
oReg.GetStringValue hexHive,strKey,arNames(i),strValue
WriteValueData arNames(i), strValue, "REG_SZ", strWarn

'expandable-string value
Case REG_EXPAND_SZ

'return the expandable string-type value
oReg.GetExpandedStringValue hexHive,strKey,arNames(i),strValue
WriteValueData arNames(i), strValue, "REG_EXPAND_SZ", strWarn

'binary value
Case REG_BINARY

'return the binary-type value as array
oReg.GetBinaryValue hexHive,strKey,arNames(i),strValue

'set name = default if name is empty string
If arNames(i) = "" Then
strMsg = strMsg & Chr(34) & "Default" & Chr(34) & " = "
Else
strMsg = strMsg & Chr(34) & arNames(i) & Chr(34) & " = "
End If

'delimit every two-bytes by space
For j = LBound(strValue) To UBound(strValue)
strMsg = strMsg & strValue(j) & Space(1)
Next

strMsg = Left(strMsg,Len(strMsg)-1) 'lop off trailing space
WriteOut strMsg & " (REG_BINARY)"

'4-byte value
Case REG_DWORD

'return the DWORD-type value
oReg.GetDWORDValue hexHive,strKey,arNames(i),strValue
WriteValueData arNames(i), Hex(strValue), "REG_DWORD", strWarn

'multiple-string value
Case REG_MULTI_SZ

'return the multiple-string-type value
oReg.GetMultiStringValue hexHive,strKey,arNames(i),strValue

'set name = default if name is empty string
If arNames(i) = "" Then
strMsg = strMsg & Chr(34) & "Default" & Chr(34) & " = "
Else
strMsg = strMsg & Chr(34) & arNames(i) & Chr(34) & " = "
End If

'delimit every quote-enclosed string by "|"
For j = LBound(strValue) To UBound(strValue)
strMsg = strMsg & Chr(34) & strValue(j) & Chr(34) & "|"
Next

strMsg = Left(strMsg,Len(strMsg)-1) 'lop off trailing "|"
WriteOut strMsg & " (REG_MULTI_SZ)"

'any other type
Case Else

'admit we don't know what it is
WriteOut Chr(34) & arNames(i) & Chr(34) & " = (data in unrecognized format!)"

End Select 'data type

Next 'arType member

SkipLine

End If 'UBound > 0

End If 'arNames array exists

ReDim arType(0)

End Function

'write name/value pair to file
Function WriteValueData (strName, strValue, strType, strWarn)

Dim strOQEC 'Optionally Quote-Enclosed Comment"

If strType = "REG_DWORD" Then
strOQEC = strValue & CoName(IDExe(strValue))
Else
strOQEC = Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue))
End If

'if name is empty string then output "Default"
If strName = "" Then
On Error Resume Next
'write the quote-delimited name and value to a file
WriteOut strWarn & Chr(34) & "Default" & Chr(34) & " = " & strOQEC
If Err.Number <> 0 Then WriteOut strWarn & Chr(34) & "Default" &_
Chr(34) & " = ** WARNING! empty or invalid data **"
On Error GoTo 0
Else 'name is non-empty string
On Error Resume Next
'write the quote-delimited name and value to a file
WriteOut strWarn & Chr(34) & strName & Chr(34) & " = " & strOQEC
If Err.Number <> 0 Then WriteOut strWarn & Chr(34) & strName &_
Chr(34) & " = ** WARNING! empty or invalid data **"
On Error GoTo 0
End If

Err.Clear

End Function




'output registry name/value if value <> ref
Function RegDataChk (cHive, strKey, strName, strValue, strRef)

Dim strHive, strCoName, strValWrk

If cHive = HKCU Then strHive = "HKCU"
If cHive = HKLM Then strHive = "HKLM"

'if value exists
If oReg.GetStringValue (cHive,strKey,strName,strValue) = 0 Then

strValWrk = Trim(LCase(strValue))

'alert if value <> reference and not empty string
If strValWrk <> LCase(strRef) And strValWrk <> "" Then

If Not flagTLW Then
WriteOut strHive & "\" & strKey & "\"
flagTLW = True
End If

If LCase(strName) = "load" Or LCase(strName) = "run" Then
strCoName = LRParse(strValue)
Else
strCoName = CoName(IDExe(strValue))
End If

'write name and value to file
On Error Resume Next
WriteOut "INFECTION WARNING! " & Chr(34) & strName & Chr(34) &_
" = " & Chr(34) & strValue & Chr(34) & strCoName
If Err.Number <> 0 Then WriteOut Chr(34) & strName & Chr(34) &_
" = ** WARNING -- empty or invalid data! **"
Err.Clear
On Error GoTo 0

End If 'value <> reference

End If 'value exists

End Function




'set NoDriveTypeAutoRun flag
Function NDTAR (cHive, strValueFlag, strFDFlag )

'DWORD or BINARY value, binary value array
Dim hVal, arBVal

strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

'if cHive NoDriveTypeAutoRun DWORD value exists
If oReg.GetDWORDValue(cHive,strKey,"NoDriveTypeAutoRun",hVal) = 0 Then

strValueFlag = True

'if autorun for fixed drives is disabled, set flag
If (hVal And 8) = 8 Then strFDFlag = False

'if cHive NoDriveTypeAutoRun BINARY value exists
ElseIf oReg.GetBinaryValue(cHive,strKey,"NoDriveTypeAutoRun",arBVal) = 0 Then

'UBound = -1 if value not set (zero-length binary value)
If UBound(arBVal) = -1 Then

'if O/S = W2K/WXP SP0/1, "value not set" interpreted as 0 instead of null!
If strOS = "W2K" Or strOS = "WXP" Then
strValueFlag = True
End If 'W2K/WXP?

Else 'UBound <> -1, so value set

strValueFlag = True : hVal = 0

'binary value retrieved as array in increments of 16^2
For i = 0 To UBound(arBVal)
hVal = hVal + arBVal(i) * 256^i
Next

'if autorun for fixed drives is disabled, set flag
If (hVal And 8) = 8 Then strFDFlag = False

End If 'UBound = -1?

End If 'NoDriveTypeAutoRun value exists?

End Function




'detect if autorun disabled for individual drives
Function NDAR (cHive, strValueFlag)

'DWORD or BINARY value, binary value array
Dim hVal, arBVal

strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

'if cHive NoDriveAutoRun DWORD value exists
If oReg.GetDWORDValue(cHive,strKey,"NoDriveAutoRun",hVal) = 0 Then

strValueFlag = True

'for every fixed disk
For i = 0 To UBound(arFixedDisks,2)

'if autorun for fixed drive is disabled, set flag
If (hVal And arFixedDisks(1,i)) = arFixedDisks(1,i) Then

arFixedDisks(2,i) = False

End If 'autorun disabled for this drive?

Next 'fixed disk

'if cHive NoDriveAutoRun BINARY value exists
ElseIf oReg.GetBinaryValue(cHive,strKey,"NoDriveAutoRun",arBVal) = 0 Then

'UBound = -1 if value not set (zero-length binary value)
If UBound(arBVal) = -1 Then

'if O/S = W2K/WXP SP0/1, "value not set" interpreted as 0 instead of null!
If strOS = "W2K" Or strOS = "WXP" Then

strValueFlag = True

'set all NDAR flags to True
For i = 0 To UBound(arFixedDisks,2)
arFixedDisks(2,i) = True
Next

End If 'W2K/WXP?

Else 'UBound <> -1, so value set

strValueFlag = True

hVal = 0

'binary value retrieved as array in increments of 16^2
For i = 0 To UBound(arBVal)
hVal = hVal + arBVal(i) * 256^i
Next

'for every fixed disk
For i = 0 To UBound(arFixedDisks,2)

'if autorun for the fixed disk is disabled, set flag
If (hVal And arFixedDisks(1,i)) = arFixedDisks(1,i) Then

arFixedDisks(2,i) = False

End If 'autorun disabled for fixed disk?

Next 'fixed disk

End If 'hive NoDriveAutoRun value set?

End If 'hive NoDriveAutoRun value exists?

End Function




'INI-file Load/Run/Shell parser
Function IniInfParse (strLine, strVerb, strEquiv, strINIFile, strDisk)

Dim strExe : strExe = "" 'executable after "="

'if verb is first non-space chars (if line is populated)
If Left(LCase(LTrim(strLine)),Len(strVerb)) = strVerb Then

'find pos'n of equals sign
Dim intEqu : intEqu = InStr(strLine,"=")

'find executable statement after equals sign
strExe = Trim(Mid(strLine,intEqu+1))

'if non-space chars to right of equals sign different from argument
If LCase(strExe) <> strEquiv Then

'output titles
IniInfTitles strINIFile

'write warning & verb line
If LCase(strVerb) = "load" Or LCase(strVerb) = "run" Then
strLine = "INFECTION WARNING! " & Chr(34) & strLine & Chr(34) & LRParse(strExe)
ElseIf LCase(strVerb) = "open" Or LCase(strVerb) = "shellexecute" Then
strLine = "INFECTION WARNING! " & strDisk & "\AUTORUN.INF" & strGT &_
Chr(34) & strLine & Chr(34) & CoName(IDExe(strDisk & "\" & strExe))
Else
strLine = "INFECTION WARNING! " & Chr(34) & strLine & Chr(34) & CoName(IDExe(strExe))
End If
flagTLW = True
WriteOut strLine

End If 'verb populated?

End If 'line populated

End Function




'output WIN.INI/SYSTEM.INI/AUTORUN.INF titles
Function IniInfTitles (strINIFile)

Dim strLine

'write section title line if not already done
If Not flagTLW Then

SkipLine
If LCase(strINIFile) = "autorun.inf" Then
strLine = "Autostart via AUTORUN.INF on local fixed drives:"
Else
strLine = "WIN.INI & SYSTEM.INI launch points:"
End If

WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine

End If 'section title line already written?

'write subtitle lines for WIN.INI & SYSTEM.INI
If LCase(strINIFile) = "win.ini" And Not flagSTLW Then
WriteOut "WIN.INI" : Writeout "[windows]"
flagSTLW = True
ElseIf LCase(strINIFile) = "system.ini" Then
If flagTLW Then SkipLine : WriteOut "SYSTEM.INI" : WriteOut "[boot]"
End If

End Function




'default executable title lines
Function DefExeTitles

Dim strLine : strLine = "Default executables:"
SkipLine : WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine

End Function




'trim the parameters from a path to find the executable
Function IDExe (strPath)

'work path string
'location of ".exe", location of last backslash,
'location of first space after backslash,
'location of second quote,
'executable id'd from location of ".exe",
'executable id'd btwn final backslash & first space following backslash
Dim strPWk, intExeL, intBSL, intSpL, int2Q, strID1, strID2, intErrNum

strPWk = LTrim(strPath)

'look for leading double quote
If Left(strPWk,1) = Chr(34) Then
'if find it, then look for second quote
int2Q = InStr(2, strPWk, """")
'if find it, reset the path string to what was between the quotes
If int2Q > 0 Then strPWk = Mid(strPWk, 2, int2Q - 2)
End If

'locate .exe
intExeL = InStr(LCase(strPWk), ".exe")
'if not an .exe, maybe a .cmd?
If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".cmd")
'.bat?
If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".bat")
'.pif?
If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".pif")
'.dll?
If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".dll")
'.com?
If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".com")
'.ocx?
If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".ocx")
'.vbs?
If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".vbs")

'extract exectable through .ext
strID1 = Left(strPWk,intExeL + 3)

'locate final backslash
intBSL = InStrRev(strPWk, "\")
'locate first space after final backslash
intSpL = InStr(intBSL + 1, strPWk, " ")
'extract executable up to space
On Error Resume Next
strID2 = Left(strPWk, intSpL -1)
intErrNum = Err.Number
On Error Goto 0
Err.Clear

If intErrNum <> 0 Then strID2 = ""

'compare lengths of extracted strings and return longest string
If Len(strID1) > Len(strID2) Then

IDExe = strID1
Exit Function

Else

IDExe = strID2
Exit Function

End If

End Function




'SCRipts.Ini-file Parser
'file name to open, action for which scripts must be parsed
Function ScrIP (strValue, strAction)

'form scripts.ini path\FileName
Dim strFN : strFN = strValue & "\scripts.ini"
'default path
Dim strDefPath : strDefPath = ""

'error number, line read from file, pos'n of CmdLine & equals sign,
'parameter string, line intro ("arrow") string
Dim intErrNum, strLine, intCS, intEq, strParam, strArrow
Dim strSC : strSC = "" 'script command
Dim intSN : intSN = 0 'script number
Dim strCmd : strCmd = "" 'command string
Dim flagSection : flagSection = False 'True if in strAction section
Dim intActL : intActL = Len(strAction) 'action length (used for spacing of output)

'assume not in right action section
flagTLW = False

'open the SCRIPTS.INI file For Reading
On Error Resume Next
Dim oSI : Set oSI = Fso.OpenTextFile(strFN, 1, False,-1)
intErrNum = Err.Number
On Error Goto 0

Err.Clear

'if couldn't open file, output a warning & quit
If intErrNum <> 0 Then
If Not flagTLW Then WriteOut arHives(i,0) & "\" & strKey
WriteOut " ** WARNING! Insufficient permission to read " &_
Chr(34) & strFN & Chr(34) & " **"
flagTLW = True
Exit Function
End If

'for every line of file
Do Until oSI.AtEndOfStream

strLine = oSI.ReadLine

'if know already in right section
If flagSection Then

'exit if find beginning of next section
If InStr(strLine, "[") Then Exit Do

'[Logon]
'0CmdLine=path\filename.ext
'0Parameters=

'find pos'n of equals sign
intEq = InStr(strLine,"=")

'if equals sign found in the line
If intEq > 0 Then

'output saved info if the script number has changed
If intSN <> FLN(strLine) Then

'write titles if necessary
If Not flagTLW Then
'write a title
WriteOut arHives(i,0) & "\" & strKey
strArrow = strAction & strGT & "launches: "
flagTLW = True
Else
strArrow = Space(intActL) & strGT & "launches: "
End If

'output script command, reset script command & saved script number
WriteOut strArrow & Chr(34) & strSC & Chr(34) & CoName(IDExe(strCmd))
strSC = "" : strCmd = ""
intSN = FLN(strLine)

End If 'new script number?

'current line is cmdline
If InStr(LCase(strLine), "cmdline") > 0 Then

'if cmdline doesn't contain backslash, form script path from
'function parameters
If InStr(strLine,"\") = 0 Then strDefPath = strValue & "\" & strAction & "\"

'add script command to command string
strSC = strDefPath & Mid(strLine, intEQ + 1) & strSC
strCmd = strDefPath & Mid(strLine, intEQ + 1) 'store cmdline field for co-name id

'if parameters line
ElseIf InStr(LCase(strLine), "parameters") > 0 Then

'extract parameters string
strParam = Mid(strLine, intEq + 1)

'add non-empty parameters command to command string
If Trim(strParam) <> "" Then strSC = strSC & " " & strParam

End If 'line is cmdline or parameter

End If '"=" in this line

End If 'inside action section

'if action found in current line, set flag to True
If InStr(LCase(strLine), LCase(strAction)) > 0 Then flagSection = True

Loop 'next line in SCRIPTS.INI

'if a script was located, output last script command found
If strSC <> "" Then

If Not flagTLW Then
'write a title
WriteOut arHives(i,0) & "\" & strKey
strArrow = strAction & strGT & "launches: "
flagTLW = True
Else
strArrow = Space(intActL) & strGT & "launches: "
End If

WriteOut strArrow & Chr(34) & strSC & Chr(34) & CoName(strCmd)

End If 'script located?

End Function




'Find Leading Number
Function FLN (strLine)

'save the input in a trimmed work variable
Dim strWork : strWork = LTrim(strLine)
'initialize the output number
Dim intNumber : intNumber = 0

'counter, single character
Dim i, str1C
'find length of work variable
Dim intLen : intLen = Len(strWork)

'for the length of the work variable
For i = 1 To intLen

'take the left-most chr
str1C = Left(strWork,1)
'if it's numeric
If IsNumeric(str1C) Then
'concatenate the digit
intNumber = intNumber + CInt(str1C)
'remove 1st chr from the work variable
strWork = Right(strWork,Len(strWork)-1)
Else 'left-most chr isn't numeric
FLN = intNumber 'output the leading number & exit
Exit For
End IF

Next 'work variable chr

End Function

'find company name in existing file
Function CoName (strFN)

If IsNull(strFN) Or strFN = "" Then
CoName = " [(file not found)]"
Exit Function
End If

'does the file exists?
If Fso.FileExists(strFN) Then

CoName = CNCall(strFN)

ElseIf Fso.FileExists(strFPWF & "\" & strFN) Then

'use prefixed windows folder
CoName = CNCall(strFPWF & "\" & strFN)

ElseIf Fso.FileExists(strFPSF & "\" & strFN) Then

'use prefixed system folder
CoName = CNCall(strFPSF & "\" & strFN)

ElseIf Fso.FileExists(AppPath(strFN)) Then

'trace executable via App Paths key
CoName = CNCall(AppPath(strFN))

Else

'say file can't be found
CoName = " [file not found]"

End If 'file exists?

End Function



'find company name in existing file
Function CNCall (strFN)

'WMI file object, co-name, error number
Dim oFile, strMftr, intErrNum

'if there are already escaped backslashes, unescape them
If InStr(strFN,"\\") <> 0 Then strFN = Replace(strFN,"\\","\")
'now reescape all of them
strFN = Replace(strFN,"\","\\")

'get the file object with filename delimited by double quotes
'(couldn't get single quotes to work with single quote embedded in path)
On Error Resume Next
Set oFile = GetObject("winmgmts:root\cimv2").Get _
("CIM_DataFile.Name=""" & strFN & """")
intErrNum = Err.Number
On Error Goto 0
Err.Clear
If intErrNum <> 0 Then
CNCall = " [(path error)]"
Exit Function
End If

'find the co-name
strMftr = oFile.Manufacturer

Set oFile=Nothing

'if null, say so
If IsNull(strMftr) Then

CNCall = " [null data]"

'if empty, say so
ElseIf strMftr = "" Then

CNCall = " [empty string]"

'if some company, say it
Else

'if MS, say it with 2 letters
If strMftr = "Microsoft Corporation" Then

CNCall = " [MS]"

'if some other company, provide all the data, which may take up several lines
Else

CNCall = " [" & Chr(34) & Replace(strMftr,Chr(13) & Chr(10),Space(1)) & Chr(34) & "]"

End If 'MS or not?

End If 'null, mt, MS or not?

End Function




'look for the App Path default value for an executable
Function AppPath (strFN)

Dim strKey, strValue

strKey = "Software\Microsoft\Windows\CurrentVersion\App Paths"

oReg.GetStringValue HKLM,strKey & "\" & strFN,"",strValue

'return the value or an empty string
If IsNull(strValue) Then strValue = ""

AppPath = strValue

End Function




'parse HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run for executables
'and return co-name for each executable
'executables are delimited by spaces and/or commas
Function LRParse (strLine)

Dim i, strLRSeg 'counter, line segment
Dim strIn : strIn = Trim(strLine) 'input string
Dim intSLLI : intSLLI = Len(strIn) 'Input String Line Length
Dim strOut : strOut = "" 'output string
Dim arOut() 'dynamic executable output array
Dim cntAr : cntAr = -1 'output array UBound
Dim cntChr : cntChr = 0 'number of chrs in executable string
Dim intStartChr : intStartChr = 1 'start of executable string in input string

'for every chr in input string
For i = 1 To intSLLI

'if the chr is a delimiter
If Mid(strIn,i,1) = " " Or Mid(strIn,i,1) = "," Then

'if at least one non-delimiter chr has been encountered
If cntChr > 0 Then

'extract the executable from the input string
strLRSeg = Mid(strIn,intStartChr,cntChr)
cntChr = 0 'reset the executable counter
cntAr = cntAr + 1 'increment the output array UBound
ReDim Preserve arOut(cntAr) 'redim the output array
arOut(cntAr) = strLRseg 'add the executable to the output array

End If 'non-delimiter chr encountered?

intStartChr = i + 1 'reset the executable string start to next chr

Else 'chr not a delimiter

cntChr = cntChr + 1 'increment the exec string counter

End If 'chr a delimiter?

Next 'line chr

'check the end-string
If cntChr > 0 Then

'extract the executable
strLRSeg = Mid(strIn,intStartChr,cntChr)
cntAr = cntAr + 1 'increment the output array UBound
ReDim Preserve arOut(cntAr) 'redim the output array
arOut(cntAr) = strLRSeg 'add the executable to the output array

End If 'exec string found at end of line?

'if exec strings found
If cntAr >= 0 Then

'for every string
For i = 0 To UBound(arOut)

'concatenate a comma & co-name (with leading space)
strOut = strOut & "," & CoName(arOut(i))

Next

'trim obligatory leading comma
strOut = Right(strOut,Len(strOut)-1)

End If

'return delimited string
LRParse = strOut

End Function




'read JOB file & output error if file corrupt
Function JobFileRead (oFile, oJobFi)

'# Unicode chrs in Run field executable statements, decimal value of enabled byte,
'command string, error number
Dim intUChrCtr, int1C, strCmd, intErrNum
Dim strJobExe : strJobExe = "" 'concatenated executable string
Dim flagEnStatus : flagEnStatus = False 'task enabled status

'prepare output file title lines
Dim strLine
Dim strTitleLine1 : strTitleLine1 = "Enabled Scheduled Tasks:"
Dim strTitleLine2 : strTitleLine2 = String(Len(strTitleLine1),"-")

'check for minimum length
If oFile.Size <= 80 Then
JobFileReadError oFile, strTitleLine1, strTitleLine2, " (too small)" : Exit Function
End If

On Error Resume Next

'determine enabled/disabled status by reading one Unicode chr
oJobFi.Skip(24)

int1C = AscB(oJobFi.Read(1))

'for a DISabled task: byte 48 (30h), 0-based-bit 2 (4-bit) = 1
If (int1C And 4) = 0 Then flagEnStatus = True

'if an enabled task
If flagEnStatus Then

'write titles if not already done
If Not flagTLW Then
SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine
flagTLW = True
End If

'skip to the counter for the number of chrs in the first executable statement
oJobFi.Skip(10) '# bytes at unicode chr 35 (byte 70)

'# chrs includes final zero chr so subtract one chr
intUChrCtr = AscW(oJobFi.Read(1))-1

'check for 0 or negative executable length
If intUChrCtr <= 0 Then
JobFileReadError oFile, strTitleLine1, strTitleLine2, " (no executable)"
Exit Function
End If

'read the chrs and convert to ASCII
strJobExe = MidB(oJobFi.Read(intUChrCtr),1)
intErrNum = Err.Number : Err.Clear

'check for truncated executable
If intErrNum <> 0 Then
JobFileReadError oFile, strTitleLine1, strTitleLine2, " (truncated executable)"
Exit Function
End If

strCmd = strJobExe 'store executable for co-name ID
'add ".exe" extension to bare executables
If Fso.GetExtensionName(strCmd) = "" Then strCmd = strCmd & ".exe"

'skip to parameters counter
oJobFi.Skip(1)
intErrNum = Err.Number : Err.Clear

'check for truncated file
If intErrNum <> 0 Then
JobFileReadError oFile, strTitleLine1, strTitleLine2, " (too small)"
Exit Function
End If

'read the parameters counter
intUChrCtr = AscW(oJobFi.Read(1))
intErrNum = Err.Number : Err.Clear

'check for absence of parameters counter
If intErrNum <> 0 Then
JobFileReadError oFile, strTitleLine1, strTitleLine2, " (parameter string size missing)"
Exit Function
End If

'if parameters exist, concatenate the executable
If intUChrCtr <> 0 Then _
strJobExe = strJobExe & Space(1) & MidB(oJobFi.Read(intUChrCtr-1),1)
intErrNum = Err.Number : Err.Clear

'check for truncated parameter string
If intErrNum <> 0 Then
JobFileReadError oFile, strTitleLine1, strTitleLine2," (truncated parameter string)"
Exit Function
End If

'write out the .JOB file name & executable string
WriteOut Chr(34) & Fso.GetBaseName(oFile.Path) & Chr(34) &_
strGT & "launches: " & Chr(34) & strJobExe & Chr(34) & CoName(strCmd)

End If 'enabled task?

On Error Goto 0

End Function




'output reason for JOB file corruption
Function JobFileReadError (oFile, strTitleLine1, strTitleLine2, strReason)

'write titles if not already done
If Not flagTLW Then
WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine
flagTLW = True
End If

'write out the .JOB file name & executable string
WriteOut Chr(34) & Fso.GetBaseName(oFile.Path) & Chr(34) &_
strGT & "WARNING -- The file " & Chr(34) & oFile.Name & Chr(34) &_
" is corrupt!" & strReason

End Function




'write strOut to the report file
Function WriteOut (strOut)

'needed for W98/WME
Dim intQ1, intQ2, strOut1, strOutWk
Dim strOut2 : strOut2 = ""

'if output via Script Object
If flagFW = "SO" Then

oFN.WriteLine strOut 'write the line to the file

'in W98/WME, echo to SFN
ElseIf strOS = "W98" Or strOS = "WME" Then

Wshso.Run "%COMSPEC% /c echo " & strOut & ">> " & strFNS,0,TRUE

'in NT4/W2K/WXP, echo to LFN
Else

'use LFN
Wshso.Run "%COMSPEC% /c echo " & strOut & ">> " & Chr(34) & strFN & Chr(34),0,TRUE

End If 'Script Object or Echo?

End Function




'skip a line in the report file
Function SkipLine

'if output via Script Object
If flagFW = "SO" Then

oFN.WriteBlankLines (1)

'if output via Echo in W98/WME
ElseIf strOS = "W98" Or strOS = "WME" Then

Wshso.Run "%COMSPEC% /c echo.>> " & strFNS,0,TRUE

'if output via Echo in NT4/WS2/WXP
Else

Wshso.Run "%COMSPEC% /c echo.>> " & Chr(34) & strFN & Chr(34),0,TRUE

End If 'Script Object or Echo?

End Function




'R00
'initial rev. 2004-04-20

'R01
'avoided trailing backslash for ScrPath if path is drive root; added
'detection of W98 and HKLM... RunOnceEx, RunServices, RunServicesOnce;
'enumeration of RunOnceEx keys; error if WMI not installed with launch
'of browser to download site & message in text file

'R02
'minor report enhancements

'R03
'added computer name to report file name

'R04
'added:
'HKCU-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load & run
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell & Userinit
'HKLM\SOFTWARE\Classes\[exe-type]file\shell\open\command
'WIN.INI [windows] load= & run=
'SYSTEM.INI [boot] shell=

'R05
'added:
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
'HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
' value of name is CLSID whose InProcServer32 default name's value = executable
'omitted output if keys empty

'R06
'omitted all output if anomalies absent; added W98Titles & DefExeTitles
'functions

'R07
'added RegDataChk sub
'added:
'HKLM\Software\Microsoft\Active Setup\Installed Components\
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
'HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
'HKCU & HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute

'R08
'removed:
'HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
'manages restricted/trusted sites, but not an executable launch point
'added MsgBox at script completion

'R09
'added identification of PIF target, converted script completion
'MsgBox to PopUp

'R10
'added VIII. shortcut parameters

'R11
'added length check for CLSID data, error handling for bad values
' & missing BHO InprocServer32 key
'added:
'WINSTART.BAT contents listing
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

'R12
'added 10-line "unalterable" comments header
'added detected O/S to output file (incl. WME & WS2K3)
'changed terminology from "value/data" to "name/value"
'added to section I:
' arRegFlag array (for each O/S: hive,key,execution applicability & warning flags)
' W98,WME,NT4,W2K,WXP arRegFlag data
' EnumKeyData function for parsing of all value data types & display
' in output file
' subkey recursion (for handling of W2K bug & HKCU/HKLM... RunOnce\Setup)
'removed from Section I:
' HKCU...RunServices & RunServicesOnce for W98
' HKCU... / HKLM... Explorer\Run for NT4

'R13
'added MsgBox to quit if WS2K3 detected
'added HKLM... Winlogon\Notify
'encoded MsgBox e-mail address in hex

'R14
'added INFECTION WARNING! for non-default Winlogon\Notify entry

'R15
'added default value as program's title to HKLM...Active
'Setup\Installed Components section

'R16
'corrected R07 comments concerning HKLM...BootExecute

'R17
'added detection of URL shortcuts in Start Menu folders

'R18
'changed attribution header to accommodate SE results
'added Echo output for CScript host
'added revision number to output file
'modified section II:
' list HKLM\Software\Microsoft\Active Setup\Installed Components\ if
' StubPath value exists and HKCU... Active Setup\Installed Components
' key does not exist, or if HKLM comma-delimited version number > HKCU
' version number
'added to section VI:
' HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell
' HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
'modified section X: suppressed startup folder title in output file if folder empty
'added section XI - enabled Scheduled Tasks
'redimmed arrays to 0 to recover memory at end of every section

'R19
'added to section X:
' %WINDIR%\All Users... Startup for W98
'in section XI:
' fixed executable statement parsing bug due to use of Asc instead of AscW
' changed enabled criterion to single byte (44)
'added revision number to MsgBox/Echo at EOJ

'R20
'added output file directory via argument
'added two sections & renumbered existing sections
'added tests for WME in sections VI, VII, X, XI
'in section III:
' obtained BHO names from CLSID key if unavailable from BHO key
'added section VIII for W2K/WXP:
' HKCU/HKLM\Software\Policies\Microsoft\Windows\System\Scripts
'in section XI:
' excluded DESKTOP.INI files when present in startup directories,
' revised startup folder name title output to only occur if shortcut,
' PIF or executable found in folder
'in section XII:
' changed enabled criteria to single byte: 30h (48),
' bit 2 (0-based) = 0
'added section XIII: started service name, display name, path,
' CompanyName != Microsoft
'added functions: IDExe - extract service executable from path
' FLN - find leading script executable number
' ScrIP - SCRIPTS.INI parser
' CoName - find CompanyName in file

'R21
'added trap for VBScript version for W98/NT4
'added detection of W95 (interpreted as W98)
'added Err.Clear statement after every invocation of On Error Resume Next
'added script name to report header
'added namespace to WMI connection statement
'revised CoName function to concatenate several path strings and call
' 2nd function that uses WMI to retrieve co-name
'added functions: LRParse - parse load/run lines for executables
' CNCall - locate file in initial string, windows,
' system, app paths; retrieve co-name via WMI
'added co-name ID to all pgm sections
'removed output of value type from section I
'fixed bug in section VI - HKLM\...Winlogon\Userinit, infection alert
' was being issued when no comma in string
'changed BootExecute output in VI from output line for every
' multistring entry to single line

'R22
'fixed CNCall malformed path (leading backslash) bug, improved CNCall
'error handling; protected CoName from null or empty ImagePath strings
'due to deleted service left running

'R23
'changed strAUSUF to flagAUSUF in section XI
'added error handling for corrupt JOB file in section XII
'added function: JobFileRead
'changed "empty data" to "empty string" in CNCall
'added ".exe" to extension-less executable in JobFileRead

'R24
'revised R23 changes
'added back strTitleLine assignment in section XII

'R25
'added test for arHKCUKeys array in HKCU... Active Setup\Installed
' Components (section II)
'DIMed local variables in AppPath to avoid conflict with strValue used
' in Section VI; fixed same bug in IniLRS
'suppressed section title if both startup folders empty in section XI

'R26
'changed endpoint in services sort in section XIII so that sort
' included last service in initial array

'R27
'declared strFPSF & strFPWF Public (used in CoName sub)
'script host bug workaround: in some script versions,
' CreateTextFile/OpenTextFile with Create parameter=True overwrites
' file contents line by line instead of overwriting file, so now delete
' output file if it exists before writing to it
'added trap for CreateTextFile error
'added colons to all section titles
'added comments to better explain array in section I
'added to section V: HKCU...ShellServiceObjectDelayLoad
'added to section VI: GinaDLL
'added to section VII: Notify values for W2K (termsrv) & WS2K3 (=WXP)
'new section XI: AUTORUN.INF in root of fixed disks, renumbered XII-XIV
'added functions: NDTAR, NDAR, FmtTime
'changed function titles: W98Titles -> IniInfTitles; IniLRS -> IniInfParse
'modified function RegDataChk to handle no value or empty+expected value
'added script launch time to output file header

'R28
'added functions WriteOut, SkipLine to enable output via Echo when
'Fso generates error, debugged output under W98: Echo output not
'possible from network drive, interference from double quote & >,
'limited to 62-63 chrs/line
'changed output file name

'** Updated Revision Number on line #15 **

so, alle logs müßten oben sein (mehr habe ich jedenfalls nicht im angebot ;) )- trotz der 25000 zeichen begrenzung.

Hi,
ich schau mir die logs noch genauer an, editier, solang es noch möglich ist, bitte, die Links in deinem Log.

EDIT: Bei silentrunners ist was schiefgelaufen. :D Das was du da gepostet hast, ist das Skript, nicht das Ergebnis von dem Skript :D

lg myrtille

LACH NICH!!!!

:headbang: ich hab mich schon gewundert, weil die datei so groß war ;)

jedenfalls lief das skript über die zip.datei nicht wg. vista. stattdessen wurde ich hierher geleitet:

http://www.silentrunners.org/Silent%20Runners%20RED.vbs

ich hab gedacht, die webseite führt das skript selbst aus. war wohl nicht.

und jetzt habe ich den vorführeffekt: heute läuft auch die zip.datei. vista auf einmal kein problem mehr.

glg sunamo

"Silent Runners.vbs", revision 58, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Acer Tour Reminder" = "(empty string)" [file not found]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"eDataSecurity Loader" = "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" ["HiTRUST"]
"Acer Tour" = "(empty string)" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"PLFSetL" = "C:\Windows\PLFSetL.exe" ["sonix"]
"PlayMovie" = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"" ["CyberLink Corp."]
"IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"eRecoveryService" = "(empty string)" [file not found]
"Acer Tour Reminder" = "C:\Acer\AcerTour\Reminder.exe" ["Acer Inc."]
"WarReg_PopUp" = "C:\Acer\WR_PopUp\WarReg_PopUp.exe" [null data]
"SetPanel" = "C:\Acer\APanel\APanel.cmd" [file not found]
"eAudio" = ""C:\Acer\Empowering Technology\eAudio\eAudio.exe"" ["CyberLink"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
-> {HKLM...CLSID} = "FGCatchUrl"
\InProcServer32\(Default) = "D:\Programme\FlashGet\jccatch.dll" ["webseite.flashget.com"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ShowBarObj Class"
\InProcServer32\(Default) = "C:\Windows\system32\ActiveToolBand.dll__BHODemonDisabled" [file not found]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FDMIECookiesBHO Class"
\InProcServer32\(Default) = "D:\Programme\Free Download Manager\iefdm2.dll" [null data]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashGet GetFlash Class"
\InProcServer32\(Default) = "D:\Programme\FlashGet\getflash.dll" ["webseite.flashget.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
-> {HKLM...CLSID} = "EPM-PO Shell Extensions"
\InProcServer32\(Default) = "epm-po.dll" [file not found]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Programme\Microsoft Office XP\Office10\msohev.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

Group Policies {GPedit.msc branch and setting}:

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}


Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"


Enabled Screen Saver:

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Aurora.scr" [MS]


Windows Portable Device AutoPlay Handlers

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

LightScribeOnArrivalAP\
"Provider" = "LightScribe Direct Disc Labeling"
"InvokeProgID" = "LightScribe.AutoPlayHandler"
"InvokeVerb" = "LabelLightScribeDisc"
HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"]

MDCBlankCDArrival\
"Provider" = "DVDivine"
"InvokeProgID" = "BlankCD"
"InvokeVerb" = "OpenWithMakeDisc"
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"]

MDCDVDBurningOnArrival\
"Provider" = "DVDivine"
"InvokeProgID" = "BlankDVD"
"InvokeVerb" = "OpenWithMakeDisc"
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"]

MMJBAutoplayBURNERPLUS\
"Provider" = "MUSICMATCH Burner Plus"
"InvokeProgID" = "MMJB.BURN"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" [file not found]

NTIBurner\
"Provider" = "NTI CD-Maker"
"InvokeProgID" = "NTIBurnerOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\NTIBurnerOpen\shell\open\command\(Default) = ""C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\Cdmkr32.exe"" ["NewTech Infosystems, Inc."]

PlayMoviePlayDVDMovieOnArrival\
"Provider" = "Play Movie"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPlayMovie"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPlayMovie\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe" "%L"" ["CyberLink Corp."]

PPCDBurningOnArrival\
"Provider" = "PowerProducer"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerProducer"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

PPDCameraArrival\
"Provider" = "PowerProducer"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerProducer"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

PPDVArrival\
"Provider" = "PowerProducer"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

SilentRunners Teil 2

Startup items in "benutzername" & "All Users" startup folders:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office XP\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 22


Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}"
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided)
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "D:\Programme\FlashGet\FlashGet.exe" ["FlashGet.com"]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


Miscellaneous IE Hijack Points

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):

a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
ALaunch Service, ALaunchService, "C:\Acer\ALaunch\ALaunchSvc.exe" [null data]
Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
Automatisches LiveUpdate - Scheduler, Automatisches LiveUpdate - Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
eDSService.exe, eDataSecurity Service, ""C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"" ["HiTRSUT"]
eLock Service, eLockService, "C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe" [null data]
eNet Service, eNet Service, "C:\Acer\Empowering Technology\eNet\eNet Service.exe" ["Acer Inc."]
ePower Service, WMIService, "C:\Acer\Empowering Technology\ePower\ePowerSvc.exe" ["acer"]
eRecovery Service, eRecoveryService, "C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe" [null data]
eSettings Service, eSettingsService, "C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe" [null data]
Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Intel(R) Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
MobilityService, MobilityService, "C:\Acer\Mobility Center\MobilityService.exe -p" [null data]
SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
XAudioService, XAudioService, "C:\Windows\system32\DRIVERS\xaudio.exe" ["Conexant Systems, Inc."]
Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}

Print Monitors:

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

(launch time: 2008-05-20 10:33:44)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
(total run time: 69 seconds, including 10 seconds for message boxes)

hallo zusammen,

ich hoffe, ich habe silentrunners jetzt richtig ausgeführt. das file und das von dss sind jetzt online. könnt ihr mal schauen, ob euch noch was auffällt.

schönen rest-feiertag

Hi,
sry hab gar nicht mitgekriegt, dass du Silentrunners nachgereicht hast. :)
Ich lach ja gar nicht. Wer behauptet denn sowas :p Sowas würde ich niemals wagen. ;)


Die beiden Logs sind sauber. :) Wenn du die beiden autorun.inf gelöscht hast und sie nicht wieder neuerstellt wurden, würde ich denken, dass die Infektion bei dir nicht aktiv ist.

lg myrtille

:aplaus::aplaus::aplaus:

juhu, noch mal glück gehabt. bisher ist keine neue datei dieses namens auf meinen festplatten aufgetaucht.

wenn's sauber ist, darfst du auch ruhig lachen :)

ich hab aber noch zwei fragen, wenns nicht unverschämt ist:

1. zu dem silentrunner:

am ende steht doch, das <<!>> wenn es angezeigt wird, bedeutet, das da eine verdächtige datei kurz vor dem start steht.

und in dem log wird folgendes angezeigt:

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.D LL" [MS]

hat das nichts zu bedeuten bzw. was bedeutet es?

2. zu meiner funktionsunfähigen systemwiederherstellung.

kennst du jemand bzw. ein forum, wo ich das noch mal posten kann und wo ich ne andere antwort kriegen kann als format c: oder schmeiß vista weg ?

lg
sunamo

Die Einträge mit <<!>> werden als verdächtig eingstuft, wie genau diese ausgewählt werden, weiß ich nicht.
Der Eintrag [MS] am Ende bedeutet jedoch, dass die Datei von Microsoft signiert ist und eine Überprüfung zeigte, dass der ganze Eintrag von Microsoft stammt und damit unbedenklich ist. :)


Mit der Systemwiederherstellung kannst du es hier im Windowsunterforum mal probieren. :)

lg myrtille

Neuer Fund: TR/Hijacker.GEN, AW: TR/VB.aqt.58
 

jetzt wollte ich dich gerade heilig sprechen, wg. der guten nachrichten und nun geht es in die zweite runde.

diesmal hat antivir gemeldet, eine update.exe, die in einem verzeichnis von flashget steckt, sei Hijacker.Gen. laut virus total stimmt das zu 15 prozenzt. die datei ist in quarantäne und beim neustart auch nicht wieder aufgetaucht. trotzdem poste ich noch mal die ganzen logs mit der bitte, noch einmal nachzuschauen. ich werde dann flashget deinstallieren. habe gelesen, dass das nicht ohne ist.

die datei befand sich unter D:\Programme\FlashGet\FGUpdate

soll ich auch deren inhalt wieder posten?

anbei das hijack-log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:32, on 22.05.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Users\Corinna\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! Deutschland
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! Deutschland
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! Deutschland
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! Deutschland
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Programme\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll (disabled by BHODemon)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Programme\FlashGet\getflash.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Alles mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://D:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Videos mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12522 bytes

DSS Teil 1

Deckard's System Scanner v20071014.68
Run by benutzername on 2008-05-22 11:09:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.39 GiB (less than 15%) free.


-- HijackThis (run as benutzername.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:18, on 22.05.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Users\benutzername\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\benutzername\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\benutzername.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = webseite://de.rd.yahoo.com/customize/ycomp/defaults/sp/*webseite://de.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = webseite://de.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = webseite://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = webseite://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = webseite://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = webseite://de.rd.yahoo.com/customize/ycomp/defaults/su/*webseite://de.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Programme\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll (disabled by BHODemon)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Programme\FlashGet\getflash.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: &Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Alles mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://D:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Videos mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12529 bytes

DSS Teil 2

-- Files created between 2008-04-22 and 2008-05-22 -----------------------------

2008-05-18 12:05:15 0 d-------- C:\Program Files\Trend Micro
2008-05-18 06:19:59 0 d-------- C:\Users\All Users\Avira
2008-05-18 06:19:59 0 d-------- C:\Program Files\Avira


-- Find3M Report ---------------------------------------------------------------

2008-05-22 11:00:18 641344 --a------ C:\Windows\system32\perfh007.dat
2008-05-22 11:00:18 116706 --a------ C:\Windows\system32\perfc007.dat
2008-05-22 10:56:04 27525 --a------ C:\Users\benutzername\AppData\Roaming\nvModes.001
2008-05-22 10:36:00 0 d-------- C:\Users\benutzername\AppData\Roaming\Free Download Manager
2008-05-21 12:20:57 0 d-------- C:\Program Files\a-squared Free
2008-05-18 02:11:32 0 d-------- C:\Program Files\Acer GameZone
2008-05-17 12:53:20 0 d-------- C:\Users\benutzername\AppData\Roaming\Power Sound Editor Free
2008-05-17 12:47:16 0 d-------- C:\Users\benutzername\AppData\Roaming\foobar2000
2008-05-08 11:45:55 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-04-17 14:52:32 0 d-------- C:\Users\benutzername\AppData\Roaming\DivX
2008-04-14 12:35:40 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-14 12:35:39 0 d-------- C:\Program Files\Common Files
2008-04-12 19:09:06 0 d-------- C:\Program Files\Apple Software Update
2008-04-12 13:24:14 0 d-------- C:\Users\benutzername\AppData\Roaming\Real
2008-04-12 13:20:56 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-12 13:20:53 0 d-------- C:\Program Files\Common Files\Real
2008-04-06 10:49:54 0 d-------- C:\Program Files\Common Files\Sandlot Shared
2008-04-04 14:54:09 0 d-------- C:\Program Files\CCleaner
2008-04-04 14:37:27 0 d-------- C:\Program Files\Ss-Tools
2008-04-01 16:55:18 0 d-------- C:\Users\benutzername\AppData\Roaming\vlc
2008-04-01 15:48:55 0 d-------- C:\Program Files\CamStudio
2008-03-31 14:25:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:48 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 14:25:46 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 14:25:46 831488 --a------ C:\Windows\system32\divx_xx0a.dll
2008-03-31 14:25:46 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-22 08:03:22 0 d-------- C:\Program Files\Power Sound Editor Free
2008-03-21 13:30:08 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-03-21 13:28:54 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 13:28:54 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 13:28:20 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-03-17 13:25:07 46 --a------ C:\Windows\system32\DonationCoder_rokusnooper_InstallInfo.dat
2008-03-10 15:56:35 0 -rahs---- C:\MSDOS.SYS
2008-03-10 15:56:35 0 -rahs---- C:\IO.SYS
2008-03-08 11:39:32 138 --a------ C:\Users\benutzername\AppData\Roaming\wklnhst.dat
2008-02-29 13:43:39 0 --a------ C:\Windows\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [14.08.2007 06:54]
"RtHDVCpl"="RtHDVCpl.exe" [05.07.2007 20:06 C:\Windows\RtHDVCpl.exe]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [25.04.2007 07:33]
"Acer Tour"="" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [25.07.2007 08:39]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [25.07.2007 08:39]
"PLFSetL"="C:\Windows\PLFSetL.exe" [05.07.2007 03:35]
"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [24.05.2007 04:38]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21.03.2007 04:00]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06.06.2007 01:06]
"eRecoveryService"="" []
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [22.05.2007 06:49]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05.11.2006 13:48]
"SetPanel"="C:\Acer\APanel\APanel.cmd" []
"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [11.06.2007 06:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [21.02.2008 20:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 14:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12.04.2008 13:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [20.11.2006 21:39]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [20.11.2006 21:36]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29.01.2008 18:38]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12.02.2008 10:06]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [27.06.2007 02:15]
"QuickTime Task"="D:\Programme\QuickTime\QTTask.exe" [28.03.2008 14:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02.11.2006 05:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 03:43]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - D:\Programme\Microsoft Office XP\Office10\OSA.EXE [13.02.2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9d7b93b-8357-11dc-9afd-806e6f6e6963}]
AutoRun\command- F:\setup.exe /AUTORUN
configure\command- F:\setup.exe
install\command- F:\setup.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-22 11:09:45 ------------

Silentrunners Teil 1

"Silent Runners.vbs", revision 58, http://Webseite.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------b

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Acer Tour Reminder" = "(empty string)" [file not found]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"eDataSecurity Loader" = "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" ["HiTRUST"]
"Acer Tour" = "(empty string)" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"PLFSetL" = "C:\Windows\PLFSetL.exe" ["sonix"]
"PlayMovie" = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"" ["CyberLink Corp."]
"IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"eRecoveryService" = "(empty string)" [file not found]
"Acer Tour Reminder" = "C:\Acer\AcerTour\Reminder.exe" ["Acer Inc."]
"WarReg_PopUp" = "C:\Acer\WR_PopUp\WarReg_PopUp.exe" [null data]
"SetPanel" = "C:\Acer\APanel\APanel.cmd" [file not found]
"eAudio" = ""C:\Acer\Empowering Technology\eAudio\eAudio.exe"" ["CyberLink"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"LManager" = "C:\PROGRA~1\LAUNCH~1\LManager.exe" ["Dritek System Inc."]
"QuickTime Task" = ""D:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
-> {HKLM...CLSID} = "FGCatchUrl"
\InProcServer32\(Default) = "D:\Programme\FlashGet\jccatch.dll" ["Webseite.flashget.com"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ShowBarObj Class"
\InProcServer32\(Default) = "C:\Windows\system32\ActiveToolBand.dll__BHODemonDisabled" [file not found]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FDMIECookiesBHO Class"
\InProcServer32\(Default) = "D:\Programme\Free Download Manager\iefdm2.dll" [null data]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashGet GetFlash Class"
\InProcServer32\(Default) = "D:\Programme\FlashGet\getflash.dll" ["Webseite.flashget.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
-> {HKLM...CLSID} = "EPM-PO Shell Extensions"
\InProcServer32\(Default) = "epm-po.dll" [file not found]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Programme\Microsoft Office XP\Office10\msohev.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

Silentrunners Teil 2

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Aurora.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

LightScribeOnArrivalAP\
"Provider" = "LightScribe Direct Disc Labeling"
"InvokeProgID" = "LightScribe.AutoPlayHandler"
"InvokeVerb" = "LabelLightScribeDisc"
HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"]

MDCBlankCDArrival\
"Provider" = "DVDivine"
"InvokeProgID" = "BlankCD"
"InvokeVerb" = "OpenWithMakeDisc"
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"]

MDCDVDBurningOnArrival\
"Provider" = "DVDivine"
"InvokeProgID" = "BlankDVD"
"InvokeVerb" = "OpenWithMakeDisc"
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"]

MMJBAutoplayBURNERPLUS\
"Provider" = "MUSICMATCH Burner Plus"
"InvokeProgID" = "MMJB.BURN"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" [file not found]

NTIBurner\
"Provider" = "NTI CD-Maker"
"InvokeProgID" = "NTIBurnerOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\NTIBurnerOpen\shell\open\command\(Default) = ""C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\Cdmkr32.exe"" ["NewTech Infosystems, Inc."]

PlayMoviePlayDVDMovieOnArrival\
"Provider" = "Play Movie"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPlayMovie"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPlayMovie\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe" "%L"" ["CyberLink Corp."]

PPCDBurningOnArrival\
"Provider" = "PowerProducer"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerProducer"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

PPDCameraArrival\
"Provider" = "PowerProducer"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerProducer"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

PPDVArrival\
"Provider" = "PowerProducer"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]


Startup items in "benutzername" & "All Users" startup folders:
---------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office XP\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 22


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}"
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided)
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "D:\Programme\FlashGet\FlashGet.exe" ["FlashGet.com"]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
ALaunch Service, ALaunchService, "C:\Acer\ALaunch\ALaunchSvc.exe" [null data]
Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
Automatisches LiveUpdate - Scheduler, Automatisches LiveUpdate - Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
eDSService.exe, eDataSecurity Service, ""C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"" ["HiTRSUT"]
eLock Service, eLockService, "C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe" [null data]
eNet Service, eNet Service, "C:\Acer\Empowering Technology\eNet\eNet Service.exe" ["Acer Inc."]
ePower Service, WMIService, "C:\Acer\Empowering Technology\ePower\ePowerSvc.exe" ["acer"]
eRecovery Service, eRecoveryService, "C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe" [null data]
eSettings Service, eSettingsService, "C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe" [null data]
Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Intel(R) Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
MobilityService, MobilityService, "C:\Acer\Mobility Center\MobilityService.exe -p" [null data]
SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
XAudioService, XAudioService, "C:\Windows\system32\DRIVERS\xaudio.exe" ["Conexant Systems, Inc."]
Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2008-05-22 11:02:17)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 70 seconds, including 5 seconds for message boxes)

Hi,
die Logs sind meines Erachtens sauber.

Flashget hat in letzter Zeit leider viele Negativschlagzeilen gehabt und auch schonmal Malware per update verteilt.
Ich würde die Datei daher vorerst in Quarantäne lassen und evtl Flashget gleich komplett deinstallieren. :D

Wenn du sichergehen willst, kannst du die Datei noch als "Verdacht auf Fehlalarm" bei Avira einschicken: Link und schauen was deren Analytiker meinen.

lg myrtille

super,:party:

danke. mache alles gleich weg und habe hoffentlich für ne längere zeit endlich ruhe. bei avira war ich mit der datei schon. ist definitiv maleware.

schönes wochenende und bis zum nächsten mal :)

sunamo

Hi,
na ich hoffe für dich, dass wir uns nicht allzu schnell wiedersehen (müssen). ;)

Wünsche auch noch ein schönes Wochenende. :)

lg myrtille