Nach BKA/GEMA Trojaner entfernung keine Reiter mehr zu sehen !!

IBoZzI · 05.03.2012, 09:32

Guten Morgen Liebes Trojaner Team,

Folgendes Problem auf einem Laptop war ein BKA Trojaner infekt den ich per Eingabeforderung und suchen, gefunden und gelöscht habe.

Soweit so gut Rechner startet wieder normal jetzt wollte ich mich aber nochmal vergewissern das er auch wirklich weg ist und gebe msconfig ein um den Pfad nochmal zu checken falls noch was drauf ist.

Jetzt guckt euch aber das mal an :

Ich hab auch mal Systemwiederherstellung gestartet, ihr seht alle Reiter, Texte und Symbole sind weg ?

Ich muss dazu sagen noch hab ich kein Virenscanner drüber laufen lassen.
Weil ich erstmal alles per Hand entfernen wollte was ein Scanner nicht gemacht hätte... sprich BKA oder sontigen schrott.

Ist das jetzt mit paar mausklick erledigt oder muss ich jetzt was spezieles machen ?? ( Virenscanner starten ect.pp )

Danke im Vorraus für eure Hilfe.
Gruß IBo

Psychotic · 05.03.2012, 10:09

Um eine genauere Analyse zu ermöglichen, befolge bitte diesen Link:

An alle Hilfesuchenden! Was muss ich vor Eröffnung eines Themas beachten?

Hinweis: Poste die Logfiles bitte hier in deinen Thread - erstelle entgegen den anweisungen KEINEN neuen!

IBoZzI · 05.03.2012, 11:54

Vielen Dank für die Schnelle antwort, hab genau das gemacht was in der Anleitung stand !

Der Kunden Rechner ist ein Samsung R540 nochmal so nebenbei, hatte ich vergessen zu sagen

So und nun zu den Logs :

Zitat:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 10:33 on 05/03/2012 (Naturalista)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

[quote]
.DDS Logfile:
DDS Logfile:

Code:

ATTFilter

DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_29
Run by Naturalista at 10:33:54 on 2012-03-05
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.3946.3382 [GMT 1:00]
.
AV: McAfee VirusScan *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Personal Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\ctfmon.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.de/
uDefault_Page_URL = hxxp://samsung.msn.com
mStart Page = hxxp://samsung.msn.com
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [SkypeM] C:\Users\Naturalista\AppData\Local\Skype\Skype.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\NATURA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\050266~1.LNK - C:\Windows\System32\rundll32.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FSCRC~1.LNK - C:\Program Files (x86)\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube to MP3 Converter - C:\Users\Naturalista\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Nach Microsoft &Excel exportieren - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: Interfaces\{2E83D437-7FBE-4366-A384-649368F8DCC1} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C640D719-D61C-4C01-A09C-660B669C2850} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{326E768D-4182-46FD-9C16-1449A49795F4}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{9FDDE16B-836F-4806-AB1F-1455CBEFF289}
{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Naturalista\AppData\Roaming\Mozilla\Firefox\Profiles\jpbtzu7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://de.wikipedia.org/wiki/Wikipedia:Hauptseite
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - 
.
============= SERVICES / DRIVERS ===============
.
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\Windows\system32\Drivers\SABI.sys --> C:\Windows\system32\Drivers\SABI.sys [?]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 AntiVirSchedulerService;Avira AntiVir Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-6-19 136360]
S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-6-19 269480]
S2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
S2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-11-24 311296]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-03-03 10:38:19	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{61DB0E6D-E322-497E-95BB-D415479F1F30}
2012-03-03 10:38:08	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{A026C26A-2F8A-4731-A3F5-5F15A81120CD}
2012-03-03 01:53:37	18432	----a-w-	C:\Windows\SysWow64\corpol.dll
2012-03-03 01:53:36	49480	----a-w-	C:\Windows\System32\drivers\mfesmfk.sys
2012-03-03 01:53:36	40904	----a-w-	C:\Windows\System32\drivers\mferkdk.sys
2012-03-03 01:53:36	176144	----a-w-	C:\Windows\System32\drivers\Mpfp.sys
2012-03-03 01:53:35	307400	----a-w-	C:\Windows\System32\drivers\mfehidk.sys
2012-03-03 01:53:35	102600	----a-w-	C:\Windows\System32\drivers\mfeavfk.sys
2012-03-03 01:53:29	22016	----a-w-	C:\Windows\System32\corpol.dll
2012-03-02 17:05:41	8643640	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9F8B3CD3-3A89-4546-8239-DC79BFEA057B}\mpengine.dll
2012-03-02 11:58:48	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{29AD618F-58DE-45CA-99C8-4790AC5FAC3A}
2012-03-02 11:58:37	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{C37F2678-1B09-499A-9904-3936CC5D9B8E}
2012-03-01 23:57:06	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{57CA8641-F3A7-41E3-8972-A281F55907E0}
2012-03-01 23:56:55	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{1B5BBA55-5145-4F72-8093-AF79624F7346}
2012-03-01 11:20:06	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{9C37AC97-FEE5-4E11-9715-D59EA9853D7A}
2012-03-01 11:19:54	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{5448BECB-F35B-4E41-8621-7D56E2CB7FB1}
2012-02-29 23:18:23	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{CF794756-C3B7-4EEB-B29C-7D02D734F6A4}
2012-02-29 23:18:12	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{27C3AF78-98FC-4816-80A3-0214241C71C3}
2012-02-29 10:09:52	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{F4901938-2B60-4EC9-812D-DD7801A29C48}
2012-02-29 10:09:28	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{3E13F1BF-FC1C-4934-8492-12E7B5964F27}
2012-02-28 19:42:52	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{590C8D28-30F9-4096-A5CE-3F42EA73F274}
2012-02-28 19:42:41	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{9D8A7F93-58CB-40D5-9909-DC19EE0DF553}
2012-02-28 07:40:54	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{92864006-7623-450E-AABA-D3CB9806F3CC}
2012-02-28 07:40:42	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{76DD5572-3D34-4EEB-A672-F7BAB3B10DA1}
2012-02-27 09:18:28	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{E79A3BC5-EFC3-4EB2-9A1F-510ED3AF6261}
2012-02-27 09:18:17	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{5BD0EB9B-2413-4813-9AE3-9B95FC6FB85D}
2012-02-26 20:43:30	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{809CE5F9-B400-489D-A38A-4F237CD9E405}
2012-02-26 20:43:19	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{172E0E4B-DA21-4D69-848D-778B0F31FA84}
2012-02-26 19:28:06	--------	d-----w-	C:\Users\Naturalista\AppData\Local\.elfohilfe
2012-02-26 08:41:44	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{3E04EA2B-C3C2-4D63-892F-53F6599383E2}
2012-02-26 08:41:33	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{53E0E332-D10C-4F04-8FA2-D940B8E5339D}
2012-02-25 18:32:35	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{8F3CEDCF-B0CC-45AD-8F87-7CD053972F7C}
2012-02-25 18:32:24	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{4B39AB4F-CBB5-4722-B200-770F76199915}
2012-02-24 19:23:50	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{B7207964-9D05-4A6A-A804-0A3E38813F76}
2012-02-24 19:23:39	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{8154B285-6908-4C48-86AE-19A7B5889847}
2012-02-24 02:44:52	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{60BD1B2F-F367-4FF1-B86B-27BC6BF57BF5}
2012-02-24 02:44:41	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{7668E3ED-7B41-47BE-9BAE-7093DBFF5A60}
2012-02-23 19:22:51	--------	d-----w-	C:\Users\Naturalista\AppData\Roaming\elsterformular
2012-02-23 19:22:36	--------	d-----w-	C:\ProgramData\elsterformular
2012-02-23 19:22:32	--------	d-----w-	C:\Program Files (x86)\ElsterFormular
2012-02-23 14:43:00	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{A20E3A44-D2F1-42D4-9EC8-AD8B4AD484F6}
2012-02-23 14:42:17	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{AD7662B0-9BC1-4718-827E-23E4FA097A5A}
2012-02-22 21:04:39	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{35650101-CCBB-44B3-B7DA-E19065B94E13}
2012-02-22 21:04:27	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{8FF1A729-4BE9-4C56-8EBD-E44027510226}
2012-02-22 08:26:54	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{539F5C44-B41D-4838-8C09-8D95F997A6B0}
2012-02-22 08:26:43	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{46E26E65-5417-437D-967B-1B4A9D14A249}
2012-02-21 12:21:20	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{182F7130-2600-4AB0-BB83-BC8B24BF4826}
2012-02-21 12:21:09	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{07625B89-6327-4AE5-AB61-7D6674AC6227}
2012-02-20 21:17:27	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{D6D0AE69-2487-4329-B685-C0E60C16A006}
2012-02-20 21:17:16	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{BDE21ECF-5C98-463C-97D1-2918988061AF}
2012-02-20 09:15:45	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{5A5576AC-B5C4-48FB-B3C1-4EBBAD24152C}
2012-02-19 10:19:12	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{1BEFC10C-47F9-466F-9463-BAD4852DE21C}
2012-02-19 10:19:01	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{784B9FE7-B85A-417B-95BE-00EB64143E5C}
2012-02-18 21:14:02	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{891BDE50-C57A-474F-BE74-41FFE7207D13}
2012-02-18 21:13:35	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{48FE15BB-24BE-44A6-863C-205BEC687047}
2012-02-17 22:05:18	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{1939CD1E-6593-4812-BA35-FD9008C6BED7}
2012-02-17 22:05:07	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{76B25DE6-BDF9-4A64-BFCA-43DE26C19E56}
2012-02-17 10:03:36	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{2C1CC39E-ACD9-457B-B83C-77B17EFC59AD}
2012-02-17 10:03:25	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{A9516660-3810-4675-9CC9-BB0C7678022F}
2012-02-16 10:49:25	509952	----a-w-	C:\Windows\System32\ntshrui.dll
2012-02-16 10:49:25	442880	----a-w-	C:\Windows\SysWow64\ntshrui.dll
2012-02-16 10:49:24	498688	----a-w-	C:\Windows\System32\drivers\afd.sys
2012-02-16 10:49:24	3145728	----a-w-	C:\Windows\System32\win32k.sys
2012-02-16 10:49:23	515584	----a-w-	C:\Windows\System32\timedate.cpl
2012-02-16 10:49:23	478720	----a-w-	C:\Windows\SysWow64\timedate.cpl
2012-02-16 10:49:21	690688	----a-w-	C:\Windows\SysWow64\msvcrt.dll
2012-02-16 10:49:21	634880	----a-w-	C:\Windows\System32\msvcrt.dll
2012-02-16 08:49:36	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{CF1A9584-4F7B-41AE-84CC-8102A3271B8D}
2012-02-16 08:49:25	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{D6755FEF-6758-49A5-8837-A838F1B2828E}
2012-02-15 10:00:19	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{62041295-4A5C-45E3-B335-B900DF916D21}
2012-02-15 10:00:07	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{D372CB0B-E795-4503-85EB-1127D7DFAE08}
2012-02-14 21:34:29	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{5A4D2F4F-38C5-4E68-911F-BBB351A40D7F}
2012-02-14 21:34:18	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{BBAD0914-53A1-433D-A7AC-373487DE0A3F}
2012-02-14 09:32:31	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{A2D328E6-F9E2-4E26-8068-944CCBCEEDDC}
2012-02-14 09:32:20	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{05FAAEEC-8090-4783-B817-FD5875583AD6}
2012-02-13 17:14:24	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{F723932B-54D1-4FDB-AB49-03E73F8AE863}
2012-02-13 17:14:13	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{CF4DE1BD-FE6F-44C2-B4CB-8D98FD0D2700}
2012-02-13 05:13:01	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{AE3F8698-44FE-44B5-AA1D-47BB13AE3466}
2012-02-13 05:12:50	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{D03B5D47-4DFA-49C7-85B7-1E1B347751AD}
2012-02-12 08:36:35	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{AE81E727-B2E2-489E-9EFF-CE74BA8B693D}
2012-02-12 08:36:24	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{2F35CB67-BD22-4B5A-81AD-A10F61DDB880}
2012-02-11 14:15:22	--------	d-----w-	C:\Program Files (x86)\DriverTuner
2012-02-11 08:24:00	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{E9847D9C-B548-426B-911D-1EFE8B579FFC}
2012-02-10 15:45:06	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{5BB8DEB4-3B3A-401C-BE3E-C8EEAC790F00}
2012-02-10 15:44:55	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{01F69F51-534B-4B8B-A9AC-0978A851FE37}
2012-02-10 00:01:07	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{9F59C13F-691D-41F0-86EE-01671E560340}
2012-02-10 00:00:56	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{BCAFF226-81A3-4725-9764-0A3E035E30D8}
2012-02-09 11:59:42	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{CB2D4404-F991-4244-B43D-0786B62E957B}
2012-02-09 11:59:29	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{09759BB7-6FAC-4CC8-81A2-DF0ED0BE92CC}
2012-02-08 22:12:49	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{BB8B00AE-2D0C-4C00-B6B1-834FAC94F469}
2012-02-08 22:12:38	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{9BFC1F49-63EF-4052-8778-CDE888C8EA48}
2012-02-08 10:10:47	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{F6C4E27F-CA33-4637-8D92-F1C7BF21F1C1}
2012-02-08 10:10:18	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{D833B336-177C-4494-98F1-B1E6821C3AAD}
2012-02-07 21:17:04	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{62992411-FD44-4B00-81A7-DBA24EEA7751}
2012-02-07 21:16:53	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{019DCA82-3889-4E61-B739-D19BFF6DFAD5}
2012-02-07 09:15:37	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{57625BA6-D35C-44C7-983A-02CBAF689F24}
2012-02-07 09:15:25	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{101866FD-FEB6-4D9F-BA0D-E04EFC532581}
2012-02-06 21:14:11	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{870CFE2D-3E3A-489F-AC19-24320D5C1CD7}
2012-02-06 21:14:00	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{E2382C9F-42B1-4ED7-B1F1-1D0D0165B974}
2012-02-06 09:12:19	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{4D973183-0FC3-4CCD-988A-61A05F4E1079}
2012-02-06 09:12:07	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{7AE6F64D-4EE3-4114-B11E-C0DCD89D527F}
2012-02-05 08:50:43	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{9E21C79B-D166-4178-BEBE-58E987E53D7D}
2012-02-05 08:50:32	--------	d-----w-	C:\Users\Naturalista\AppData\Local\{2BAFB48B-AECE-4845-BC3A-5BB1133F0C6C}
.
==================== Find3M  ====================
.
2012-02-22 18:35:39	414368	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-29 04:10:42	279656	------w-	C:\Windows\System32\MpSigStub.exe
2011-12-14 07:11:03	2308096	----a-w-	C:\Windows\System32\jscript9.dll
2011-12-14 07:04:30	1390080	----a-w-	C:\Windows\System32\wininet.dll
2011-12-14 07:03:38	1493504	----a-w-	C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28	2382848	----a-w-	C:\Windows\System32\mshtml.tlb
2011-12-14 03:04:54	1798656	----a-w-	C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18	1127424	----a-w-	C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58	1427456	----a-w-	C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 10:35:01,02 ===============

--- --- ---

--- --- ---

Attach :

Zitat:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 19.06.2011 20:35:19
System Uptime: 05.03.2012 09:13:49 (1 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | R540/R580/R780/SA41/E452/E852
Processor: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz | CPU 1 | 2527/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 68,487 GiB free.
D: is FIXED (NTFS) - 166 GiB total, 165,455 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
RP136: 21.02.2012 17:05:44 - Windows Update
RP137: 28.02.2012 08:42:32 - Windows Update
RP138: 02.03.2012 18:05:10 - Windows Update
.
==== Installed Programs ======================
.
???? ??? Windows Live
???? Windows Live
????? Messenger
????? Windows Live
?????? ??????? ?? Windows Live
???????? ?? Messenger
???????? ?????????? Windows Live
????????? Messenger
?????????? Windows Live
??????????? ?? Windows Live
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.0 - Deutsch
Adobe Shockwave Player 11.6
„Messenger“ pagalbine priemone
Atheros Client Installation Program
Avira AntiVir Personal - Free Antivirus
„Windows Live Essentials“
„Windows Live Mail“
„Windows Live Messenger“
„Windows Live“ fotogalerija
BatteryLifeExtender
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Complemento Messenger
Complément Messenger
CyberLink YouCam
D3DX10
DivX-Setup
Doplnok programu Messenger
DriverTuner 3.1.0.0
Easy Content Share
Easy Display Manager
Easy Network Manager
Easy SpeedUp Manager
EasyBatteryManager
EasyFileShare
ElsterFormular
Formant ActiveX programu Windows Live Mesh odpowiedzialny za obsluge polaczen zdalnych
Fotogalerija Windows Live
Free YouTube to MP3 Converter version 3.10.14.1206
FSCTV
Galeria de Fotografias do Windows Live
Galeria fotografii uslugi Windows Live
Galerie de photos Windows Live
Galerie foto Windows Live
Galería fotográfica de Windows Live
Intel(R) Rapid Storage Technology
Intel(R) Turbo Boost Technology Driver
Java Auto Updater
Java(TM) 6 Update 29
Junk Mail filter update
Marvell Miniport Driver
Mesh Runtime
Messenger-kumppani
Messenger ??? ??
Messenger ????
Messenger ?????
Messenger Assistent
Messenger Companion
Messenger kíséro
Messenger Pratilac
Messenger Suradnik
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 10.0.2 (x86 de)
MSVCRT
MSVCRT_amd64
Norton Online Backup
Poczta uslugi Windows Live
Podstawowe programy Windows Live
Pomocnik Messenger
Pošta Windows Live
Raccolta foto di Windows Live
Realtek High Definition Audio Driver
REALTEK Wireless LAN Software
S?????? f?t???af??? t?? Windows Live
Samsung Recovery Solution 4
Samsung Support Center
Samsung Update Plus
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Skype Toolbars
Skype™ 4.2
Slim Mobile USB DVB-T 1.0.64.29
Spremljevalec Messenger
swMSM
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
User Guide
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.11
Wecker 2.2 2.2
Windows Live
Windows Live ??
Windows Live ?? ???
Windows Live ???
Windows Live ????
Windows Live Communications Platform
Windows Live Essentials
Windows Live Fotótár
Windows Live Foto-galerija
Windows Live fotoattelu galerija
Windows Live Fotogalerie
Windows Live Fotogalleri
Windows Live Fotogaléria
Windows Live Fotograf Galerisi
Windows Live Galeria de Fotos
Windows Live Galerija fotografija
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Pošta
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Temel Parçalar
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Liven asennustyökalu
Windows Liven sähköposti
Windows Liven valokuvavalikoima
.
==== End Of File ===========================

[quote]

GMER Logfile:

Code:

ATTFilter

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-03-05 11:41:56
Windows 6.1.7601 Service Pack 1 
Running: jnj25h6c.exe


---- Registry - GMER 1.0.15 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb114b280                                                               
Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb115d388                                                               
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb114b280 (not active ControlSet)                                           
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb115d388 (not active ControlSet)                                           

---- Files - GMER 1.0.15 ----

File  C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7601.17514_none_6e88c3faa2049408\WmiPrvSD.dll        (size mismatch) 750080/754176 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7601.17514_none_6e88c3faa2049408\WmiPrvSE.exe        (size mismatch) 368640/372736 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-wbemcore-dll_31bf3856ad364e35_6.1.7601.17514_none_3fe5b852ed7138b6\wbemcore.dll        (size mismatch) 1220096/1225216 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-wmi-ds-provider_31bf3856ad364e35_6.1.7601.17514_none_e70f3fb2e8f114ba\dsprov.dll                (size mismatch) 160256/159232 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-wmi-ntevent-provider_31bf3856ad364e35_6.1.7601.17514_none_4e7fa5bfc379eecd\ntevt.dll            (size mismatch) 266240/265728 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-wmi-tools.resources_31bf3856ad364e35_6.1.7601.17514_de-de_fcac35d84c35c084\wbemtest.exe.mui     (size mismatch) 25600/26112 bytes executable
File  C:\Windows\winsxs\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b\RasMigPlugin.dll                (size mismatch) 116736/172544 bytes executable
File  C:\Windows\winsxs\wow64_microsoft-windows-wmi-core-fastprox-dll_31bf3856ad364e35_6.1.7601.17514_none_63c4031bc4bcf024\fastprox.dll        (size mismatch) 605696/606208 bytes executable
File  C:\Windows\winsxs\wow64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7601.17514_none_78dd6e4cd6655603\WmiPrvSE.exe        (size mismatch) 254976/257536 bytes executable
File  C:\Windows\winsxs\x86_microsoft-windows-rasapi_31bf3856ad364e35_6.1.7601.17514_none_6f3ee955adc74b87\pbkmigr.dll                          (size mismatch) 47104/67584 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-w..-installer-provider_31bf3856ad364e35_6.1.7601.17514_none_88af1cb8f0d0a95d\msiprov.dll        (size mismatch) 399872/399360 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-rasapi_31bf3856ad364e35_6.1.7601.17514_none_cb5d84d96624bcbd\pbkmigr.dll                        (size mismatch) 56320/57856 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-w..ovider-cimwin32-dll_31bf3856ad364e35_6.1.7601.17514_none_2dd0f6a01caf55c6\cimwin32.dll       (size mismatch) 2055168/2058240 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-aero_31bf3856ad364e35_6.1.7601.17514_none_0a0916fa3009208a\aero.msstyles                        (size mismatch) 1187984/1171088 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-o..achine-ui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_4f8bba2907875d3f\msoobeui.dll.mui  (size mismatch) 26624/27136 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\spprgrss.dll              (size mismatch) 57344/57856 bytes executable
File  C:\Windows\winsxs\wow64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_c1fead4e4bf85947\IMTCCFG.DLL        (size mismatch) 171520/172032 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50\RasMigPlugin.dll                (size mismatch) 155136/217088 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_fed8c13f0d90a8cf\WmiApRpl.dll                 (size mismatch) 137216/137728 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-oobe-machine-ui_31bf3856ad364e35_6.1.7601.17514_none_c081339cf850430b\msoobeui.dll              (size mismatch) 1156608/1161728 bytes executable

---- EOF - GMER 1.0.15 ----

--- --- ---

Also Formatieren kann ich den Rechner net, da müsste ich absprache mit dem Kunden halten.
Wäre Cool wenn man eine andere lösung finden könnte

Danke nochmal
Gruß IBo

Psychotic · 05.03.2012, 12:03

ComboFix

Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Downloade dir bitte Combofix von einem dieser Downloadspiegel

Link 1
Link 2

WICHTIG - Speichere Combofix auf deinem Desktop

Deaktiviere bitte all deine Anti Viren sowie Anti Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

IBoZzI · 05.03.2012, 12:29

Done !

Er hat auch was gelöscht ..

Log-Combofix :

[quote]
Combofix Logfile:

Code:

ATTFilter

ComboFix 12-03-04.02 - Naturalista 05.03.2012  12:23:31.1.4 - x64 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.3946.3139 [GMT 1:00]
ausgeführt von:: c:\users\Naturalista\Desktop\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Personal Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee VirusScan *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\users\Naturalista\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.502662946510703g8j8.exe.lnk
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-02-05 bis 2012-03-05  ))))))))))))))))))))))))))))))
.
.
2012-03-05 11:26 . 2012-03-05 11:26	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-03-03 01:53 . 2009-07-14 01:15	18432	----a-w-	c:\windows\SysWow64\corpol.dll
2012-03-03 01:53 . 2009-06-18 01:15	49480	----a-w-	c:\windows\system32\drivers\mfesmfk.sys
2012-03-03 01:53 . 2009-06-18 01:08	40904	----a-w-	c:\windows\system32\drivers\mferkdk.sys
2012-03-03 01:53 . 2009-04-09 05:23	176144	----a-w-	c:\windows\system32\drivers\Mpfp.sys
2012-03-03 01:53 . 2009-06-18 01:15	307400	----a-w-	c:\windows\system32\drivers\mfehidk.sys
2012-03-03 01:53 . 2009-06-18 01:15	102600	----a-w-	c:\windows\system32\drivers\mfeavfk.sys
2012-03-03 01:53 . 2009-07-14 01:40	22016	----a-w-	c:\windows\system32\corpol.dll
2012-03-02 17:05 . 2012-02-08 07:13	8643640	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{9F8B3CD3-3A89-4546-8239-DC79BFEA057B}\mpengine.dll
2012-02-26 19:28 . 2012-02-26 19:36	--------	d-----w-	c:\users\Naturalista\AppData\Local\.elfohilfe
2012-02-23 19:22 . 2012-02-23 19:22	--------	d-----w-	c:\users\Naturalista\AppData\Roaming\elsterformular
2012-02-23 19:22 . 2012-02-23 19:22	--------	d-----w-	c:\programdata\elsterformular
2012-02-23 19:22 . 2012-02-23 19:22	--------	d-----w-	c:\program files (x86)\ElsterFormular
2012-02-16 10:49 . 2012-01-04 10:44	509952	----a-w-	c:\windows\system32\ntshrui.dll
2012-02-16 10:49 . 2012-01-04 08:58	442880	----a-w-	c:\windows\SysWow64\ntshrui.dll
2012-02-16 10:49 . 2012-01-14 04:06	3145728	----a-w-	c:\windows\system32\win32k.sys
2012-02-16 10:49 . 2011-12-28 03:59	498688	----a-w-	c:\windows\system32\drivers\afd.sys
2012-02-16 10:49 . 2011-12-30 06:26	515584	----a-w-	c:\windows\system32\timedate.cpl
2012-02-16 10:49 . 2011-12-30 05:27	478720	----a-w-	c:\windows\SysWow64\timedate.cpl
2012-02-16 10:49 . 2011-12-16 08:46	634880	----a-w-	c:\windows\system32\msvcrt.dll
2012-02-16 10:49 . 2011-12-16 07:52	690688	----a-w-	c:\windows\SysWow64\msvcrt.dll
2012-02-11 14:15 . 2012-02-11 14:15	--------	d-----w-	c:\program files (x86)\DriverTuner
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 18:35 . 2011-06-19 22:13	414368	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-29 04:10 . 2011-06-23 16:56	279656	------w-	c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-07-06 98304]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FSC RC.lnk - c:\program files (x86)\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2011-10-20 675840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
R2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-07 10144288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.de/
mStart Page = hxxp://samsung.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Free YouTube to MP3 Converter - c:\users\Naturalista\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Naturalista\AppData\Roaming\Mozilla\Firefox\Profiles\jpbtzu7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://de.wikipedia.org/wiki/Wikipedia:Hauptseite
FF - prefs.js: network.proxy.type - 0
FF - user.js: general.useragent.extra.brc - 
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-SkypeM - c:\users\Naturalista\AppData\Local\Skype\Skype.exe
Toolbar-Locked - (no file)
HKLM-Run-ETDWare - c:\program files (x86)\Elantech\ETDCtrl.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-03-05  12:27:35
ComboFix-quarantined-files.txt  2012-03-05 11:27
.
Vor Suchlauf: 8 Verzeichnis(se), 73.796.907.008 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 73.290.002.432 Bytes frei
.
- - End Of File - - AFE14CDFCBB1C181EE7B63918C0E0624

--- --- ---

Psychotic · 05.03.2012, 13:00

hm, da scheint einiges kaputt zu sein!

Zitat:

Windows Live
Windows Live ??
Windows Live ?? ???
Windows Live ???
Windows Live ????
Windows Live Communications Platform
Windows Live Essentials
Windows Live Fotótár
Windows Live Foto-galerija
Windows Live fotoattelu galerija
Windows Live Fotogalerie
Windows Live Fotogalleri
Windows Live Fotogaléria
Windows Live Fotograf Galerisi
Windows Live Galeria de Fotos
Windows Live Galerija fotografija
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Pošta
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Temel Parçalar
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Liven asennustyökalu
Windows Liven sähköposti
Windows Liven valokuvavalikoima

Versuche einmal, über die Systemsteuerung Windows Live komplett zu deinstallieren.

Starte neu und berichte.

Außerdem folgendes:

Adobe Reader update

Dein Adobe Reader ist veraltet. Da einige Schädlinge die Schwachstellen in veralteten Versionen nutzen, werden wir sie aktualisieren.

Drücke die Windows- und die R-Taste, gib im folgenden Fenster appwiz.cpl ein und klicke auf OK.
Suche dir in der Liste den Eintrag "Adobe Reader Adobe Reader 9.5.0 - Deutsch - Deutsch" und deinstalliere die Software, in dem du sie markierst und auf "entfernen" klickst.
Lade dir den aktuellen Adobe Reader von hier herunter. Wichtig: Entferne den Haken für optionale Software (z.B. Google Chrome), der auf der Seite angezeigt wird, bevor du auf "Jetzt herunterladen" klickst.
Starte die Installation und folge den Anweisungen auf dem Bildschirm.

IBoZzI · 05.03.2012, 17:50

Tjaaa .. ^^

Hoffnung stirbt zu letzt, Ich habs jetzt zwar geschafft den Laptop zurück zu setzen zu einem Frühren zeitpunkt aber die Symbole usw. sind immernoch net zu sehen.

Hab aber auch Grünes licht vom Kunden das System Neu aufzusetzen.

Von dahher Vielen Lieben Dank @PsYchoTiC für deine Hilfe

Gruß IBo

05.03.2012, 10:09	#2
Psychotic /// Malwareteam	Nach BKA/GEMA Trojaner entfernung keine Reiter mehr zu sehen !! Um eine genauere Analyse zu ermöglichen, befolge bitte diesen Link: An alle Hilfesuchenden! Was muss ich vor Eröffnung eines Themas beachten? Hinweis: Poste die Logfiles bitte hier in deinen Thread - erstelle entgegen den anweisungen KEINEN neuen! __________________ __________________

Nach BKA/GEMA Trojaner entfernung keine Reiter mehr zu sehen !!

Plagegeister aller Art und deren Bekämpfung: Nach BKA/GEMA Trojaner entfernung keine Reiter mehr zu sehen !!