Trojaner-Board
Seite 1 von 3 1 23
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Google Suche und Windows Auto-update defekt, popups, trojaner (https://www.trojaner-board.de/60538-google-suche-windows-auto-update-defekt-popups-trojaner.html)

Nik1385 23.09.2008 21:31
Google Suche und Windows Auto-update defekt, popups, trojaner
 
Hallo zusammen,
ich habe folgende Probleme, und hoffe, dass ihr mir weiterhelfen könnt:
Seit ein paar Tagen funktioniert die Google Suche nicht mehr, Google selbst kann ich normal aufrufen. Außerdem kommen immer wieder mal Popups, die ich vorher nie hatte (ich nutze Mozilla Firefox). Außerdem ist das Windows Auto-update deaktivert, beim Versuch es zu aktivieren kriege ich den Fehler:
"Der Dienst "Automatische Updates" auf "Lokaler Computer" konnte nicht gestartet werden.
Fehler 1058: Der angegebene Dienst kann nicht gestartet werden. Er ist deaktiviert oder nicht mit aktivierten Geräten verbunden."
Ich habe mir in den letzten Tagen einige Trojaner eingefangen(u.a. TR/Vundo.LA ), die Avira AntiVir entdeckt und gelöscht hat. Habe noch Ad-Aware durchlaufen lassen, aber die oben beschriebenen Probleme bleiben bestehen.
Vielleicht könnt ihr mir anhand der highjackthis logfile helfen.
Vielen Dank im Voraus für Eure Hilfe!


Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:40, on 23.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Power Manager\PM.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\Microsoft IntelliType Pro\dpupdchk.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\iTunes\iTunes.exe
C:\Programme\Foxie Suite\Firewall.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\N***s\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: (no name) - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Programme\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [PowerManager] C:\Programme\Power Manager\PM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [b8db8f8d] rundll32.exe "C:\WINDOWS\system32\dtnjcknq.dll",b
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BMbbe8bc11] Rundll32.exe "C:\WINDOWS\system32\rmkrvkog.dll",s
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [Foxie Firewall] C:\Programme\Foxie Suite\Firewall.exe
O4 - HKLM\..\Policies\Explorer\Run: [isamonitor.exe] C:\Programme\Video ActiveX Object\isamonitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Programme\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222185975655
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: deazux.dll
O22 - SharedTaskScheduler: boob - {01b55afa-f451-474b-9e91-c35b24d02641} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--

cosinus 24.09.2008 18:28
Hallo und :hallo:

Acker diese Punkte für weitere Analysen ab:

1.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:
Code:
C:\WINDOWS\system32\dtnjcknq.dll
C:\WINDOWS\system32\rmkrvkog.dll
C:\Programme\Video ActiveX Object\isamonitor.exe
C:\Programme\Video ActiveX Object\pmsngr.exe
2.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen des System durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

3.) Führe dieses MBR-Tool aus und poste die Ausgabe

4.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten

5.) Führe Silentrunners nach dieser Anleitung aus und poste das Logfile (mit Codetags umschlossen), falls es zu groß sein sollte kannst Du es (gezippt) bei file-upload.net hochladen und hier verlinken.

6.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir das Tool hier herunter auf den Desktop -> KLICK
Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:
  • Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
    Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.
  • Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.
Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:
[code] Hier das Logfile rein! [/code]
7.) Mach auch ein Filelisting mit diesem script:
  • Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
  • Doppelklick auf listing8.cmd auf dem Desktop
  • nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

8.) Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe - editiere die Links und privaten Infos!!

Nik1385 25.09.2008 09:58
Vielen Dank zunächst für die Hilfe!

zu Punkt 1: Drei der Dateien existieren nicht, auch nicht, wenn ich alle Dateien anzeigen lasse.
nicht existent:
C:\WINDOWS\system32\dtnjcknq.dll
C:\Programme\Video ActiveX Object\isamonitor.exe (hier existiert nichtmal der Ordner Video Active X)
C:\Programme\Video ActiveX Object\pmsngr.exe
Von der einzigen verbliebenen Datei (C:\WINDOWS\system32\rmkrvkog.dll) hier der Virustotal Eintrag:

Code:
Antivirus          Version          letzte aktualisierung          Ergebnis
AhnLab-V3        2008.9.25.0        2008.09.25        -
AntiVir        7.8.1.34        2008.09.25        TR/Inject.icc
Authentium        5.1.0.4        2008.09.24        -
Avast        4.8.1195.0        2008.09.24        -
AVG        8.0.0.161        2008.09.24        Generic11.AFKC
BitDefender        7.2        2008.09.25        Trojan.Vundo.FNU
CAT-QuickHeal        9.50        2008.09.25        -
ClamAV        0.93.1        2008.09.25        -
DrWeb        4.44.0.09170        2008.09.25        Trojan.Virtumod.450
eSafe        7.0.17.0        2008.09.24        Suspicious File
eTrust-Vet        31.6.6105        2008.09.24        Win32/VundoCryptorT!generic
Ewido        4.0        2008.09.24        -
F-Prot        4.4.4.56        2008.09.25        -
F-Secure        8.0.14332.0        2008.09.25        Trojan.Win32.Inject.icc
Fortinet        3.113.0.0        2008.09.25        W32/Inject.ICC!tr
GData        19        2008.09.25        Trojan.Vundo.FNU
Ikarus        T3.1.1.34.0        2008.09.25        Trojan.Win32.Vundo.AY
K7AntiVirus        7.10.470        2008.09.24        -
Kaspersky        7.0.0.125        2008.09.25        Trojan.Win32.Inject.icc
McAfee        5391        2008.09.24        Vundo.gen.k
Microsoft        1.3903        2008.09.25        Trojan:Win32/Vundo.gen!G
NOD32        3469        2008.09.24        -
Norman        5.80.02        2008.09.24        -
Panda        9.0.0.4        2008.09.24        -
PCTools        4.4.2.0        2008.09.24        -
Prevx1        V2        2008.09.25        Fraudulent Security Program
Rising        20.63.32.00        2008.09.25        Packer.Win32.Agent.v
Sophos        4.33.0        2008.09.25        Troj/Virtum-Gen
Sunbelt        3.1.1668.1        2008.09.24        Trojan.Win32.Inject.icc
Symantec        10        2008.09.25        -
TheHacker        6.3.0.9.093        2008.09.25        -
TrendMicro        8.700.0.1004        2008.09.25        TROJ_INJECT.XC
VBA32        3.12.8.6        2008.09.25        -
ViRobot        2008.9.25.1391        2008.09.25        -
VirusBuster        4.5.11.0        2008.09.24        -
Webwasher-Gateway        6.6.2        2008.09.25        Trojan.Inject.icc
weitere Informationen
File size: 97280 bytes
MD5...: 5d959e9284e7a0f8d931c74b70cbfb6f
SHA1..: 76aa0ae1c757ac803bda5d560ab3778237b8f0fb
SHA256: 30ac3b104859d7347e73c406f72dd2380b3a4ab08b022d50e7a9f841e4a8d48a
SHA512: 8a792068915a79fca820b04d10067a64517f83231cb8bd3410b01397143d63ca
8e2caf0e37c5f31a54a9d185d3178cb2110270f84f09addd7bf36aa1a6095606
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd000 0xc600 7.98 bac3d84c744d18a599012304bc56a65f
.data 0xe000 0x1000 0x400 4.64 71a7303083e4a377f1a3ea0d0e886f9c
.rdata 0xf000 0x21000 0xae00 7.95 20e4ee11948c7c86743faffe7e90ce13

( 3 imports )
> USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout
> KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle
> ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=6C0D2CAD006228D47C990194606E0700F6F105CB
Der Rest wird jetzt weiterabgearbeitet und gepostet

Nik1385 25.09.2008 10:27
MBR Tool:

Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Blacklight:

Code:
09/25/08 11:04:12 [Info]: BlackLight Engine 1.0.70 initialized
09/25/08 11:04:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/25/08 11:04:12 [Note]: 7019 4
09/25/08 11:04:12 [Note]: 7005 0
09/25/08 11:04:16 [Note]: 7006 0
09/25/08 11:04:16 [Note]: 7011 268
09/25/08 11:04:16 [Note]: 7035 0
09/25/08 11:04:16 [Note]: 7026 0
09/25/08 11:04:16 [Note]: 7026 0
09/25/08 11:04:18 [Note]: FSRAW library version 1.7.1024
09/25/08 11:09:04 [Note]: 2000 1012
09/25/08 11:09:04 [Note]: 2000 1012
09/25/08 11:09:52 [Note]: 7007 0
Das MalwareBytes Antimalware Tool hat sich bei 4 Sekunden Suchlauf und 13 infizierten Objekten aufgehängt. Nach dem Neustart des Rechners und erneutes Suchlaufs mit malwarebytes hat sich der Laptop komplett mit bluescreen aufgehängt. Daher mach ich jetzt erstmal ohne die Ergebnisse von dem Tool weiter

Nik1385 25.09.2008 10:34
SilentRunners Logfile:

Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Foxie Firewall" = "C:\Programme\Foxie Suite\Firewall.exe" ["Team Foxie"]
"TuneUp MemOptimizer" = ""C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"isamonitor.exe" = "C:\Programme\Video ActiveX Object\isamonitor.exe" [file not found]
"pmsngr.exe" = "C:\Programme\Video ActiveX Object\pmsngr.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\ipoint.exe"" [MS]
"itype" = ""C:\Programme\Microsoft IntelliType Pro\itype.exe"" [MS]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Apoint" = "C:\Programme\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"PowerManager" = "C:\Programme\Power Manager\PM.exe" [empty string]
"b8db8f8d" = "rundll32.exe "C:\WINDOWS\system32\fknwluay.dll",b" [MS]
"BMbbe8bc11" = "Rundll32.exe "C:\WINDOWS\system32\irsypqon.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath  = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{432CAE3B-690F-4C3B-BD97-070EBDA210D5}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FoxieToolbar Class"
                  \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxietoolbaru.dll" ["Team Foxie"]
{453fddb0-412c-489f-b3b4-81b40fdfcb40}\(Default) = "{04bcfdf0-4b18-4b3b-f984-c2140bddf354}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\xuldtt.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{C65185B1-D52B-44A9-861F-8201B50D1F37}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FoxieSecurityModule Class"
                  \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"]
{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\qoMdATjh.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                  \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                  \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                  \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                  \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{1825D0FA-5B0C-4e20-A929-3EFD15B6DF71}" = "IntelliType Pro Touchpad Control Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Touchpad Control Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcpltp.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "Schnurlose Eigenschaften"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
  -> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
  -> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
  -> {HKLM...CLSID} = "Tasten-Eigenschaftenseite"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{3BEABCC1-BF31-42df-88D9-A2955D6B8528}" = "IntelliPoint Sensitivity Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliPoint Sensitivity Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplsens.dll"" [MS]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\qoMdATjh"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> yayvTmmk\DLLName = "yayvTmmk.dll" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                  \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                  \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoTrayItemsDisplay" = (REG_BINARY) hex:00 00 00 00
{Hide the notification area}

"NoDrives" = (REG_BINARY) hex:00 00 00 00
{unrecognized setting}

"NoSharedDocuments" = (REG_BINARY) hex:00 00 00 00
{Remove Shared Documents from My Computer}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) dword:0x00000001
{Don't save settings at exit}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"No_LaunchMediaBar" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"DisableCAD" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Niklas\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Programme\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

PixumEasyprint\
"Provider" = "Pixum Easyprint 1.2"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Pixum AG\Pixum EasyPrint\easyprint.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                  \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Startup items in "Niklas" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Niklas\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Stardock ObjectDock" -> shortcut to: "C:\Programme\ObjectDock\ObjectDock.exe" ["Stardock"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQ Toolbar"
                  \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
                  \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]
"{09C02180-3B46-4CD8-83FF-34DAF442BDEF}" = "MultiTab Tool"
  -> {HKLM...CLSID} = "Foxie"
                  \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{306BBB66-D9E4-4481-833E-C1D5FCA06774}\
"ButtonText" = "Desktop Search"
"MenuText" = "Desktop Search"
"Script" = "C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm" [null data]

{546E08AA-809F-4F1A-BE1A-6B122EBFCD5A}\
"ButtonText" = "Privacy Cleaner"
"MenuText" = "Privacy Cleaner"
"Exec" = "C:\Programme\Foxie Suite\Cleaner.exe" ["Team Foxie"]

{61039B22-563D-4922-B844-B076C318A66A}\
"ButtonText" = "Swift Sweeper"
"MenuText" = "Swift Sweeper"
"Exec" = "C:\Programme\Foxie Suite\Sweeper.exe" ["Team Foxie"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{E4143585-2688-4EBC-B264-27C774F600D5}\
"ButtonText" = "The Infinity Button"
"MenuText" = "The Infinity Button"
"Script" = "C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm" [null data]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
                  \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
<<H>> "foxie" = "res://foxiecoreu.dll/options.html" [file not found]
<<H>> "desktopsearch" = "C:\Programme\Foxie Suite\Resources\HTML\Query.htm" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Logitech Process Monitor, LVPrcSrv, "c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe" ["Logitech Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
eDocPortMonitor\Driver = "C:\PROGRA~1\GEMEIN~1\MAYCOM~1\EDOCPR~1\eDocPort.dll" ["May Software"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" [file not found]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-09-25 11:30:04)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 119 seconds.
---------- (total run time: 172 seconds)

Nik1385 25.09.2008 10:36
SilentRunners Logfile:

Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Foxie Firewall" = "C:\Programme\Foxie Suite\Firewall.exe" ["Team Foxie"]
"TuneUp MemOptimizer" = ""C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"isamonitor.exe" = "C:\Programme\Video ActiveX Object\isamonitor.exe" [file not found]
"pmsngr.exe" = "C:\Programme\Video ActiveX Object\pmsngr.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\ipoint.exe"" [MS]
"itype" = ""C:\Programme\Microsoft IntelliType Pro\itype.exe"" [MS]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Apoint" = "C:\Programme\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"PowerManager" = "C:\Programme\Power Manager\PM.exe" [empty string]
"b8db8f8d" = "rundll32.exe "C:\WINDOWS\system32\fknwluay.dll",b" [MS]
"BMbbe8bc11" = "Rundll32.exe "C:\WINDOWS\system32\irsypqon.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath  = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{432CAE3B-690F-4C3B-BD97-070EBDA210D5}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FoxieToolbar Class"
                  \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxietoolbaru.dll" ["Team Foxie"]
{453fddb0-412c-489f-b3b4-81b40fdfcb40}\(Default) = "{04bcfdf0-4b18-4b3b-f984-c2140bddf354}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\xuldtt.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{C65185B1-D52B-44A9-861F-8201B50D1F37}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FoxieSecurityModule Class"
                  \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"]
{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\qoMdATjh.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                  \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                  \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                  \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                  \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{1825D0FA-5B0C-4e20-A929-3EFD15B6DF71}" = "IntelliType Pro Touchpad Control Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Touchpad Control Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcpltp.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "Schnurlose Eigenschaften"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
  -> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
  -> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
  -> {HKLM...CLSID} = "Tasten-Eigenschaftenseite"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{3BEABCC1-BF31-42df-88D9-A2955D6B8528}" = "IntelliPoint Sensitivity Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliPoint Sensitivity Property Page"
                  \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplsens.dll"" [MS]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\qoMdATjh"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> yayvTmmk\DLLName = "yayvTmmk.dll" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                  \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                  \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                  \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoTrayItemsDisplay" = (REG_BINARY) hex:00 00 00 00
{Hide the notification area}

"NoDrives" = (REG_BINARY) hex:00 00 00 00
{unrecognized setting}

"NoSharedDocuments" = (REG_BINARY) hex:00 00 00 00
{Remove Shared Documents from My Computer}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) dword:0x00000001
{Don't save settings at exit}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"No_LaunchMediaBar" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"DisableCAD" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Niklas\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Programme\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

PixumEasyprint\
"Provider" = "Pixum Easyprint 1.2"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Pixum AG\Pixum EasyPrint\easyprint.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                  \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Startup items in "Niklas" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Niklas\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Stardock ObjectDock" -> shortcut to: "C:\Programme\ObjectDock\ObjectDock.exe" ["Stardock"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQ Toolbar"
                  \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
                  \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]
"{09C02180-3B46-4CD8-83FF-34DAF442BDEF}" = "MultiTab Tool"
  -> {HKLM...CLSID} = "Foxie"
                  \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{306BBB66-D9E4-4481-833E-C1D5FCA06774}\
"ButtonText" = "Desktop Search"
"MenuText" = "Desktop Search"
"Script" = "C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm" [null data]

{546E08AA-809F-4F1A-BE1A-6B122EBFCD5A}\
"ButtonText" = "Privacy Cleaner"
"MenuText" = "Privacy Cleaner"
"Exec" = "C:\Programme\Foxie Suite\Cleaner.exe" ["Team Foxie"]

{61039B22-563D-4922-B844-B076C318A66A}\
"ButtonText" = "Swift Sweeper"
"MenuText" = "Swift Sweeper"
"Exec" = "C:\Programme\Foxie Suite\Sweeper.exe" ["Team Foxie"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{E4143585-2688-4EBC-B264-27C774F600D5}\
"ButtonText" = "The Infinity Button"
"MenuText" = "The Infinity Button"
"Script" = "C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm" [null data]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
                  \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
<<H>> "foxie" = "res://foxiecoreu.dll/options.html" [file not found]
<<H>> "desktopsearch" = "C:\Programme\Foxie Suite\Resources\HTML\Query.htm" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Logitech Process Monitor, LVPrcSrv, "c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe" ["Logitech Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
eDocPortMonitor\Driver = "C:\PROGRA~1\GEMEIN~1\MAYCOM~1\EDOCPR~1\eDocPort.dll" ["May Software"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" [file not found]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-09-25 11:30:04)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

---------- (total run time: 172 seconds)

Nik1385 25.09.2008 11:15
Hier Logfile von ComboFix:

Code:
ComboFix 08-09-24.09 - N****s 2008-09-25 12:03:33.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1031.18.1607 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\N***s\Desktop\ComboFix.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbbe8bc11.txt
C:\WINDOWS\pskt.ini

.
(((((((((((((((((((((((  Dateien erstellt von 2008-08-25 bis 2008-09-25  ))))))))))))))))))))))))))))))
.

2008-09-25 11:58 . 2008-09-25 11:58        <DIR>        d--------        C:\Programme\CCleaner
2008-09-25 11:55 . 2008-09-25 11:55        <DIR>        d--------        C:\WINDOWS\LastGood.Tmp
2008-09-25 11:54 . 2008-09-25 11:54        0        --a------        C:\WINDOWS\BMbbe8bc11.xml
2008-09-25 11:06 . 2008-09-25 11:06        <DIR>        d--------        C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\Malwarebytes
2008-09-25 11:05 . 2008-09-25 11:08        <DIR>        d--------        C:\Programme\Malwarebytes' Anti-Malware
2008-09-25 11:05 . 2008-09-25 11:05        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-09-25 11:05 . 2008-09-10 00:04        38,528        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-25 11:05 . 2008-09-10 00:03        17,200        --a------        C:\WINDOWS\system32\drivers\mbam.sys
2008-09-24 12:27 . 2008-09-24 12:27        112,128        --a------        C:\WINDOWS\system32\xuldtt.dll
2008-09-24 12:27 . 2008-09-24 12:27        112,128        --a------        C:\WINDOWS\system32\okitviim.dll
2008-09-24 12:24 . 2008-09-25 12:06        1,836,345        ---hs----        C:\WINDOWS\system32\yaulwnkf.ini
2008-09-24 12:24 . 2008-09-24 12:24        89,600        --a------        C:\WINDOWS\system32\fknwluay.dll
2008-09-24 12:21 . 2008-09-24 12:21        97,280        --a------        C:\WINDOWS\system32\irsypqon.dll
2008-09-23 18:29 . 2008-09-23 18:38        <DIR>        d--------        C:\WINDOWS\OEMDRV
2008-09-23 17:12 . 2005-02-08 04:37        167,936        --a------        C:\WINDOWS\system32\igfxres.dll
2008-09-23 17:12 . 2008-09-23 17:12        2,422        --a------        C:\WINDOWS\system32\wpa.bak
2008-09-23 16:53 . 2006-02-28 14:00        1,875,968        --a--c---        C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-09-23 16:52 . 2006-02-28 14:00        13,463,552        --a--c---        C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-23 16:51 . 2004-05-13 00:39        876,653        --a--c---        C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-09-23 16:49 . 2008-09-23 16:49        749        -rah-----        C:\WINDOWS\WindowsShell.Manifest
2008-09-23 16:49 . 2008-09-23 16:49        749        -rah-----        C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-09-23 16:49 . 2008-09-23 16:49        749        -rah-----        C:\WINDOWS\system32\sapi.cpl.manifest
2008-09-23 16:49 . 2008-09-23 16:49        749        -rah-----        C:\WINDOWS\system32\ncpa.cpl.manifest
2008-09-23 16:49 . 2008-09-23 16:49        488        -rah-----        C:\WINDOWS\system32\logonui.exe.manifest
2008-09-23 16:42 . 2006-02-28 14:00        24,661        --a------        C:\WINDOWS\system32\spxcoins.dll
2008-09-23 16:42 . 2006-02-28 14:00        24,661        --a--c---        C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-09-23 16:42 . 2006-02-28 14:00        13,824        --a------        C:\WINDOWS\system32\irclass.dll
2008-09-23 16:42 . 2006-02-28 14:00        13,824        --a--c---        C:\WINDOWS\system32\dllcache\irclass.dll
2008-09-23 12:23 . 2008-09-24 10:57        1,083,355        ---hs----        C:\WINDOWS\system32\qnkcjntd.ini
2008-09-23 12:20 . 2008-09-23 15:52        <DIR>        d--------        C:\Dokumente und Einstellungen\Al***s\Anwendungsdaten\Lavasoft
2008-09-23 12:20 . 2008-09-23 12:20        112,128        --a------        C:\WINDOWS\system32\shjwdfje.dll
2008-09-23 12:20 . 2008-09-23 12:20        112,128        --a------        C:\WINDOWS\system32\deazux.dll
2008-09-23 12:20 . 2008-09-23 12:20        97,280        --a------        C:\WINDOWS\system32\rmkrvkog.dll
2008-09-22 23:03 . 2007-08-21 10:12        21,760        --a------        C:\WINDOWS\system32\drivers\point32.sys
2008-09-22 23:02 . 2008-09-22 23:03        <DIR>        d--------        C:\Programme\Microsoft IntelliPoint
2008-09-22 23:02 . 2008-09-22 23:02        0        --ah-----        C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-22 23:02 . 2008-09-22 23:02        0        --ah-----        C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-09-22 23:01 . 2007-08-31 21:13        1,421,736        --a------        C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-09-22 23:01 . 2004-08-04 00:57        21,504        --a------        C:\WINDOWS\system32\drivers\hidserv.dll
2008-09-22 23:01 . 2007-08-31 21:15        18,856        --a------        C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-09-22 23:00 . 2008-09-22 23:00        <DIR>        d--------        C:\Programme\MSXML 6.0
2008-09-22 23:00 . 2008-09-22 23:01        <DIR>        d--------        C:\Programme\Microsoft IntelliType Pro
2008-09-22 22:44 . 2008-09-23 12:08        1,024,403        --ahs----        C:\WINDOWS\system32\mpxxaiiv.ini
2008-09-22 22:41 . 2008-09-22 22:41        112,128        --a------        C:\WINDOWS\system32\thxfhokn.dll
2008-09-22 22:41 . 2008-09-22 22:41        112,128        --a------        C:\WINDOWS\system32\frwvqx.dll
2008-09-22 22:38 . 2008-09-22 22:38        97,280        --a------        C:\WINDOWS\system32\ksbewsio.dll
2008-09-21 11:42 . 2008-09-22 22:38        1,024,223        --ahs----        C:\WINDOWS\system32\otkmtoad.ini
2008-09-21 11:42 . 2008-09-21 11:42        112,128        --a------        C:\WINDOWS\system32\vmugathq.dll
2008-09-21 11:42 . 2008-09-21 11:42        112,128        --a------        C:\WINDOWS\system32\udtkmg.dll
2008-09-21 11:39 . 2008-09-21 11:39        97,280        --a------        C:\WINDOWS\system32\htwxdndw.dll
2008-09-19 17:52 . 2008-09-19 17:52        112,128        --a------        C:\WINDOWS\system32\ttoznz.dll
2008-09-19 17:51 . 2008-09-19 17:52        112,128        --a------        C:\WINDOWS\system32\fypavvsq.dll
2008-09-19 17:50 . 2008-09-21 11:39        1,024,163        --ahs----        C:\WINDOWS\system32\udqrfxwb.ini
2008-09-19 17:46 . 2008-09-19 17:46        97,280        --a------        C:\WINDOWS\system32\kxyhtoah.dll
2008-09-18 23:23 . 2008-09-18 23:23        112,128        --a------        C:\WINDOWS\system32\iohydi.dll
2008-09-18 23:23 . 2008-09-18 23:23        112,128        --a------        C:\WINDOWS\system32\frokdlkh.dll
2008-09-18 23:06 . 2008-09-19 17:43        1,024,103        --ahs----        C:\WINDOWS\system32\knwlrian.ini
2008-09-18 23:05 . 2008-09-25 12:03        522,637        --ahs----        C:\WINDOWS\system32\hjTAdMoq.ini2
2008-09-18 23:05 . 2008-09-25 12:03        522,637        --ahs----        C:\WINDOWS\system32\hjTAdMoq.ini
2008-09-18 23:05 . 2008-09-18 23:05        257,024        --a------        C:\WINDOWS\system32\qoMdATjh.dll
2008-09-18 21:54 . 2008-09-23 17:39        <DIR>        d--------        C:\Programme\River PastVideo Cleaner Pro
2008-09-18 21:54 . 2008-09-23 17:39        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\River Past
2008-09-18 21:54 . 2008-09-18 21:54        <DIR>        d--------        C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\River Past G5
2008-09-18 21:54 . 2008-09-23 17:39        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\River Past G5
2008-09-14 16:21 . 2008-09-14 16:21        <DIR>        d--------        C:\Programme\iPod
2008-09-14 16:21 . 2008-09-14 16:22        <DIR>        d--------        C:\Dokumente und Einstellungen\A***rs\Anwendungsdaten\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-14 16:19 . 2008-09-14 16:19        <DIR>        d--------        C:\Programme\Bonjour
2008-09-14 15:53 . 2008-07-23 18:50        9,464        --a------        C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-09-14 15:53 . 2008-07-23 18:50        9,336        --a------        C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-09-14 15:52 . 2008-07-23 18:50        129,784        --a------        C:\WINDOWS\system32\pxafs.dll
2008-09-06 15:09 . 2008-09-06 15:09        90,112        --a------        C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09        57,344        --a------        C:\WINDOWS\system32\QuickTime.qts
2008-08-30 14:28 . 2008-09-23 16:00        138,067        --a------        C:\WINDOWS\setupapi.old
2008-08-29 23:55 . 2008-08-29 23:57        <DIR>        d--------        C:\Programme\MP3Gain
2008-08-29 23:02 . 2008-08-29 23:02        <DIR>        d--------        C:\Dokumente und Einstellungen\N***s\Anwendungsdaten\FoxieSpywareSwiftSweeper
2008-08-29 23:01 . 2008-08-29 23:01        <DIR>        d--------        C:\Programme\Foxie Suite
2008-08-29 19:55 . 2008-08-29 19:55        <DIR>        d--------        C:\Programme\Realtek AC97
2008-08-29 19:54 . 2008-08-29 19:54        <DIR>        d--------        C:\Programme\CHIP System-Check-Tool
2008-08-29 19:54 . 2006-09-29 22:21        77,824        --a------        C:\WINDOWS\system32\DriveInfo.dll
2008-08-29 19:54 . 2006-02-03 17:46        32,768        --a------        C:\WINDOWS\system32\chipxum.dll
2008-08-29 19:15 . 2008-09-25 11:54        <DIR>        d--------        C:\WINDOWS\system32\CatRoot2
2008-08-29 15:00 . 2006-07-11 13:20        33,879        --a------        C:\WINDOWS\system32\drivers\Capt905c.sys
2008-08-29 15:00 . 2005-04-13 15:21        24,605        --a------        C:\WINDOWS\system32\drivers\Camd905c.sys
2008-08-29 14:56 . 2008-08-29 14:56        <DIR>        d--------        C:\Programme\YouTube to Mp3 Converter
2008-08-29 14:56 . 2008-09-23 17:44        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\DVDVideoSoft
2008-08-29 10:18 . 2008-08-29 10:18        87,336        --a------        C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53        61,440        --a------        C:\WINDOWS\system32\dnssd.dll

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 10:00        ---------        d-----w        C:\Dokumente und Einstellungen\Al***s\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-09-25 08:47        ---------        d-----w        C:\Programme\Mozilla Thunderbird
2008-09-23 18:04        ---------        d-----w        C:\Programme\Opera
2008-09-23 10:20        ---------        d-----w        C:\Programme\Lavasoft
2008-09-23 10:20        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-09-23 10:17        ---------        d-----w        C:\Programme\ICQToolbar
2008-09-18 21:06        ---------        d-----w        C:\Programme\no23Recorder
2008-09-14 14:21        ---------        d-----w        C:\Programme\iTunes
2008-09-14 14:19        ---------        d-----w        C:\Programme\QuickTime
2008-09-14 14:18        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Apple
2008-09-14 13:53        ---------        d-----w        C:\Programme\DivX
2008-08-29 12:59        ---------        d--h--w        C:\Programme\InstallShield Installation Information
2008-08-07 16:29        ---------        d-----w        C:\Programme\Zone Labs
2008-08-06 19:53        ---------        d-----w        C:\Programme\Apple Software Update
2008-08-06 13:45        4,122,112        ----a-r        C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-08-04 17:13        ---------        d-----w        C:\Programme\ICQLite
2008-08-04 17:12        ---------        d-----w        C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\McLoad
2008-07-29 20:56        ---------        d-----w        C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\WinBatch
2008-07-28 20:19        ---------        d-----w        C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\Apple Computer
2008-07-28 06:14        ---------        d-----w        C:\Dokumente und Einstellungen\A***s\Anwendungsdaten\MailFrontier
2008-04-16 17:26        32        ----a-w        C:\Dokumente und Einstellungen\A***s\Anwendungsdaten\ezsid.dat
2006-09-23 16:25        2,068,792        ----a-w        C:\Programme\AVP.6.299_09.23_18.20_9dc.SRV.log
2006-09-23 16:24        50,394        ----a-w        C:\Programme\AVP.6.299_09.23_18.20_d18.ALL.log
2006-09-23 16:16        3,786,123        ----a-w        C:\Programme\AVP.6.299_09.23_18.08_5fc.SRV.log
2006-09-23 16:16        21,707        ----a-w        C:\Programme\AVP.6.299_09.23_18.08_32c.ALL.log
2004-08-04 12:00        60,416        --sha-w        C:\WINDOWS\FlyakiteOSX\Backup\msimn.exe
2006-05-10 00:14        62,976        --sha-w        C:\WINDOWS\FlyakiteOSX\Backup\wmplayer.exe
.

(((((((((((((((((((((((((((((  snapshot@2008-09-25_11.54.18.29  )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-30 17:19:46        203,096        ----a-w        C:\WINDOWS\LastGood.Tmp\system32\wuweb.dll
- 2007-07-30 17:19:46        203,096        -c--a-w        C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 20:09:44        205,000        -c--a-w        C:\WINDOWS\system32\dllcache\wuweb.dll
- 2007-07-30 17:19:46        203,096        ----a-w        C:\WINDOWS\system32\wuweb.dll
+ 2008-07-18 20:09:44        205,000        ----a-w        C:\WINDOWS\system32\wuweb.dll
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3426F6AF-A4D6-4CFB-AB0A-4E125389897A}]
2008-09-18 23:05        257024        --a------        C:\WINDOWS\system32\qoMdATjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}]
2008-09-24 12:27        112128        --a------        C:\WINDOWS\system32\xuldtt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Foxie Firewall"="C:\Programme\Foxie Suite\Firewall.exe" [2005-09-12 340227]
"TuneUp MemOptimizer"="C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" [2008-04-15 154880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"itype"="C:\Programme\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-28 266497]
"Apoint"="C:\Programme\Apoint2K\Apoint.exe" [2003-12-05 159744]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 126976]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 155648]
"PowerManager"="C:\Programme\Power Manager\PM.exe" [2005-03-30 159744]
"b8db8f8d"="C:\WINDOWS\system32\fknwluay.dll" [2008-09-24 89600]
"BMbbe8bc11"="C:\WINDOWS\system32\irsypqon.dll" [2008-09-24 97280]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 15360]

C:\Dokumente und Einstellungen\N***s\Startmen\Programme\Autostart\
Adobe Gamma.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-25 110592]
Stardock ObjectDock.lnk - C:\Programme\ObjectDock\ObjectDock.exe [2005-07-15 1802309]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xuldtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe"
"AGRSMMSG"=AGRSMMSG.exe
"MP10_EnsureFileVer"=C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" -minimize
"LogitechVideo[inspector]"=C:\Programme\Logitech\Video\InstallHelper.exe /inspect
"LogitechCameraService(E)"=C:\WINDOWS\system32\ElkCtrl.exe /automation
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"LogitechCameraAssistant"=C:\Programme\Logitech\Video\CameraAssistant.exe
"System Files Updater"=C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\ICQLite\\ICQLite.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
"C:\\Programme\\Bonjour\\mDNSResponder.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

R2 ACEDRV06;ACEDRV06;C:\WINDOWS\system32\drivers\ACEDRV06.sys [2007-01-17 99840]
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 5504]
R3 firewall;firewall;C:\Programme\Foxie Suite\firewall.sys [2005-08-07 3003]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]
S2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2006-02-28 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-04 354560]

*Newly Created Service* - FIREWALL
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\N***s\Anwendungsdaten\Mozilla\Firefox\Profiles\cx17xq0l.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.yodl.de/href.php?hrefname=FF-splug_google&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.tagesschau.de/
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 12:06:04
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Gemeinsame Dateien\Logitech\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-09-25 12:09:58 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2008-09-25 10:09:52

Vor Suchlauf: 13 Verzeichnis(se), 20.797.071.360 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 20,785,299,456 Bytes frei

257        --- E O F ---        2008-09-11 14:09:08

Nik1385 25.09.2008 11:22
Hier der Link für das Listing8 script :
File-Upload.net - listing.txt

neues Hijackthis-Logfile:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:53, on 25.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Programme\Power Manager\PM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\Foxie Suite\Firewall.exe
C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\N***s\Desktop\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: (no name) - {2D8E87C8-DC78-4451-B07C-8AE9B836A0EC} - C:\WINDOWS\system32\qoMdATjh.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Programme\Foxie Suite\foxietoolbaru.dll
O2 - BHO: {04bcfdf0-4b18-4b3b-f984-c2140bddf354} - {453fddb0-412c-489f-b3b4-81b40fdfcb40} - C:\WINDOWS\system32\xuldtt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Programme\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Programme\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PowerManager] C:\Programme\Power Manager\PM.exe
O4 - HKLM\..\Run: [b8db8f8d] rundll32.exe "C:\WINDOWS\system32\fknwluay.dll",b
O4 - HKLM\..\Run: [BMbbe8bc11] Rundll32.exe "C:\WINDOWS\system32\irsypqon.dll",s
O4 - HKCU\..\Run: [Foxie Firewall] C:\Programme\Foxie Suite\Firewall.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222185975655
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xuldtt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8630 bytes

Nik1385 25.09.2008 11:33
So, das wars. Hat von der Durchführung alles gut geklappt, bis auf Malwarebytes Antimalware. Hab es gerade nocheinmal versucht, aber das Programm und mein Rechner hängen sich dabei auf. Das letzte was ich gesehen habe, war nach ca 5 Sekunden Suchlauf 15 infizierte Objekte.
Hoffe Du/Ihr könnt mir weiterhelfen!
Vielen Dank nochmal im Voraus!

Nik1385 25.09.2008 17:50
Die Probleme haben sich leider allesamt nicht lösen lassen. Ich hab die Liste oben jetzt abgearbeitet und hoffe, dass jemand noch eine Idee hat.
Der Ruhezustand funktioniert auch nicht mehr, der Rechner fährt sich automatisch binnen 30 Sekunden wieder hoch...

cosinus 25.09.2008 18:29
Da sind noch extrem viele schädliche Dateien, geh bitte so vor mit dem Avenger, mach danach bitte ein neues Filelisting und Hijackthis. Versuch auch danach den Check mit Malwarebytes.


(ACHTUNG: Das Script für den Avenger ist lang, stell sicher, dass Du es KOMPLETT kopierst!!)


Lade dir das Tool Avenger und speichere es auf dem Desktop:[/b]
  • Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"
Code:
files to delete:
C:\WINDOWS\system32\dtnjcknq.dll
C:\WINDOWS\system32\rmkrvkog.dll
C:\WINDOWS\system32\fknwluay.dll
C:\WINDOWS\system32\irsypqon.dll
C:\WINDOWS\system32\xuldtt.dll
C:\WINDOWS\system32\qoMdATjh.dll
C:\WINDOWS\system32\okitviim.dll
C:\WINDOWS\system32\yaulwnkf.ini
C:\WINDOWS\system32\fknwluay.dll
C:\WINDOWS\system32\irsypqon.dll
C:\WINDOWS\system32\qnkcjntd.ini
C:\WINDOWS\system32\shjwdfje.dll
C:\WINDOWS\system32\deazux.dll
C:\WINDOWS\system32\rmkrvkog.dll
C:\WINDOWS\system32\mpxxaiiv.ini
C:\WINDOWS\system32\thxfhokn.dll
C:\WINDOWS\system32\frwvqx.dll
C:\WINDOWS\system32\ksbewsio.dll
C:\WINDOWS\system32\otkmtoad.ini
C:\WINDOWS\system32\vmugathq.dll
C:\WINDOWS\system32\udtkmg.dll
C:\WINDOWS\system32\htwxdndw.dll
C:\WINDOWS\system32\ttoznz.dll
C:\WINDOWS\system32\fypavvsq.dll
C:\WINDOWS\system32\udqrfxwb.ini
C:\WINDOWS\system32\kxyhtoah.dll
C:\WINDOWS\system32\iohydi.dll
C:\WINDOWS\system32\frokdlkh.dll
C:\WINDOWS\system32\knwlrian.ini
C:\WINDOWS\system32\hjTAdMoq.ini2
C:\WINDOWS\system32\hjTAdMoq.ini
C:\WINDOWS\system32\qoMdATjh.dll

registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|isamonitor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|pmsngr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b8db8f8d
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbe8bc11
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify|yayvTmmk

registry kes to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk

folders to delete:
C:\Programme\Video ActiveX Object
http://mitglied.lycos.de/efunction/tb/avenger.png
  • Schliesse nun alle Programme und Browser-Fenster
  • Um den Avenger zu starten klicke auf -> Execute
  • Dann bestätigen mit "Yes" das der Rechner neu startet
  • Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt
  • Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.
  • Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe - editiere die Links und privaten Infos!!

Nik1385 25.09.2008 19:28
Danke zunächst!

Also hier das Avenger-Log: da fehlte ein 'y' bei Keys, hab das geändert und dann gings auch.

Code:
//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Sep 25 20:12:33 2008

20:12:27: Error: Invalid syntax in command:
"registry kes to delete:"
Skipping line.  (Registry value deletion mode) 
20:12:31: Error: Invalid syntax in command:
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}"
Skipping line.  (Registry value deletion mode) 
20:12:33: Error: Execution aborted by user!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\system32\dtnjcknq.dll" not found!
Deletion of file "C:\WINDOWS\system32\dtnjcknq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\rmkrvkog.dll" not found!
Deletion of file "C:\WINDOWS\system32\rmkrvkog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\fknwluay.dll" not found!
Deletion of file "C:\WINDOWS\system32\fknwluay.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\irsypqon.dll" deleted successfully.
File "C:\WINDOWS\system32\xuldtt.dll" deleted successfully.
File "C:\WINDOWS\system32\qoMdATjh.dll" deleted successfully.
File "C:\WINDOWS\system32\okitviim.dll" deleted successfully.
File "C:\WINDOWS\system32\yaulwnkf.ini" deleted successfully.

Error:  file "C:\WINDOWS\system32\fknwluay.dll" not found!
Deletion of file "C:\WINDOWS\system32\fknwluay.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\irsypqon.dll" not found!
Deletion of file "C:\WINDOWS\system32\irsypqon.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\qnkcjntd.ini" deleted successfully.
File "C:\WINDOWS\system32\shjwdfje.dll" deleted successfully.
File "C:\WINDOWS\system32\deazux.dll" deleted successfully.

Error:  file "C:\WINDOWS\system32\rmkrvkog.dll" not found!
Deletion of file "C:\WINDOWS\system32\rmkrvkog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\mpxxaiiv.ini" deleted successfully.
File "C:\WINDOWS\system32\thxfhokn.dll" deleted successfully.
File "C:\WINDOWS\system32\frwvqx.dll" deleted successfully.
File "C:\WINDOWS\system32\ksbewsio.dll" deleted successfully.
File "C:\WINDOWS\system32\otkmtoad.ini" deleted successfully.
File "C:\WINDOWS\system32\vmugathq.dll" deleted successfully.
File "C:\WINDOWS\system32\udtkmg.dll" deleted successfully.
File "C:\WINDOWS\system32\htwxdndw.dll" deleted successfully.
File "C:\WINDOWS\system32\ttoznz.dll" deleted successfully.
File "C:\WINDOWS\system32\fypavvsq.dll" deleted successfully.
File "C:\WINDOWS\system32\udqrfxwb.ini" deleted successfully.
File "C:\WINDOWS\system32\kxyhtoah.dll" deleted successfully.
File "C:\WINDOWS\system32\iohydi.dll" deleted successfully.
File "C:\WINDOWS\system32\frokdlkh.dll" deleted successfully.
File "C:\WINDOWS\system32\knwlrian.ini" deleted successfully.
File "C:\WINDOWS\system32\hjTAdMoq.ini2" deleted successfully.
File "C:\WINDOWS\system32\hjTAdMoq.ini" deleted successfully.

Error:  file "C:\WINDOWS\system32\qoMdATjh.dll" not found!
Deletion of file "C:\WINDOWS\system32\qoMdATjh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  folder "C:\Programme\Video ActiveX Object" not found!
Deletion of folder "C:\Programme\Video ActiveX Object" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not delete registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|isamonitor.exe"
Deletion of registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|isamonitor.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not delete registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|pmsngr.exe"
Deletion of registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|pmsngr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b8db8f8d" deleted successfully.
Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbe8bc11" deleted successfully.

Error:  could not delete registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify|yayvTmmk"
Deletion of registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify|yayvTmmk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}" deleted successfully.

Error:  registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

Nik1385 25.09.2008 19:30
Hier das Filelisting :
File-Upload.net - listing.txt

und hijackthis logfile:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:39, on 25.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Programme\Power Manager\PM.exe
C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
C:\Programme\Foxie Suite\Firewall.exe
C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\N***s\Desktop\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Programme\Foxie Suite\foxietoolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {93DFC539-51A5-415C-930F-C62F571B008C} - C:\WINDOWS\system32\qoMdATjh.dll (file missing)
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Programme\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Programme\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PowerManager] C:\Programme\Power Manager\PM.exe
O4 - HKCU\..\Run: [Foxie Firewall] C:\Programme\Foxie Suite\Firewall.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222185975655
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xuldtt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8376 bytes

cosinus 25.09.2008 19:57
Code:
O2 - BHO: (no name) - {93DFC539-51A5-415C-930F-C62F571B008C} - C:\WINDOWS\system32\qoMdATjh.dll (file missing)
O20 - AppInit_DLLs: xuldtt.dll
Diese Einträge mit Hijackthis fixen!

Danach den Avenger nochmal wie gewohnt ausführen (kein Neustart nach dem Fixen mit Hijackthis) aber dieses script diesmal benutzen:

Code:
registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk

files to delete:
C:\WINDOWS\system32\ouchljni.ini
C:\WINDOWS\system32\injlhcuo.dll
C:\WINDOWS\system32\ecarerid.dll
C:\WINDOWS\system32\b3f84bf3-.txt
C:\WINDOWS\BMbbe8bc11.txt
C:\WINDOWS\BMbbe8bc11.xml
C:\WINDOWS\MEMORY.DMP
C:\WINDOWS\SET12B.tmp
C:\WINDOWS\SETE9.tmp
C:\WINDOWS\SETEC.tmp
C:\WINDOWS\SETF8.tmp

folders to delete:
C:\DOKUME~1\Niklas\LOKALE~1\temp\Adobe
C:\DOKUME~1\Niklas\LOKALE~1\temp\is-DGDAM.tmp
C:\DOKUME~1\Niklas\LOKALE~1\temp\is-CCDIA.tmp

Nik1385 25.09.2008 20:08
mach ich gleich, malwarebytes läuft gerade durch... ;-)


Alle Zeitangaben in WEZ +1. Es ist jetzt 11:58 Uhr.
Seite 1 von 3 1 23
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131