GEMA Trojaner / sbcvvhost_win86

lmnk · 26.12.2011, 12:31

Hallo,

ich habe auf einem PC das gleiche Problem, was auch von anderen schon beschrieben wurde. Der Rechner startet; nach dem Start ist der Taskmanager gesperrt und es ist nur ein Hinweis mit einer Zahlungsaufforderung an die Gema zu sehen.

Es handelt sich um ein Windows Vista 32 Bit System.

Viele Grüße
\Lars

Larusso · 26.12.2011, 16:53

Mein Name ist Daniel und ich werde dir mit deinem Malware Relevanten Problemen helfen.

Bevor wir uns an die Arbeit machen, möchte ich dich bitten, folgende Punkte vollständig und aufmerksam zu lesen.

Lies dir meine Anleitungen erst einmal durch. Sollte irgendetwas unklar sein, Frage bevor du beginnst.
Solltest du bei einem Schritt Probleme haben, stoppe dort und beschreib mir das Problem so gut du kannst. Manchmal erfordert ein Schritt den vorhergehenden
Sollte ich innerhalb der nächsten 3 Tage keine Antwort von dir erhalten, werde ich das Thema aus meinen Abonnements löschen.
Nur Scanns durchführen zu denen Du von einem Helfer aufgefordert wirst und Installiere / Deinstalliere keine Software ohne Aufforderung.
Poste die Logfiles direkt in deinen Thread und nicht als Anhang, ausser du wurdest dazu aufgefordert. Erschwert mir das Auswerten.

Vista und Win7 User
Alle Tools mit Rechtsklick "als Administrator ausführen" starten.

Downloade dir bitte Farbar's Recovery Scan Tool und speichere diese auf einen USB Stick.

Schließe den USB Stick an das infizierte System an

Du musst das System nun in die System Reparatur Option booten.

Über den Boot Manager

Starte den Rechner neu auf.
Während dem Hochfahren drücke mehrmals die F8 Taste
Wähle nun Computer reparieren.
Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Mit Windows CD/DVD

Lege die Windows CD in dein Laufwerk.
Starte den Rechner neu auf und starte von der CD
Wähle die Spracheinstellungen und klicke "Weiter".
Klicke auf Computerreparaturoptionen !!
Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Wähle in den Reparaturoptionen Eingabeaufforderung

Gib nun bitte notepad ein und drücke Enter.
Im öffnenden Textdokument --> Datei --> Speichern unter und wähle Computer
Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt.
Schließe Notepad wieder
Gib nun bitte folgenden Befehl ein.
e:\frst.exe
Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks. Gegebenfalls anpassen.
Akzeptiere den Disclaimer mit Yes und klicke Scan

Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier.

Bitte poste in deiner nächsten Antwort
FRST.txt

lmnk · 26.12.2011, 19:34

Hallo Daniel,

der Reparaturmodus war nach dem Drücken von F8 nicht verfügbar, ich habe dann im abgesicherten Modus mit Eingabeaufforderung gearbeitet. Hier die Ausgabe des FRST Scans:

Code:

ATTFilter

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.0
Ran by ***** at 2011-12-26 19:22:17
Running from E:\MBAM
  Service Pack 2 (X86) OS Language: German Standard 
Attention: Could not load system hive.FEHLER: Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird.

========================== Registry (Whitelisted) =============

HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKLM\...\Winlogon: [Userinit]  [x]
HKLM\...\Winlogon: [Shell] 

================================ Services (Whitelisted) ==================


========================== Drivers (Whitelisted) =============


========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-26 19:22 - 2011-12-26 19:22 - 0000000 ____D C:\FRST
2011-12-26 13:44 - 2011-12-26 13:44 - 0000906 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2011-12-26 13:44 - 2011-08-31 17:00 - 0022216 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-24 19:54 - 2011-12-26 19:21 - 0423370 ____A C:\Windows\ntbtlog.txt
2011-12-22 17:15 - 2011-12-22 17:15 - 0095744 ____A (Kassl GmbH) C:\Users\*****\AppData\Roaming\dwlGina3.dll
2011-12-22 17:10 - 2011-12-26 14:57 - 0000000 ____D C:\Users\*****\AppData\Roaming\Ifsur
2011-12-22 17:10 - 2011-12-22 17:11 - 0000000 ____D C:\Users\*****\AppData\Roaming\Akky
2011-12-22 17:10 - 2011-12-22 17:10 - 0327680 ____A (vKJZdfXv) C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe
2011-12-16 03:02 - 2011-11-04 00:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-16 03:02 - 2011-11-03 23:47 - 1798144 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-12-16 03:02 - 2011-11-03 23:46 - 9705472 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-16 03:02 - 2011-11-03 23:40 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-12-16 03:02 - 2011-11-03 23:40 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-16 03:02 - 2011-11-03 23:39 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-16 03:02 - 2011-11-03 23:38 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-16 03:02 - 2011-11-03 23:37 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-16 03:02 - 2011-11-03 23:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-12-16 03:02 - 2011-11-03 23:32 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-16 03:02 - 2011-11-03 23:32 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-16 03:02 - 2011-11-03 23:31 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-16 03:02 - 2011-11-03 23:28 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-15 13:05 - 2011-10-27 09:01 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2011-12-15 13:05 - 2011-10-27 09:01 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2011-12-15 13:05 - 2011-10-14 17:02 - 0429056 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2011-12-15 13:04 - 2011-11-23 14:37 - 2043904 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-12-15 13:04 - 2011-11-08 15:42 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-12-15 13:04 - 2011-10-25 16:56 - 0049152 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-12-08 19:56 - 2011-12-08 19:56 - 0000000 ____D C:\Users\*****\Documents\Neuer Ordner

============ 3 Months Modified Files and Folders ===============

2011-12-26 19:21 - 2011-12-24 19:54 - 0423370 ____A C:\Windows\ntbtlog.txt
2011-12-26 15:06 - 2006-11-02 11:33 - 1445116 ____A C:\Windows\System32\PerfStringBackup.INI
2011-12-26 14:59 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\IME
2011-12-26 14:57 - 2011-12-22 17:10 - 0000000 ____D C:\Users\*****\AppData\Roaming\Ifsur
2011-12-26 13:44 - 2011-12-26 13:44 - 0000906 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\*****\AppData\Roaming\Malwarebytes
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-12-26 13:44 - 2011-12-26 13:44 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2011-12-26 13:09 - 2006-11-02 13:52 - 1368360 ____A C:\Windows\WindowsUpdate.log
2011-12-24 19:46 - 2006-11-02 14:01 - 0032632 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-12-24 19:46 - 2006-11-02 14:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-12-24 19:46 - 2006-11-02 13:47 - 0004048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-12-24 19:46 - 2006-11-02 13:47 - 0004048 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-12-24 19:42 - 2006-11-02 13:37 - 0000000 ___RD C:\Users\Public\Recorded TV
2011-12-24 19:40 - 2010-12-05 11:21 - 0001108 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2011-12-22 17:15 - 2011-12-22 17:15 - 0095744 ____A (Kassl GmbH) C:\Users\*****\AppData\Roaming\dwlGina3.dll
2011-12-22 17:12 - 2010-12-05 11:21 - 0001112 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2011-12-22 17:11 - 2011-12-22 17:10 - 0000000 ____D C:\Users\*****\AppData\Roaming\Akky
2011-12-22 17:10 - 2011-12-22 17:10 - 0327680 ____A (vKJZdfXv) C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe
2011-12-20 10:10 - 2010-10-13 09:11 - 0001887 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2011-12-18 11:17 - 2010-12-04 17:17 - 0014805 ____A C:\Users\*****\Documents\Hilfe f¸r die Tafeln.odt
2011-12-16 03:38 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\rescache
2011-12-16 03:23 - 2006-11-02 13:47 - 0247328 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-16 03:03 - 2006-11-02 11:24 - 52988224 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-12-16 03:02 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\System32\de-DE
2011-12-10 13:01 - 2008-09-10 09:46 - 0000000 ____D C:\Users\*****\AppData\Roaming\Canon
2011-12-08 19:56 - 2011-12-08 19:56 - 0000000 ____D C:\Users\*****\Documents\Neuer Ordner
2011-12-08 17:06 - 2008-08-14 19:53 - 0000000 ____D C:\Program Files\Mozilla Thunderbird
2011-11-30 17:16 - 2008-08-14 19:52 - 0000000 ____D C:\Program Files\Mozilla Firefox
2011-11-23 14:37 - 2011-12-15 13:04 - 2043904 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-11-13 11:43 - 2010-12-05 11:20 - 0000000 ____D C:\Program Files\Google
2011-11-10 03:01 - 2006-11-02 12:18 - 0000000 ____D C:\Program Files\Common Files\System
2011-11-08 15:42 - 2011-12-15 13:04 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-11-04 00:02 - 2011-12-16 03:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-11-03 23:47 - 2011-12-16 03:02 - 1798144 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-11-03 23:46 - 2011-12-16 03:02 - 9705472 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-11-03 23:40 - 2011-12-16 03:02 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-11-03 23:40 - 2011-12-16 03:02 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-11-03 23:39 - 2011-12-16 03:02 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-11-03 23:38 - 2011-12-16 03:02 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-11-03 23:37 - 2011-12-16 03:02 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-11-03 23:34 - 2011-12-16 03:02 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-11-03 23:32 - 2011-12-16 03:02 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-11-03 23:32 - 2011-12-16 03:02 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-11-03 23:31 - 2011-12-16 03:02 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-11-03 23:28 - 2011-12-16 03:02 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-10-27 09:01 - 2011-12-15 13:05 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2011-10-27 09:01 - 2011-12-15 13:05 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2011-10-25 16:56 - 2011-12-15 13:04 - 0049152 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-10-24 09:53 - 2011-10-24 09:53 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-10-14 17:02 - 2011-12-15 13:05 - 0429056 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2011-10-14 02:43 - 2006-11-02 12:18 - 0000000 ____D C:\Windows\Microsoft.NET
2011-10-14 02:30 - 2009-03-29 15:26 - 0000000 ____D C:\Program Files\Microsoft Silverlight


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 30%
Total physical RAM: 1022.58 MB
Available physical RAM: 713.49 MB
Total Pagefile: 2303.75 MB
Available Pagefile: 2112.63 MB
Total Virtual: 2047.88 MB
Available Virtual: 1964.05 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:153.8 GB) NTFS ==>[Drive with boot components]
3 Drive e: () (Removable) (Total:15.25 GB) (Free:8.3 GB) FAT32

  Datentr ###  Status      Grî·e    Frei     Dyn  GPT
  --------  ----------  -------  -------  ---  ---
       0    Online       233 GB      0 B         
       1    Online        15 GB      0 B         

DatentrÑgerpartitionierung wird beendet...


==========================================================

Last Boot: 2011-12-26 13:07

======================= End Of Log ==========================

Viele Grüße
\Lars

lmnk · 26.12.2011, 22:02

Hallo Daniel,

ich habe jetzt nachträglich am Logfile gesehen, dass der "liebe PC Eigentümer" vorher schon mit Tools bei dem Rechner dabei war

. Daher bekommst du hier auch noch die daraus resultierenden Logs. Vielleicht hilft das auch noch weiter:

OTL.txt
[code]*****OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 26.12.2011 15:03:32 - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = E:\MBAM
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1022,58 Mb Total Physical Memory | 673,63 Mb Available Physical Memory | 65,88% Memory free
2,25 Gb Paging File | 2,03 Gb Available in Paging File | 90,18% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 153,80 Gb Free Space | 66,04% Space Free | Partition Type: NTFS
Drive E: | 15,25 Gb Total Space | 8,30 Gb Free Space | 54,44% Space Free | Partition Type: FAT32
 
Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011.12.26 12:25:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- E:\MBAM\OTL.exe
PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008.01.19 08:33:04 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.07.07 19:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011.06.15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2011.04.22 13:21:10 | 000,092,592 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2008.01.19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2011.08.31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010.05.27 19:37:09 | 000,223,440 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2007.12.04 18:55:50 | 000,554,240 | ---- | M] (DiBcom SA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mod7700.sys -- (mod7700)
DRV - [2007.07.11 17:06:22 | 000,013,824 | ---- | M] (DiBcom S.A.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\modrc.sys -- (MODRC)
DRV - [2006.11.02 08:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)
DRV - [2006.10.14 04:04:33 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://de.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.live.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.live.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D A6 F3 CA C6 04 CC 01  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://go.microsoft.com/fwlink/?LinkId=69157"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=3.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.11.30 17:16:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.12.08 17:06:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]
 
[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions
[2010.09.14 16:26:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\home2@tomtom.com
[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions
[2010.05.16 16:25:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010.01.28 16:38:22 | 000,002,163 | ---- | M] () -- C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\searchplugins\bing.xml
[2011.12.08 17:40:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2011.11.30 17:16:22 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.05.04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011.10.23 15:22:24 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.10.23 15:22:24 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.10.23 15:22:24 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011.10.23 15:22:24 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2009.03.04 15:02:37 | 000,000,897 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.png
[2009.03.04 15:02:37 | 000,001,015 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.src
[2011.10.23 15:22:24 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.10.23 15:22:24 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (oldieradio Toolbar) - {27AF7ECC-B892-4D54-BA3F-7DED7DD856B9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [IATSKY] C:\Programme\i@Sky WIC\iatsky.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found
O4 - HKCU..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks File not found
O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - HKCU..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StarOffice 9.lnk = C:\Programme\Sun\StarOffice 9\program\quickstart.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} hxxp://download.microsoft.com/download/2/2/0/220618B3-3606-4E70-B625-231BF31E1085/VirtualEarth3D.cab (SentinelProxy Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{305DF18F-832F-408A-B8B0-5A4F3A4E9C51}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O31 - SafeBoot: UseAlternatShell - 1
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011.12.26 13:44:44 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Malwarebytes
[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.12.26 13:44:05 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.12.26 13:44:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011.12.22 17:15:50 | 000,095,744 | ---- | C] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll
[2011.12.22 17:10:28 | 000,327,680 | ---- | C] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe
[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Ifsur
[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Akky
[2011.12.16 03:02:28 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011.12.16 03:02:27 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011.12.16 03:02:27 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011.12.16 03:02:26 | 001,798,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011.12.16 03:02:26 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011.12.16 03:02:23 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011.12.15 13:05:04 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011.12.15 13:05:04 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011.12.15 13:05:03 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011.12.15 13:04:54 | 002,043,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011.12.15 13:04:51 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
[2011.12.15 13:04:47 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2011.12.08 19:56:35 | 000,000,000 | ---D | C] -- C:\Users\*****\Documents\Neuer Ordner
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2011.12.26 15:00:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.12.26 13:44:09 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.26 13:42:15 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.12.26 13:42:15 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.12.26 13:42:15 | 000,125,676 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.12.26 13:42:15 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.12.24 19:46:39 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.12.24 19:46:38 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.12.24 19:40:08 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.12.22 17:15:50 | 000,095,744 | ---- | M] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll
[2011.12.22 17:12:29 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.12.22 17:10:07 | 000,327,680 | ---- | M] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe
[2011.12.20 10:10:03 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011.12.18 11:17:09 | 000,014,805 | ---- | M] () -- C:\Users\*****\Documents\Hilfe für die Tafeln.odt
[2011.12.16 03:23:03 | 000,247,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2011.12.26 13:44:09 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.08 17:06:50 | 000,001,895 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
[2010.01.11 10:53:33 | 000,023,689 | ---- | C] () -- C:\Windows\hpqins15.dat
[2009.12.09 15:57:15 | 000,078,213 | ---- | C] () -- C:\Windows\hpqins05.dat
[2009.10.19 10:25:05 | 000,166,714 | ---- | C] () -- C:\Windows\hphins28.dat
[2009.09.24 15:56:48 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.09.24 15:56:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.01.04 22:30:34 | 000,000,939 | ---- | C] () -- C:\Windows\hphmdl28.dat
[2008.10.26 11:44:55 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008.08.14 19:53:24 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008.08.07 09:38:45 | 000,040,960 | ---- | C] () -- C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007.04.27 09:43:58 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2006.11.02 16:33:31 | 000,627,756 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2006.11.02 16:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2006.11.02 16:33:31 | 000,125,676 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2006.11.02 16:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 13:47:37 | 000,247,328 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:33:01 | 000,595,386 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 11:33:01 | 000,103,460 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

< End of report >

--- --- ---

Extras.txt
[code]*****OTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 26.12.2011 15:03:32 - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = E:\MBAM
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1022,58 Mb Total Physical Memory | 673,63 Mb Available Physical Memory | 65,88% Memory free
2,25 Gb Paging File | 2,03 Gb Available in Paging File | 90,18% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 153,80 Gb Free Space | 66,04% Space Free | Partition Type: NTFS
Drive E: | 15,25 Gb Total Space | 8,30 Gb Free Space | 54,44% Space Free | Partition Type: FAT32
 
Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{17C14F61-0F2B-49EC-A322-074EF844F1B2}" = rport=445 | protocol=6 | dir=out | app=system | 
"{1C9D236D-8EC3-48FB-BC08-11F5EF56A01C}" = rport=137 | protocol=17 | dir=out | app=system | 
"{477CD86D-32EF-4AB4-8918-A1C5F474C4C9}" = lport=138 | protocol=17 | dir=in | app=system | 
"{924EF069-4563-48EF-8494-96040CC0B0CC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{AFF5653B-116E-4E1A-99BB-3BB36E6E0D0B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{BC9596A3-ECB4-43FF-992F-F29DFB7CD235}" = lport=445 | protocol=6 | dir=in | app=system | 
"{C3C9ABB9-C12C-481E-AAFC-CBD40420C987}" = rport=138 | protocol=17 | dir=out | app=system | 
"{C5209DAB-A2C2-4AA2-8164-4CA4C842054C}" = rport=139 | protocol=6 | dir=out | app=system | 
"{C54ED09C-754A-4E45-BCDF-70EA461AB808}" = lport=137 | protocol=17 | dir=in | app=system | 
"{D4153DE5-5564-45BF-AEF3-AF525ED1D1C1}" = lport=139 | protocol=6 | dir=in | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1A8572B5-7404-4676-9890-B45F349CEAE6}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{1C9FBDB3-13B6-4288-B8E2-72AF685553E5}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{2BFC9ABA-5FF1-4897-9DD0-760864561709}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 
"{3A5F845A-98AB-41DF-8F7B-917F3551C51E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe | 
"{4212881F-FAD3-47C5-A0B9-50DF4A5F4EBD}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe | 
"{4A010968-4CB3-435D-B683-FC987F8282F8}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\pmsregisterfile.exe | 
"{4CD67718-DBD4-4972-B812-A28C1046F4B4}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 
"{516908AA-CAD2-45F2-87E2-C22BC1907B27}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 
"{63233D3C-FE1E-4BAD-AD63-B04F35E403A9}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe | 
"{69CA36D7-B3D4-4E42-BDE4-5B9C20FF5CB6}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe | 
"{79CC9096-DA97-49C8-8FF2-355786A23224}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe | 
"{84EBA8D5-2F52-41A5-AEB6-74F119723051}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\videospin.exe | 
"{904DE6D0-E395-41D6-903F-DC28E213E4FE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe | 
"{963866C4-18C0-491E-B9FD-8EF867089093}" = protocol=6 | dir=in | app=c:\program files\pinnacle\videospin\programs\pmsregisterfile.exe | 
"{A4084200-BB83-4765-B5DB-2F18546E0892}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{A60D3F24-13AB-4681-B8DE-9B473A679004}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqsudi.exe | 
"{AD4329DC-BFE4-46FF-BC7C-EC406772ED67}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe | 
"{B1A5EBCE-9495-4BDF-AE18-6F2324BD3BE2}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpse.exe | 
"{BE5C8B59-9ABE-47E5-BF9B-8658C558F8E1}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe | 
"{C4489853-F862-48BB-847D-210B11775917}" = dir=in | app=c:\program files\common files\hp\digital imaging\bin\hpqphotocrm.exe | 
"{C6B8ED21-7450-47F4-B5C9-DB0CF3FE4805}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{D0745ECA-E966-43BF-A8CD-71056172E7A5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe | 
"{D15FCDCB-1F1D-4F05-90AC-5268786624DA}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe | 
"{D75CF46D-8290-4047-A886-5BA13FE48195}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\umi.exe | 
"{EF7ACF3A-866F-4C8E-A431-7C801FCBD982}" = protocol=17 | dir=in | app=c:\program files\pinnacle\videospin\programs\rm.exe | 
"{F85C1478-9F0A-4F49-A515-B6DCFAA692C8}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqpsapp.exe | 
"TCP Query User{3B2BFD05-5ECF-4AC9-92FD-00045513F031}C:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe" = protocol=6 | dir=in | app=c:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe | 
"UDP Query User{4462429D-E8E2-4CF3-8640-CF72DAB35BB0}C:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe" = protocol=17 | dir=in | app=c:\program files\pinnacle\shared files\programs\strmserver\strmserver.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg
"{0E37765E-45AE-4830-A12C-E5DADD758472}" = HP Photosmart D5400 Printer Driver Software 12.0 Rel .3
"{16D0F2D2-242C-4885-BEF1-4B1655C141AE}" = Bing Bar
"{18613ADB-2125-4C71-BBD7-D56136683509}" = MAGIX Audio Cleaning Lab 17 deluxe
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{20EFC9AA-BBC1-4DFD-81FF-99654F71CBF8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 26
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{304D416E-CCA6-A949-A728-19702A085FC1}" = simfy
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{54C7CFA4-9DDD-40c7-A58F-AF0E7916848C}" = HPPhotoGadget
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
"{6EED4269-588D-45b8-A80C-26A9CA62EE4E}" = HPSSupply
"{70AA9B4F-64F7-4B0D-ADD8-05802D61AF72}" = Windows Live Toolbar
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{850C7BD3-9F3F-46AD-9396-E7985B38C55E}" = Windows Live Fotogalerie
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{915B97D7-585F-48DE-9E62-47F916514854}" = D5400
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A7496F46-78AE-4DB2-BCF5-95F210FA6F96}" = Windows Live Movie Maker
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.7 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B28635AB-1DF3-4F07-BFEA-975D911B549B}" = hpphotosmartdisclabelplugin
"{BCE46757-7674-4416-BEDB-68205A60409E}" = CanoScan Toolbox Ver4.1
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C4D738F7-996A-4C81-B8FA-C4E26D767E41}" = Windows Live Mail
"{C5E4D0D0-EACC-4013-B48D-C3F104F21DCD}" = StarOffice 9
"{CAFA57E8-8927-4912-AFCF-B0AA3837E989}" = Windows Live Essentials
"{CDC7F188-3A08-45C3-8C3C-99BE32911949}" = Photo Transport
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
"{D9D8F2CF-FE2D-4644-9762-01F916FE90A9}" = HPPhotoSmartDiscLabel_PaperLabel
"{DD133F7D-E484-45B7-BBB9-828FCA45BBDB}" = i@Sky WIC
"{DDD5104F-1C44-49EB-9E6B-29EC5D27658B}" = HP Update
"{E0A4805D-280A-4DD7-9E74-3A5F85E302A1}" = Windows Live Writer
"{E192A201-E9B4-406A-82D5-7886F3BB63D5}" = PS_SF_03_D5400_Software_Min
"{EFCEF949-9821-4759-A573-3EB8C857DF46}" = Windows Live Family Safety
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}" = Pinnacle TVCenter Pro
"{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FF34AF1C-705B-424A-A850-1A1F61D6EB71}" = MAGIX Speed 2 (MSI)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AVIConverter" = AVIConverter 4.0.1
"HP Imaging Device Functions" = HP Imaging Device Functions 12.0
"HP Photosmart Essential" = HP Photosmart Essential 3.5
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 12.0
"i@Sky WIC" = i@Sky WIC
"MAGIX_MSI_mclab_17dlx" = MAGIX Audio Cleaning Lab 17 deluxe
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"Mozilla Firefox 8.0.1 (x86 de)" = Mozilla Firefox 8.0.1 (x86 de)
"Mozilla Thunderbird (8.0)" = Mozilla Thunderbird (8.0)
"oldieradio Toolbar" = oldieradio Toolbar
"Shop for HP Supplies" = Shop for HP Supplies
"Simfy" = simfy
"TomTom HOME" = TomTom HOME 2.8.2.2264
"TrueCrypt" = TrueCrypt
"WinLiveSuite_Wave3" = Windows Live Essentials
 
========== Last 10 Event Log Errors ==========
 
Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
 
< End of report >

--- --- ---

Und auch noch eine mbam-log Datei:

Code:

ATTFilter

*****Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Datenbank Version: 7622

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 9.0.8112.16421

26.12.2011 14:57:30
mbam-log-2011-12-26 (14-57-17).txt

Art des Suchlaufs: Vollst‰ndiger Suchlauf (C:\|)
Durchsuchte Objekte: 381917
Laufzeit: 1 Stunde(n), 4 Minute(n), 17 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschl¸ssel: 0
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 0
Infizierte Dateien: 4

Infizierte Speicherprozesse:
(Keine bˆsartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bˆsartigen Objekte gefunden)

Infizierte Registrierungsschl¸ssel:
(Keine bˆsartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0D1ECAC7-DF2C-9647-D654-AF583AD277D4} (Trojan.Zbot.CBCGen) -> Value: {0D1ECAC7-DF2C-9647-D654-AF583AD277D4} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe) Good: (Explorer.exe) -> No action taken.

Infizierte Verzeichnisse:
(Keine bˆsartigen Objekte gefunden)

Infizierte Dateien:
c:\Users\*****\AppData\Roaming\Ifsur\kuba.exe (Trojan.Zbot.CBCGen) -> No action taken.
c:\Users\*****\AppData\LocalLow\Sun\Java\deployment\cache\6.0\27\5177e1db-58ec10ca (Trojan.Zbot.CBCGen) -> No action taken.
c:\Windows.old\Users\User\AppData\Local\Temp\c12iihle.exe (Rogue.Installer) -> No action taken.
c:\Users\*****\AppData\Local\Temp\0.11391611854232775.exe (Exploit.Drop.2) -> No action taken.

Ich hoffe, dass das evtl. Verwirrungen beseitigt.

Viele Grüße
\Lars

Larusso · 27.12.2011, 00:27

Zitat:

Solltest du bei einem Schritt Probleme haben, stoppe dort und beschreib mir das Problem so gut du kannst. Manchmal erfordert ein Schritt den vorhergehenden

Schön langsam verlier ich hier die Nerven. Niemand liest was man schreibt >.>

Zitat:

O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe

Ich kann mit zensierte Logfiles nichts anfangen.

Lass MBAM nochmal laufen und entferne alle Funde und poste das Logfile hier.

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

Starte bitte die OTL.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Kopiere nun den Inhalt in die Textbox.

Code:

ATTFilter

activex
netsvcs
msconfig
%SYSTEMDRIVE%\*.
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%systemroot%\*. /mp /s
%systemroot%\system32\*.manifest /3
/md5start
explorer.exe
regedit.exe
winlogon.exe
wininit.exe
userinit.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
CREATERESTOREPOINT

Schliesse bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Quick Scan Button.
Wenn der Scan beendet wurde, wird sich ein Textdokument öffnen.
Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

lmnk · 27.12.2011, 00:54

Hallo Daniel,

das Problem mit dem Reparaturmodus ist folgendes, er wird im Windows Boot Menu nicht angezeigt, ergo kann er nicht aufgerufen werden.

Was die Zensur der Logs betrifft, da ist leider der Klarname als User drin, und das möchte ich dem Nutzer dann doch ersparen. Die fünf Sterne stehen also wie in der Anleitung angegeben, für den Klarnamen des Nutzers. Sorry.

Hier das Logfile von MBAM:

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Datenbank Version: 7622

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 9.0.8112.16421

26.12.2011 14:57:30
mbam-log-2011-12-26 (14-57-17).txt

Art des Suchlaufs: Vollst‰ndiger Suchlauf (C:\|)
Durchsuchte Objekte: 381917
Laufzeit: 1 Stunde(n), 4 Minute(n), 17 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschl¸ssel: 0
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 0
Infizierte Dateien: 4

Infizierte Speicherprozesse:
(Keine bˆsartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bˆsartigen Objekte gefunden)

Infizierte Registrierungsschl¸ssel:
(Keine bˆsartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0D1ECAC7-DF2C-9647-D654-AF583AD277D4} (Trojan.Zbot.CBCGen) -> Value: {0D1ECAC7-DF2C-9647-D654-AF583AD277D4} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe) Good: (Explorer.exe) -> No action taken.

Infizierte Verzeichnisse:
(Keine bˆsartigen Objekte gefunden)

Infizierte Dateien:
c:\Users\*****\AppData\Roaming\Ifsur\kuba.exe (Trojan.Zbot.CBCGen) -> No action taken.
c:\Users\*****\AppData\LocalLow\Sun\Java\deployment\cache\6.0\27\5177e1db-58ec10ca (Trojan.Zbot.CBCGen) -> No action taken.
c:\Windows.old\Users\User\AppData\Local\Temp\c12iihle.exe (Rogue.Installer) -> No action taken.
c:\Users\*****\AppData\Local\Temp\0.11391611854232775.exe (Exploit.Drop.2) -> No action taken.

Die infizierten Dateien sind von MBAM entfernt worden, bzw. die Funktion zum entfernen ist ausgewählt und ausgeführt worden. Vielen Dank schon mal vorab! :-)

Viele Grüße
\Lars

lmnk · 27.12.2011, 14:21

Hallo Daniel,

ich habe wie gewünscht den Quick Scan mit OTL durchgeführt. Leider ist als Ergebnis nur die OTL.Txt erzeugt worden, eine Extra.txt gab es nicht.

OTL.txt

Code:

ATTFilter

OTL logfile created on: 27.12.2011 12:41:22 - Run 2
OTL by OldTimer - Version 3.2.31.0     Folder = E:\MBAM
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1022,58 Mb Total Physical Memory | 660,75 Mb Available Physical Memory | 64,62% Memory free
2,25 Gb Paging File | 2,02 Gb Available in Paging File | 89,68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 153,79 Gb Free Space | 66,04% Space Free | Partition Type: NTFS
Drive E: | 15,25 Gb Total Space | 8,30 Gb Free Space | 54,43% Space Free | Partition Type: FAT32
 
Computer Name: **********-PC | User Name: ***** | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011.12.26 12:25:44 | 000,584,192 | ---- | M] (OldTimer Tools) -- E:\MBAM\OTL.exe
PRC - [2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008.01.19 08:33:11 | 000,498,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\HelpPane.exe
PRC - [2008.01.19 08:33:04 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2011.08.31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.07.07 19:31:08 | 000,195,336 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011.06.15 17:33:20 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2011.04.22 13:21:10 | 000,092,592 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Programme\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2008.01.19 08:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2011.08.31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010.05.27 19:37:09 | 000,223,440 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2007.12.04 18:55:50 | 000,554,240 | ---- | M] (DiBcom SA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mod7700.sys -- (mod7700)
DRV - [2007.07.11 17:06:22 | 000,013,824 | ---- | M] (DiBcom S.A.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\modrc.sys -- (MODRC)
DRV - [2006.11.02 08:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)
DRV - [2006.10.14 04:04:33 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://de.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.live.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://search.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.live.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4D A6 F3 CA C6 04 CC 01  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://go.microsoft.com/fwlink/?LinkId=69157"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=3.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2009.07.03 13:54:26 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.11.30 17:16:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011.12.08 17:06:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011.06.16 14:26:35 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010.01.11 10:53:54 | 000,000,000 | ---D | M]
 
[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions
[2010.09.14 16:26:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010.11.09 16:15:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Extensions\home2@tomtom.com
[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions
[2010.05.16 16:25:27 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.12.15 10:09:18 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\*****\AppData\Roaming\mozilla\Firefox\Profiles\fpfic1w3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010.01.28 16:38:22 | 000,002,163 | ---- | M] () -- C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\searchplugins\bing.xml
[2011.12.08 17:40:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2011.11.30 17:16:22 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.05.04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011.10.23 15:22:24 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.10.23 15:22:24 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.10.23 15:22:24 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011.10.23 15:22:24 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2009.03.04 15:02:37 | 000,000,897 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.png
[2009.03.04 15:02:37 | 000,001,015 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\livecom.src
[2011.10.23 15:22:24 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.10.23 15:22:24 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006.09.18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (oldieradio Toolbar) - {27af7ecc-b892-4d54-ba3f-7ded7dd856b9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (oldieradio Toolbar) - {27AF7ECC-B892-4D54-BA3F-7DED7DD856B9} - C:\Programme\oldieradio\prxtboldi.dll (Conduit Ltd.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [IATSKY] C:\Programme\i@Sky WIC\iatsky.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found
O4 - HKCU..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks File not found
O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - HKCU..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StarOffice 9.lnk = C:\Programme\Sun\StarOffice 9\program\quickstart.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} hxxp://download.microsoft.com/download/2/2/0/220618B3-3606-4E70-B625-231BF31E1085/VirtualEarth3D.cab (SentinelProxy Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{305DF18F-832F-408A-B8B0-5A4F3A4E9C51}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O31 - SafeBoot: UseAlternatShell - 1
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - 
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0
ActiveX: {25FFAAD0-F4A3-4164-95FF-4461E9F35D51} - .NET Framework
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - 
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5CA109D3-A084-47E8-A9CB-D497322E3F50} - MSN Toolbar 3.0 & Silverlight 2.0
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {6ScJzIf0-kevt-RkjF-pr7R-UIAZ3ihJ5KXN} - 
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - 
ActiveX: >{b4db1911-e061-4cc6-aab1-6fe12ea65eac} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
 
CREATERESTOREPOINT

Error creating restore point.
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011.12.26 19:22:07 | 000,000,000 | ---D | C] -- C:\FRST
[2011.12.26 13:44:44 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Malwarebytes
[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.12.26 13:44:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.12.26 13:44:05 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.12.26 13:44:05 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011.12.22 17:15:50 | 000,095,744 | ---- | C] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll
[2011.12.22 17:10:28 | 000,327,680 | ---- | C] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe
[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Ifsur
[2011.12.22 17:10:13 | 000,000,000 | ---D | C] -- C:\Users\*****\AppData\Roaming\Akky
[2011.12.08 19:56:35 | 000,000,000 | ---D | C] -- C:\Users\*****\Documents\Neuer Ordner
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2011.12.27 12:40:52 | 000,627,756 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.12.27 12:40:52 | 000,595,386 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.12.27 12:40:52 | 000,125,676 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.12.27 12:40:52 | 000,103,460 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.12.27 12:36:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.12.26 13:44:09 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.24 19:46:39 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.12.24 19:46:38 | 000,004,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.12.24 19:40:08 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.12.22 17:15:50 | 000,095,744 | ---- | M] (Kassl GmbH) -- C:\Users\*****\AppData\Roaming\dwlGina3.dll
[2011.12.22 17:12:29 | 000,001,112 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.12.22 17:10:07 | 000,327,680 | ---- | M] (vKJZdfXv) -- C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe
[2011.12.20 10:10:03 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011.12.18 11:17:09 | 000,014,805 | ---- | M] () -- C:\Users\*****\Documents\Hilfe für die Tafeln.odt
[2011.12.16 03:23:03 | 000,247,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2011.12.26 13:44:09 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.12.08 17:06:50 | 000,001,895 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
[2010.01.11 10:53:33 | 000,023,689 | ---- | C] () -- C:\Windows\hpqins15.dat
[2009.12.09 15:57:15 | 000,078,213 | ---- | C] () -- C:\Windows\hpqins05.dat
[2009.10.19 10:25:05 | 000,166,714 | ---- | C] () -- C:\Windows\hphins28.dat
[2009.09.24 15:56:48 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.09.24 15:56:46 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.01.04 22:30:34 | 000,000,939 | ---- | C] () -- C:\Windows\hphmdl28.dat
[2008.10.26 11:44:55 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008.08.14 19:53:24 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008.08.07 09:38:45 | 000,040,960 | ---- | C] () -- C:\Users\*****\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007.04.27 09:43:58 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2006.11.02 16:33:31 | 000,627,756 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2006.11.02 16:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2006.11.02 16:33:31 | 000,125,676 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2006.11.02 16:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 13:47:37 | 000,247,328 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:33:01 | 000,595,386 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 11:33:01 | 000,103,460 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
 
========== LOP Check ==========
 
[2011.12.22 17:11:54 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Akky
[2011.12.10 13:01:29 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Canon
[2011.12.26 14:57:37 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Ifsur
[2011.07.21 14:39:31 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\MAGIX
[2011.06.23 14:18:26 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Simfy
[2008.11.10 13:40:01 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\StarOffice
[2010.09.14 16:26:43 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\Thunderbird
[2010.11.09 16:15:02 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\TomTom
[2010.05.27 19:38:16 | 000,000,000 | ---D | M] -- C:\Users\*****\AppData\Roaming\TrueCrypt
[2011.12.24 19:46:35 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.

 >
[2008.08.07 09:09:32 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin
[2009.10.01 10:55:56 | 000,000,000 | -HSD | M] -- C:\Boot
[2008.04.13 12:59:15 | 000,000,000 | -H-D | M] -- C:\CanoScan
[2006.11.02 14:02:03 | 000,000,000 | -HSD | M] -- C:\Documents and Settings
[2007.02.22 13:53:42 | 000,000,000 | -HSD | M] -- C:\Dokumente und Einstellungen
[2011.12.26 19:22:38 | 000,000,000 | ---D | M] -- C:\FRST
[2008.10.24 14:52:12 | 000,000,000 | ---D | M] -- C:\PerfLogs
[2011.12.26 13:44:05 | 000,000,000 | R--D | M] -- C:\Program Files
[2011.12.26 13:44:08 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2007.02.22 13:53:42 | 000,000,000 | -HSD | M] -- C:\Programme
[2007.03.03 13:40:18 | 000,000,000 | ---D | M] -- C:\Software
[2011.12.24 19:45:37 | 000,000,000 | -HSD | M] -- C:\System Volume Information
[2008.08.07 09:08:52 | 000,000,000 | R--D | M] -- C:\Users
[2011.12.24 19:54:51 | 000,000,000 | ---D | M] -- C:\Windows
[2008.08.07 09:22:00 | 000,000,000 | ---D | M] -- C:\Windows.old
 
< %PROGRAMFILES%\*.exe

 >
 
< %LOCALAPPDATA%\*.exe
 >
 
< %systemroot%\*. /mp /s
 >
 
< %systemroot%\system32\*.manifest /3

 >
 
 
< MD5 for: EXPLORER.EXE  >
[2008.10.29 07:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008.10.29 07:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008.10.30 04:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2007.11.15 16:26:44 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows.old\Windows\explorer.exe
[2007.11.15 16:26:44 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2008.08.07 11:19:33 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[2007.11.15 16:26:44 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2008.08.07 11:19:33 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
[2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009.04.11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008.10.28 03:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2006.11.02 10:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2006.11.02 10:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
[2008.01.19 08:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[2008.01.19 08:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
 
< MD5 for: REGEDIT.EXE  >
[2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe
[2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\regedit.exe
[2008.01.19 08:33:24 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=467A3B03E924B7B7EDD16D34740574B0 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe
[2006.11.02 10:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows.old\Windows\regedit.exe
[2006.11.02 10:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6000.16386_none_f1f7f368deed95c3\regedit.exe
[2006.11.02 10:45:35 | 000,134,656 | ---- | M] (Microsoft Corporation) MD5=F13123E76FDA33E55F11E0EB832E832A -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6000.16386_none_f1f7f368deed95c3\regedit.exe
 
< MD5 for: USERINIT.EXE  >
[2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008.01.19 08:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows.old\Windows\System32\userinit.exe
[2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe
[2006.11.02 10:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\System32\wininit.exe
[2008.01.19 08:33:37 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows.old\Windows\System32\wininit.exe
[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
[2006.11.02 10:45:57 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=D4385B03E8CCCEE6F0EE249F827C1F3E -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009.04.11 07:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows.old\Windows\System32\winlogon.exe
[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2006.11.02 10:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
[2008.01.19 08:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows.old\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
[2008.01.19 08:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
 
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs

 >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Required: DebugWindows [binary data]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Windows: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
 >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

 >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-12-24 18:46:10

< End of report >

Ich hoffe, das Ergebnis führt trotz der fehlenden Extra.txt weiter.

Viele Grüße
\Lars

Larusso · 27.12.2011, 14:52

Zitat:

O4 - HKLM..\Run: [WBhXTAWuFpmNyON] C:\Users\*****\AppData\Roaming\sbcvvhost_win86.exe (vKJZdfXv)

Wie gesagt, ich kann mit zensierten Logfiles keine fixes schreiben. Enthält das wirklich deinen vollständigen Namen, dann mach ich mir die Arbeit

lmnk · 27.12.2011, 15:16

Hallo Daniel,

ja, der Username ist identisch mit dem Namen des Eigentümers. Schlimmer noch, da das nicht ich selber bin, würde ich das gerne schon deshalb vermeiden.

Bei irgendeinem Rechnernamen hätte ich das so gelassen. Sonst bliebe nur die Möglichkeit das per PM zu machen, aber das soll ja eigentlich nicht so sein. Ich kann die Stellen auch gerne anders markieren, aber das ist m.E. auch nicht hilfreich.

Vielen Dank für deine Mühe!

Viele Grüße
\Lars

Larusso · 27.12.2011, 20:32

Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Downloade dir bitte Combofix von einem dieser Downloadspiegel

Link 1
Link 2

WICHTIG - Speichere Combofix auf deinem Desktop

Deaktiviere bitte all deine Anti Viren sowie Anti Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

Bitte poste in deiner nächsten Antwort
Combofix.txt

lmnk · 28.12.2011, 12:05

Hallo Daniel,

hier nun der Output vom Combofix:

Combofix.txt

Code:

ATTFilter

ComboFix 11-12-22.04 - ***** 28.12.2011   8:47.1.1 - x86 MINIMAL
MicrosoftÆ Windows Vistaô Home Premium   6.0.6002.2.1252.49.1031.18.1023.635 [GMT 1:00]
ausgef¸hrt von:: c:\users\*****\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUZIERTER FUNKTIONALITƒTSMODUS -
.
.
((((((((((((((((((((((((((((((((((((   Weitere Lˆschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\*****\AppData\Roaming\dwlGina3.dll
c:\users\*****\AppData\Roaming\sbcvvhost_win86.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-11-28 bis 2011-12-28  ))))))))))))))))))))))))))))))
.
.
2011-12-28 07:50 . 2011-12-28 07:50	--------	d-----w-	c:\users\*****\AppData\Local\temp
2011-12-28 07:50 . 2011-12-28 07:50	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-12-28 07:40 . 2011-12-28 07:40	56200	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD648DD5-67E9-4EA1-A7DB-2BE89EA8B416}\offreg.dll
2011-12-26 18:22 . 2011-12-26 18:22	--------	d-----w-	C:\FRST
2011-12-26 12:44 . 2011-12-26 12:44	--------	d-----w-	c:\users\*****\AppData\Roaming\Malwarebytes
2011-12-26 12:44 . 2011-12-26 12:44	--------	d-----w-	c:\programdata\Malwarebytes
2011-12-26 12:44 . 2011-12-26 12:44	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-12-26 12:44 . 2011-08-31 16:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-12-24 18:45 . 2011-11-21 10:47	6823496	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD648DD5-67E9-4EA1-A7DB-2BE89EA8B416}\mpengine.dll
2011-12-22 16:10 . 2011-12-26 13:57	--------	d-----w-	c:\users\*****\AppData\Roaming\Ifsur
2011-12-22 16:10 . 2011-12-22 16:11	--------	d-----w-	c:\users\*****\AppData\Roaming\Akky
2011-12-20 09:07 . 2011-12-20 09:07	1207568	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-15 12:05 . 2011-10-27 08:01	3602816	----a-w-	c:\windows\system32\ntkrnlpa.exe
2011-12-15 12:05 . 2011-10-27 08:01	3550080	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-12-15 12:05 . 2011-10-14 16:02	429056	----a-w-	c:\windows\system32\EncDec.dll
2011-12-15 12:04 . 2011-11-23 13:37	2043904	----a-w-	c:\windows\system32\win32k.sys
2011-12-15 12:04 . 2011-11-08 12:10	2409784	----a-w-	c:\program files\Windows Mail\OESpamFilter.dat
2011-12-15 12:04 . 2011-10-25 15:56	49152	----a-w-	c:\windows\system32\csrsrv.dll
2011-12-15 12:04 . 2011-11-08 14:42	2048	----a-w-	c:\windows\system32\tzres.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 08:53 . 2011-10-24 08:53	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-30 16:16 . 2011-05-28 11:04	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintr‰ge & legitime Standardeintr‰ge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
2011-05-09 09:49	176936	----a-w-	c:\program files\oldieradio\prxtboldi.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27AF7ECC-B892-4D54-BA3F-7DED7DD856B9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IATSKY"="c:\program files\i@Sky WIC\iatsky.exe" [2011-07-25 335872]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
StarOffice 9.lnk - c:\program files\Sun\StarOffice 9\program\quickstart.exe [2008-9-12 113152]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\DRIVERS\modrc.sys [2007-07-11 13824]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]
.
.
------- Zus‰tzlicher Suchlauf -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - Entfernte verwaiste Registrierungseintr‰ge - - - -
.
HKCU-Run-PMCLoader - c:\program files\Pinnacle\TVCenter Pro\PMCLoader.exe
HKCU-Run-WBhXTAWuFpmNyON - c:\users\*****\AppData\Roaming\sbcvvhost_win86.exe
HKLM-Run-WBhXTAWuFpmNyON - c:\users\*****\AppData\Roaming\sbcvvhost_win86.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-12-28 08:50
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteintr‰ge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-12-28  08:53:03
ComboFix-quarantined-files.txt  2011-12-28 07:52
.
Vor Suchlauf: 8 Verzeichnis(se), 165.150.273.536 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 167.733.764.096 Bytes frei
.
- - End Of File - - FA5DCFA113C2ABC07BEA63EFF011FE29

Die Ausgabe am Bildschirm sah recht vielversprechend aus. :-)

Viele Grüße
\Lars

Larusso · 28.12.2011, 19:11

Hy

Du musst die **** im Skript ersetzen

Hinweis für Mitleser:
Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden. Auf keinen Fall auf anderen Rechnern anwenden, dass kann andere Systeme nachhaltig schädigen!

Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von einem der folgenden Download-Spiegel neu herunter:

BleepingComputer.com - ForoSpyware.com

und speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)!

Drücke die

+ R Taste --> Notepad (hinein schreiben) --> OK

Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument.

Code:

ATTFilter

Folder::
c:\users\*****\AppData\Roaming\Ifsur
c:\users\*****\AppData\Roaming\Akky

ClearJavaCache::

Speichere dies als CFScript.txt auf deinem Desktop.
Wichtig:

Stelle deine Anti Viren Software temporär ab. Dies kann ComboFix nämlich bei der Arbeit behindern. Danach wieder anstellen nicht vergessen!
Bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein. Dies kann dazu führen, dass ComboFix sich aufhängt.
Schließe alle laufenden Programme. Gehe sicher, dass ComboFix ungehindert arbeiten kann.
Mache nichts am PC solange ComboFix läuft.

In Bezug auf obiges Bild, ziehe CFScript.txt in die ComboFix.exe
Wenn ComboFix fertig ist, wird es ein Log erstellen, C:\ComboFix.txt. Bitte füge es hier als Antwort ein.

Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen.

Bitte poste in deiner nächsten Antwort
Combofix.txt
Berichte, wie der Rechner läuft

lmnk · 28.12.2011, 21:59

Hallo Daniel,

hier die Ausgabe des Combofix Tools:

Code:

ATTFilter

ComboFix 11-12-27.01 - ***** 28.12.2011  21:41:19.1.1 - x86
MicrosoftÆ Windows Vistaô Home Premium   6.0.6002.2.1252.49.1031.18.1023.485 [GMT 1:00]
ausgef¸hrt von:: c:\users\*****\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\*****\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Lˆschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\*****\AppData\Roaming\Akky
c:\users\*****\AppData\Roaming\Ifsur
c:\users\Public\1031.MST
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-11-28 bis 2011-12-28  ))))))))))))))))))))))))))))))
.
.
2011-12-28 20:48 . 2011-12-28 20:48	--------	d-----w-	c:\users\*****\AppData\Local\temp
2011-12-28 20:48 . 2011-12-28 20:48	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-12-28 08:06 . 2011-12-28 08:06	56200	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{83E23BEA-E3FD-4C36-A965-E3FAFAF3C471}\offreg.dll
2011-12-28 08:06 . 2011-11-21 10:47	6823496	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{83E23BEA-E3FD-4C36-A965-E3FAFAF3C471}\mpengine.dll
2011-12-28 08:01 . 2011-12-28 08:01	--------	d-----w-	c:\program files\ESET
2011-12-26 18:22 . 2011-12-26 18:22	--------	d-----w-	C:\FRST
2011-12-26 12:44 . 2011-12-26 12:44	--------	d-----w-	c:\users\*****\AppData\Roaming\Malwarebytes
2011-12-26 12:44 . 2011-12-26 12:44	--------	d-----w-	c:\programdata\Malwarebytes
2011-12-26 12:44 . 2011-12-26 12:44	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-12-26 12:44 . 2011-08-31 16:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-12-20 09:07 . 2011-12-20 09:07	1207568	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-15 12:05 . 2011-10-27 08:01	3602816	----a-w-	c:\windows\system32\ntkrnlpa.exe
2011-12-15 12:05 . 2011-10-27 08:01	3550080	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-12-15 12:05 . 2011-10-14 16:02	429056	----a-w-	c:\windows\system32\EncDec.dll
2011-12-15 12:04 . 2011-11-23 13:37	2043904	----a-w-	c:\windows\system32\win32k.sys
2011-12-15 12:04 . 2011-11-08 12:10	2409784	----a-w-	c:\program files\Windows Mail\OESpamFilter.dat
2011-12-15 12:04 . 2011-10-25 15:56	49152	----a-w-	c:\windows\system32\csrsrv.dll
2011-12-15 12:04 . 2011-11-08 14:42	2048	----a-w-	c:\windows\system32\tzres.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 08:53 . 2011-10-24 08:53	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-30 16:16 . 2011-05-28 11:04	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintr‰ge & legitime Standardeintr‰ge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
2011-05-09 09:49	176936	----a-w-	c:\program files\oldieradio\prxtboldi.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27AF7ECC-B892-4D54-BA3F-7DED7DD856B9}"= "c:\program files\oldieradio\prxtboldi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{27af7ecc-b892-4d54-ba3f-7ded7dd856b9}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IATSKY"="c:\program files\i@Sky WIC\iatsky.exe" [2011-07-25 335872]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
StarOffice 9.lnk - c:\program files\Sun\StarOffice 9\program\quickstart.exe [2008-9-12 113152]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 136176]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\DRIVERS\modrc.sys [2007-07-11 13824]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - MBAMPROTECTOR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 10:20]
.
.
------- Zus‰tzlicher Suchlauf -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\fpfic1w3.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-12-28 21:48
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteintr‰ge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-12-28  21:51:56
ComboFix-quarantined-files.txt  2011-12-28 20:51
ComboFix2.txt  2011-12-28 07:53
.
Vor Suchlauf: 11 Verzeichnis(se), 165.835.059.200 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 165.856.579.584 Bytes frei
.
- - End Of File - - 8827A8D8834880E88CAEDDFC3562F974

Ich habe das System danach neu gestartet und bisher läuft der Rechner gut. Jetzt werde ich die Virenscanner wieder aktivieren, aber da bin ich ganz optimistisch.

Nochmals ganz vielen Dank bis hierhin! :-)

Viele Grüße
\Lars

Larusso · 28.12.2011, 22:30

Update bitte Malwarebytes und lass einen Quick Scan laufen.

ESET Online Scanner

Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
Lade und starte Eset Online Scanner
Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
Klicke auf Starten.
Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
Klicke am Ende des Suchlaufs auf Fertig stellen.
Schließe das Fenster von ESET.
Explorer öffnen.
C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
Logfile hier posten.
Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

Starte bitte DDS und poste die dds.txt und attach.txt

Bitte poste in deiner nächsten Antwort
MBAM Log
log.txt
dds.txt
attach.txt

lmnk · 28.12.2011, 22:42

Hallo Daniel,

eine Frage zu deinem letzten Post: was ist DDS? Mir sagt das Programm leider nichts... :-)

Viele Grüße
\Lars

GEMA Trojaner / sbcvvhost_win86

Plagegeister aller Art und deren Bekämpfung: GEMA Trojaner / sbcvvhost_win86