!Tojaner TR/ATRAPS.GEN2 und TR/Sirefef.AG.35 und andere

MurXx · 03.06.2012, 16:16

Hallo erstmal.

Ich habe mir wie einige andere auch die Compilation der Trojaner TR/ATRAPS.GEN2 und TR/Sirefef.AG.35 eingefangen. Angefangen hat es das ich mir eine corruptet file DLed habe und Avira mir ab dann die beiden obenen genannten ständig angezigt hat.

Mdam noch Rootkit.0Acces und Trojan.Small erkannt.

Mein bisheriges vorgehen war so:
(offline)

1.defrogger -> alle Virt.Volumen deactiviert -> Neustart
2. OLT scan -> logs gesaved
3. GMer Scan(alle Virenscanner deactiviert)-> logs gesaved -> Neustart
4. mdam -> Vollständiger Scan/gelöscht -> Neustart

5. Alle wieder activiert -> Online -> hier posten

Was mir dabei aufgefallen ist, das als ich Online ging die Trojaner Warnung wieder kam.

Ich habe keine Lust mein System nocheinmal neu draufzuhauen und würde mich daher freuen wenn Ihr mir helfend zur Seite stehen könntet.

MfG
MurXx

OLT-Scan:

OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 03.06.2012 16:33:19 - Run 2
OTL by OldTimer - Version 3.2.45.0     Folder = C:\Users\murxx\Desktop\Programme
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,29 Gb Available Physical Memory | 64,68% Memory free
4,00 Gb Paging File | 3,12 Gb Available in Paging File | 78,04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 297,99 Gb Total Space | 173,15 Gb Free Space | 58,11% Space Free | Partition Type: NTFS
 
Computer Name: MURXX-PC | User Name: murxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.06.02 20:08:18 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\murxx\Desktop\Programme\OTL.exe
PRC - [2012.05.08 23:12:49 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.08 23:12:48 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.08 23:12:48 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.08 23:12:48 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.04.04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011.04.20 02:04:38 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2011.04.20 02:04:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010.05.04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe
PRC - [2004.09.10 07:00:00 | 000,189,536 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.06.01 21:16:57 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\1a690902e9a6293de228c16fab21e2f7\System.Web.ni.dll
MOD - [2012.06.01 21:16:37 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\90555968565afd59bce4b0974e9903bd\System.Windows.Forms.ni.dll
MOD - [2012.06.01 21:16:32 | 001,590,784 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\69f6e582cb79f107c61308b468c1a215\System.Drawing.ni.dll
MOD - [2012.05.11 21:04:31 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll
MOD - [2012.05.11 21:03:46 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012.05.11 21:03:43 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012.05.11 21:03:42 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012.05.11 21:03:32 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2010.09.30 22:36:20 | 000,270,336 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2010.08.04 15:58:06 | 000,016,384 | R--- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2012.05.20 03:05:06 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.05.08 23:12:49 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.08 23:12:48 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.05.05 04:57:06 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.04.25 16:07:16 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.09.09 18:08:54 | 000,475,088 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent)
SRV - [2011.05.16 00:50:00 | 004,135,800 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2011.04.20 02:04:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010.11.20 14:19:33 | 000,068,096 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\Mcx2Svc.dll -- (Mcx2Svc)
SRV - [2010.05.04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpActivator)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetPipeActivator)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetMsmqActivator)
SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,075,264 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\mprdim.dll -- (RemoteAccess)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2004.09.10 07:00:00 | 000,189,536 | ---- | M] (SafeNet, Inc) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [File_System | On_Demand | Stopped] -- system32\DRIVERS\vproiah.sys -- (vproiah)
DRV - [2012.05.08 23:12:49 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.08 23:12:49 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.04.04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011.10.22 22:51:51 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2011.10.11 15:00:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011.09.09 18:00:05 | 000,023,464 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpnva.sys -- (vpnva)
DRV - [2011.09.09 17:59:19 | 000,087,976 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\acsock.sys -- (acsock)
DRV - [2011.04.20 02:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2011.04.20 02:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2011.04.20 01:22:10 | 000,243,712 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.11.20 10:42:28 | 000,246,784 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\udfs.sys -- (udfs)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.07.14 03:20:28 | 000,022,096 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\crcdisk.sys -- (crcdisk)
DRV - [2009.07.14 01:55:02 | 000,016,384 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\ws2ifsl.sys -- (ws2ifsl)
DRV - [2007.12.04 18:10:30 | 000,016,640 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2005.11.02 10:54:44 | 000,011,596 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\copperhd.sys -- (UsbFltr)
DRV - [2004.09.10 07:00:00 | 000,084,064 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\sentinel.sys -- (Sentinel)
DRV - [1998.07.10 18:01:00 | 000,007,328 | ---- | M] () [Unknown (0) | Boot | Unknown] -- C:\Windows\System32\drivers\ds1410d.sys -- (DS1410D)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{70B32755-8E37-45F1-B1C5-15E74D747C7F}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 52 AB 1F B4 D8 90 CC 01  [binary data]
IE - HKCU\..\URLSearchHook: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://startsear.ch/?aff=1&src=sp&cf=573a6041-12d5-11e1-a722-00241dd2c3b6&q={searchTerms}
IE - HKCU\..\SearchScopes\{70B32755-8E37-45F1-B1C5-15E74D747C7F}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = www-chache.uni-mannheim.de:3128
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@palmsource.com/installer,version=1.0: C:\PROGRA~1\Palm\PACKAG~1\NPInstal.dll ()
FF - HKLM\Software\MozillaPlugins\@rsj.de/prodown:  File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.04.25 16:07:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.06.03 15:21:58 | 000,000,000 | ---D | M]
 
[2012.04.25 16:07:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012.04.25 16:07:16 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.04.06 18:32:32 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011.11.11 00:35:49 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.11.11 00:35:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.11.11 00:35:49 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011.11.11 00:35:49 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.11.11 00:35:49 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.11.11 00:35:49 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\murxx\Desktop\PartyPoker.lnk ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\murxx\Desktop\PartyPoker.lnk ()
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 134.155.96.52 134.155.96.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4476AC6D-B05C-41E9-8E49-31173B642EE1}: DhcpNameServer = 134.155.96.52 134.155.96.53
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.06.03 14:19:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.06.03 14:19:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.06.03 14:19:14 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.06.03 14:19:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.06.03 13:23:14 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012.05.29 18:16:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2012.05.28 17:11:48 | 000,000,000 | ---D | C] -- C:\Users\murxx\Desktop\PSC
[2012.05.22 23:46:44 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2012.05.22 23:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\SIMSCI
[2012.05.21 19:02:18 | 000,000,000 | ---D | C] -- C:\Users\murxx\Desktop\RT2P
[2012.05.19 13:39:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
[2012.05.19 13:39:21 | 000,000,000 | ---D | C] -- C:\Program Files\TeamSpeak 3 Client
[2012.05.17 11:35:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo III
 
========== Files - Modified Within 30 Days ==========
 
[2012.06.03 16:32:09 | 000,019,088 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.06.03 16:32:09 | 000,019,088 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.06.03 16:30:10 | 000,664,936 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.06.03 16:30:10 | 000,128,934 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.06.03 16:24:51 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.06.03 16:24:43 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2012.06.03 15:57:05 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.06.03 14:19:15 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.06.03 01:52:48 | 000,001,168 | ---- | M] () -- C:\Windows\FOE2.ini
[2012.06.02 20:09:12 | 000,000,176 | ---- | M] () -- C:\Users\murxx\defogger_reenable
[2012.06.01 15:12:04 | 000,428,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.05.29 18:16:29 | 000,001,024 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2012.05.29 18:11:01 | 022,259,528 | ---- | M] () -- C:\Users\murxx\Desktop\vlc-2.0.1-win32.exe
[2012.05.23 08:12:49 | 000,001,713 | ---- | M] () -- C:\Users\Public\Desktop\PROII 8.1.lnk
[2012.05.21 03:25:32 | 000,824,819 | ---- | M] () -- C:\Users\murxx\Desktop\Anl-WSU.pdf
[2012.05.19 13:39:27 | 000,001,120 | ---- | M] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2012.05.17 11:55:04 | 000,000,921 | ---- | M] () -- C:\Users\Public\Desktop\Diablo III.lnk
[2012.05.08 23:12:49 | 000,137,928 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.05.08 23:12:49 | 000,083,392 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
 
========== Files Created - No Company Name ==========
 
[2012.06.03 14:19:15 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.06.02 20:09:01 | 000,000,176 | ---- | C] () -- C:\Users\murxx\defogger_reenable
[2012.05.29 18:16:29 | 000,001,024 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2012.05.29 18:10:11 | 022,259,528 | ---- | C] () -- C:\Users\murxx\Desktop\vlc-2.0.1-win32.exe
[2012.05.23 08:19:31 | 000,824,819 | ---- | C] () -- C:\Users\murxx\Desktop\Anl-WSU.pdf
[2012.05.23 08:12:49 | 000,001,713 | ---- | C] () -- C:\Users\Public\Desktop\PROII 8.1.lnk
[2012.05.19 13:39:27 | 000,001,120 | ---- | C] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2012.05.17 11:35:59 | 000,000,921 | ---- | C] () -- C:\Users\Public\Desktop\Diablo III.lnk
[2012.04.02 14:29:26 | 000,007,328 | ---- | C] () -- C:\Windows\System32\drivers\ds1410d.sys
[2012.02.28 17:06:12 | 000,280,976 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2012.02.28 17:06:11 | 000,075,136 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2011.12.08 01:03:48 | 000,001,168 | ---- | C] () -- C:\Windows\FOE2.ini
[2011.10.23 20:07:23 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011.10.22 17:51:56 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.04.20 01:21:02 | 000,037,376 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2011.03.17 17:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2011.02.28 21:30:06 | 000,233,012 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
 
========== LOP Check ==========
 
[2012.04.06 12:47:31 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:CB2A6156

< End of report >

--- --- ---

Gmer-Scan:

Code:

ATTFilter

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-06-03 16:46:35
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAKS-00L9A0 rev.01.03E01
Running: 04w8cc11.exe; Driver: C:\Users\murxx\AppData\Local\Temp\ugloypog.sys


---- System - GMER 1.0.15 ----

SSDT            96C53A0E                                                                                                            ZwCreateSection
SSDT            96C53A18                                                                                                            ZwRequestWaitReplyPort
SSDT            96C53A13                                                                                                            ZwSetContextThread
SSDT            96C53A1D                                                                                                            ZwSetSecurityObject
SSDT            96C53A22                                                                                                            ZwSystemDebugControl
SSDT            96C539AF                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwRollbackEnlistment + 140D                                                                            82A8D3C9 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                              82AC6D52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntkrnlpa.exe!KeRemoveQueueEx + 11F7                                                                                 82ACDEAC 4 Bytes  [0E, 3A, C5, 96] {PUSH CS; CMP AL, CH; XCHG ESI, EAX}
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1553                                                                                 82ACE208 4 Bytes  [18, 3A, C5, 96]
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1597                                                                                 82ACE24C 4 Bytes  [13, 3A, C5, 96]
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1613                                                                                 82ACE2C8 2 Bytes  [1D, 3A]
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1616                                                                                 82ACE2CB 1 Byte  [96]
.text           ...                                                                                                                 
?               System32\drivers\wareak.sys                                                                                         The system cannot find the path specified. !
.text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                                            section is writeable [0x8F02A000, 0x38CD55, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

?               C:\Windows\system32\services.exe[488] C:\Windows\system32\smss.exe                                                  image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\0000004b                                                                                   halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9D 0x20 0xEF 0xC0 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x25 0x1A 0xD8 0x75 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x76 0x8C 0xCF 0x25 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9D 0x20 0xEF 0xC0 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x25 0x1A 0xD8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x76 0x8C 0xCF 0x25 ...

---- EOF - GMER 1.0.15 ----

mbam-scan:

Code:

ATTFilter

 Malwarebytes Anti-Malware  (Test) 1.61.0.1400
www.malwarebytes.org

Datenbank Version: v2012.06.03.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
murxx :: MURXX-PC [Administrator]

Schutz: Aktiviert

03.06.2012 15:16:16
mbam-log-2012-06-03 (15-16-16).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 194904
Laufzeit: 4 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 15
HKCR\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCR\TypeLib\{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCR\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO.1 (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCR\CLSID\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCR\MyNewsBarLauncher.IE5BarLauncher.1 (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCR\MyNewsBarLauncher.IE5BarLauncher (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Keine Aktion durchgeführt.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Keine Aktion durchgeführt.

Infizierte Registrierungswerte: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Daten: VShareTB -> Keine Aktion durchgeführt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Daten:  -> Keine Aktion durchgeführt.

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 4
C:\Program Files\vShare.tv plugin\BarLcher.dll (PUP.VShareRedir) -> Keine Aktion durchgeführt.
C:\Windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}\U\00000001.@ (Trojan.Small) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}\U\80000000.@ (Trojan.Sirefef) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}\U\800000cb.@ (Rootkit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

€dit:Avira bringt nun nicht mehr ständig die Meldung das er die beiden Plagegeister (TR/ATRAPS.GEN2 und TR/Sirefef.AG.35 ) findet.

Aber als ich vorhin wieder Online ging kam von mbam die meldung über :
2 Trojaner ... find es aber grad im Quarantäne ordner nicht

Psychotic · 04.06.2012, 08:25

Mein Name ist Marius und ich werde dir bei deinem Problem helfen.

Eines vorneweg:

Hinweis: Wir können hier nie dafür garantieren, dass wir sämtliche Reste von Schadsoftware gefunden haben. Eine Formatierung ist meist der schnellste und immer der sicherste Weg.

Solltest Du Dich für eine Bereinigung entscheiden, arbeite solange mit, bis dir jemand vom Team sagt, dass dein Rechner clean ist.

Eine Bereinigung ist mitunter mit viel Arbeit für dich verbunden.

Bitte arbeite alle Schritte der Reihe nach ab.
Lese die Anleitungen sorgfältig. Solltest du irgendwo nicht weiterkommen, stoppe an diesem Punkt und beschreibe dein Problem hier!
Nur Scans durchführen, zu denen du von einem Helfer aufgefordert wirst.
Bitte kein Crossposting (posten in mehreren Foren) - wenn du die Anweisungen mehrere Helfer ausführst, kann das schwere Probleme nach sich ziehen!.
Installiere oder Deinstalliere während der Bereinigung keine Software (ausser, du wurdest dazu aufgefordert).
Wenn etwas unklar ist: Frage, bevor du etwas "blind" machst!

...und ganz wichtig:
Poste die Logfiles direkt in deinen Thread. Nicht anhängen, außer, ich fordere dich dazu auf. (Erschwert mir nämlich das Auswerten).

Vista und Win7 User
Alle Tools mit Rechtsklick --> "als Administrator ausführen" starten.

Zitat:

5. Alle wieder activiert

Bedeutet das, dass du den defogger-reenable-Button gedrückt hast?

MurXx · 04.06.2012, 10:25

Hallo Psychotic,

Mit

Zitat:

5. Alle wieder activiert

meinte ich natürlich meine antiViren-scans(Was nach einem Neustart ja automatisch passiert

), nicht die virtuellen laufwerke.

Sorry das ich mich unverständlich ausgedrückt habe.

Psychotic · 04.06.2012, 10:29

Combofix

Combofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Downloade dir bitte Combofix von einem dieser Downloadspiegel

Link 1
Link 2

WICHTIG - Speichere Combofix auf deinem Desktop

Deaktiviere bitte all deine Anti Viren sowie Anti Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

MurXx · 04.06.2012, 11:14

Combofix wurde durchgeführt.

Hier das log:

Code:

ATTFilter

ComboFix 12-06-03.05 - murxx 04.06.2012  11:56:07.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1033.18.2046.1256 [GMT 2:00]
ausgeführt von:: c:\users\murxx\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\64dlls.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\intel64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\Kernel32.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\localsys64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\ntos.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\oembios.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\sdra64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\sdra73.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\swin32.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\twex.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\twext.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\wsnpoema.exe
C:\install.exe
.
Infizierte Kopie von c:\windows\system32\services.exe wurde gefunden und desinfiziert 
Kopie von - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!winsxs!x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b!services.exe wurde wiederhergestellt 
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-05-04 bis 2012-06-04  ))))))))))))))))))))))))))))))
.
.
2012-06-03 20:11 . 2012-06-03 20:11	--------	d-----w-	c:\program files\ESET
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\users\murxx\AppData\Roaming\Malwarebytes
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\programdata\Malwarebytes
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-06-03 12:19 . 2012-04-04 13:56	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-01 19:17 . 2012-05-08 16:40	6737808	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D01894E5-0449-4077-96F0-CF1FB6E3B486}\mpengine.dll
2012-05-22 21:46 . 2012-05-22 21:46	--------	d-----w-	c:\windows\Downloaded Installations
2012-05-22 21:45 . 2012-05-22 21:45	--------	d-----w-	c:\program files\SIMSCI
2012-05-19 11:39 . 2012-06-02 19:14	--------	d-----w-	c:\users\murxx\AppData\Roaming\TS3Client
2012-05-19 11:39 . 2012-05-19 11:39	--------	d-----w-	c:\program files\TeamSpeak 3 Client
2012-05-11 10:23 . 2012-03-30 10:23	1291632	----a-w-	c:\windows\system32\drivers\tcpip.sys
2012-05-11 10:23 . 2012-03-31 04:30	1221632	----a-w-	c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 10:23 . 2012-03-31 04:29	936960	----a-w-	c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 10:23 . 2012-03-31 04:29	989184	----a-w-	c:\program files\Windows Journal\JNTFiltr.dll
2012-05-11 10:23 . 2012-03-31 04:29	969216	----a-w-	c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 10:23 . 2012-03-17 07:27	56176	----a-w-	c:\windows\system32\drivers\partmgr.sys
2012-05-11 10:23 . 2012-03-31 04:39	3968368	----a-w-	c:\windows\system32\ntkrnlpa.exe
2012-05-11 10:22 . 2012-03-31 04:39	3913072	----a-w-	c:\windows\system32\ntoskrnl.exe
2012-05-11 10:22 . 2012-03-31 02:36	2343424	----a-w-	c:\windows\system32\win32k.sys
2012-05-11 10:21 . 2012-03-03 05:31	1077248	----a-w-	c:\windows\system32\DWrite.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 21:12 . 2011-10-22 16:40	83392	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2012-05-08 21:12 . 2011-10-22 16:40	137928	----a-w-	c:\windows\system32\drivers\avipbb.sys
2012-05-05 02:57 . 2012-04-04 09:56	419488	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-05-05 02:57 . 2011-10-22 22:20	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-06 16:32 . 2011-10-22 22:01	472808	----a-w-	c:\windows\system32\deployJava1.dll
2012-03-25 00:11 . 2012-03-25 00:11	368640	----a-w-	c:\windows\system32\ReWire.dll
2012-03-25 00:11 . 2012-03-25 00:11	233472	----a-w-	c:\windows\system32\REX Shared Library.dll
2012-04-25 14:07 . 2011-10-22 17:14	97208	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-30 98304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^murxx^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\users\murxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02	254696	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-05-15 4135800]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vproiah;vproiah;c:\windows\system32\DRIVERS\vproiah.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-10-22 691696]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-11 36000]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S2 AntiVirSchedulerService;Avira Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2012-05-08 86224]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2011-09-09 475088]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [2011-09-09 87976]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-19 243712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
S3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2005-11-02 11596]
.
.
Inhalt des "geplante Tasks" Ordners
.
2012-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 02:57]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = www-chache.uni-mannheim.de:3128
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 134.155.96.52 134.155.96.53
FF - ProfilePath - 
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{c840e246-6b95-475e-9bd7-caa1c7eca9f2} - (no file)
WebBrowser-{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-06-04  12:07:17 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2012-06-04 10:07
.
Vor Suchlauf: 181.534.564.352 bytes free
Nach Suchlauf: 181.455.736.832 bytes free
.
- - End Of File - - 71D1A3DD2EF06F176B3DBAE5565343C8

Psychotic · 04.06.2012, 12:50

Sieht ganz gut aus - kontrollieren wir alles nochmal!

Schritt 1: MBAM vollständig

Downloade Dir bitte Malwarebytes

Installiere das Programm in den vorgegebenen Pfad.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Starte Malwarebytes, klicke auf Aktualisierung --> Suche nach Aktualisierung
Wenn das Update beendet wurde, aktiviere Vollständigen Scan durchführen und drücke auf Scannen. (Hinweis: Alle Festplatten anhaken!)
Wenn der Scan beendet ist, klicke auf Ergebnisse anzeigen.
Versichere Dich, dass alle Funde markiert sind und drücke Entferne Auswahl.
Poste das Logfile, welches sich in Notepad öffnet, hier in den Thread.
Nachträglich kannst du den Bericht unter "Log Dateien" finden.

Schritt 2: ESET

ESET Online Scanner

Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
Lade und starte Eset Online Scanner
Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
Klicke auf Starten.
Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
Klicke am Ende des Suchlaufs auf Fertig stellen.
Schließe das Fenster von ESET.
Explorer öffnen.
C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
Logfile hier posten.
Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

Schritt 3: Gmer

Bitte

alle anderen Scanner gegen Viren, Spyware, usw. deaktivieren,
keine bestehende Verbindung zu einem Netzwerk/Internet (WLAN nicht vergessen),
nichts am Rechner arbeiten,
nach jedem Scan der Rechner neu gestarten.

Gmer scannen lassen

Lade Dir Gmer von dieser Seite herunter (auf den Button Download EXE drücken) und das Programm auf dem Desktop speichern.
Alle anderen Programme sollen geschlossen sein.
Starte gmer.exe (Programm hat einen willkürlichen Programm-Namen). Vista und Win7 User mit Rechtsklick und als Administrator starten.
Sollte sich ein Fenster mit folgender Warnung öffnen:
WARNING !!! GMER has found system modification, which might have been caused by ROOTKIT activity. Do you want to fully scan your system ?
Unbedingt auf "No" klicken.
Entferne rechts den Hacken bei:
- IAT/EAT
- Alle Festplatten ausser die Systemplatte (normalerweise ist nur C:\ angehackt)
- Show all (sollte abgehackt sein)
Starte den Scan mit "Scan". Mache nichts am Computer während der Scan läuft.
Wenn der Scan fertig ist klicke auf Save und speichere die Logfile unter Gmer.txt auf deinem Desktop. Mit "Ok" wird GMER beendet.

Antiviren-Programm und sonstige Scanner wieder einschalten, bevor Du ins Netz gehst!

MurXx · 04.06.2012, 13:42

mbam:

Code:

ATTFilter

 Malwarebytes Anti-Malware  (Test) 1.61.0.1400
www.malwarebytes.org

Datenbank Version: v2012.06.04.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
murxx :: MURXX-PC [Administrator]

Schutz: Aktiviert

04.06.2012 13:57:05
mbam-log-2012-06-04 (13-57-05).txt

Art des Suchlaufs: Vollständiger Suchlauf
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 320583
Laufzeit: 42 Minute(n), 36 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Titan Poker (PUP.Casino) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
C:\Poker\Titan Poker\_TitanPSetup_556b94.exe (PUP.Casino) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}\U\00000001.@ (Trojan.Small) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

rest folgt.

ESET-log:

Code:

ATTFilter

C:\Users\murxx\Desktop\SavedFiles\progis\unlocker1.9.0.exe	Win32/Adware.ADON application

Gmer:

Code:

ATTFilter

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-06-04 15:55:20
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAKS-00L9A0 rev.01.03E01
Running: 04w8cc11.exe; Driver: C:\Users\murxx\AppData\Local\Temp\ugloypog.sys


---- System - GMER 1.0.15 ----

SSDT            8EB7C36E                                                                                                            ZwCreateSection
SSDT            8EB7C378                                                                                                            ZwRequestWaitReplyPort
SSDT            8EB7C373                                                                                                            ZwSetContextThread
SSDT            8EB7C37D                                                                                                            ZwSetSecurityObject
SSDT            8EB7C382                                                                                                            ZwSystemDebugControl
SSDT            8EB7C30F                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwRollbackEnlistment + 140D                                                                            82A813C9 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                              82ABAD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntkrnlpa.exe!KeRemoveQueueEx + 11F7                                                                                 82AC1EAC 4 Bytes  [6E, C3, B7, 8E] {OUTSB ; RET ; MOV BH, 0x8e}
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1553                                                                                 82AC2208 4 Bytes  [78, C3, B7, 8E] {JS 0xffffffffffffffc5; MOV BH, 0x8e}
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1597                                                                                 82AC224C 4 Bytes  [73, C3, B7, 8E] {JAE 0xffffffffffffffc5; MOV BH, 0x8e}
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1613                                                                                 82AC22C8 4 Bytes  [7D, C3, B7, 8E] {JGE 0xffffffffffffffc5; MOV BH, 0x8e}
.text           ntkrnlpa.exe!KeRemoveQueueEx + 1667                                                                                 82AC231C 4 Bytes  [82, C3, B7, 8E]
.text           ...                                                                                                                 
?               System32\drivers\rmdhpsw.sys                                                                                        The system cannot find the path specified. !
.text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                                            section is writeable [0x8F00D000, 0x38CD55, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Mozilla Firefox\firefox.exe[3212] ntdll.dll!LdrLoadDll                                             778B223E 5 Bytes  JMP 61E1C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[3212] kernel32.dll!MapViewOfFile                                       760293DB 4 Bytes  JMP 6204E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[3212] kernel32.dll!VirtualAlloc                                        7602C43A 4 Bytes  JMP 6204E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[3212] GDI32.dll!CreateDIBSection                                       77A38850 5 Bytes  JMP 6204E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                              rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                              rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\0000004c                                                                                   halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9D 0x20 0xEF 0xC0 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x25 0x1A 0xD8 0x75 ...
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x76 0x8C 0xCF 0x25 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0x00 0x00 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9D 0x20 0xEF 0xC0 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x25 0x1A 0xD8 0x75 ...
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x76 0x8C 0xCF 0x25 ...

---- EOF - GMER 1.0.15 ----

Psychotic · 05.06.2012, 07:33

Hmmm....

Schritt 1: CF-Script

Hinweis für Mitleser:
Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von einem der folgenden Download-Spiegel neu herunter:

BleepingComputer.com - ForoSpyware.com

und speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)!

Drücke die Windows + R Taste --> Notepad (hinein schreiben) --> OK

Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument.

Code:

ATTFilter

DIRLOOK::
C:\Windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}

Schritt 2: adwCleaner

Downloade Dir bitte AdwCleaner auf deinen Desktop.

Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Search.
Nach Ende des Suchlaufs öffnet sich eine Textdatei.
Poste mir den Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner[R1].txt.

Speichere dies als CFScript.txt auf Deinem Desktop.

Wichtig:

Stelle deine Anti Viren Software temprär ab. Dies kann ComboFix nämlich bei der Arbeit behindern.
Danach wieder anstellen nicht vergessen!
Bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein.
Dies kann dazu führen, dass ComboFix sich aufhängt.
Schließe alle laufenden Programme. Gehe sicher das ComboFix ungehindert arbeiten kann.
Mache nichts am PC solange ComboFix läuft.

In Bezug auf obiges Bild, ziehe CFScript.txt in die ComboFix.exe
Wenn ComboFix fertig ist, wird es ein Log erstellen, C:\ComboFix.txt. Bitte füge es hier als Antwort ein.

Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen.

MurXx · 05.06.2012, 08:04

moin Psyc,

Wie soll ich die txt-file mit

Code:

ATTFilter

DIRLOOK::
C:\Windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}

nennen? Soll die nich cfscript heissen? Sonst hat die txt-file doch keinen sinn oder?

Will mit ComboFix nichts falsch machen, daher nochmal die nachfrage

Gruß

MurXx

Psychotic · 05.06.2012, 08:26

Irgendwie wurde mein posting durcheinandergeworfen!

Schritt 1: CF-Script

Hinweis für Mitleser:
Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von einem der folgenden Download-Spiegel neu herunter:

BleepingComputer.com - ForoSpyware.com

und speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)!

Drücke die Windows + R Taste --> Notepad (hinein schreiben) --> OK

Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument.

Code:

ATTFilter

DIRLOOK::
C:\Windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}

Speichere dies als CFScript.txt auf Deinem Desktop.

Wichtig:

Stelle deine Anti Viren Software temprär ab. Dies kann ComboFix nämlich bei der Arbeit behindern.
Danach wieder anstellen nicht vergessen!
Bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein.
Dies kann dazu führen, dass ComboFix sich aufhängt.
Schließe alle laufenden Programme. Gehe sicher das ComboFix ungehindert arbeiten kann.
Mache nichts am PC solange ComboFix läuft.

In Bezug auf obiges Bild, ziehe CFScript.txt in die ComboFix.exe
Wenn ComboFix fertig ist, wird es ein Log erstellen, C:\ComboFix.txt. Bitte füge es hier als Antwort ein.

Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen.

Schritt 2: adwCleaner

Downloade Dir bitte AdwCleaner auf deinen Desktop.

Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Search.
Nach Ende des Suchlaufs öffnet sich eine Textdatei.
Poste mir den Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner[R1].txt.

MurXx · 05.06.2012, 08:51

Es kamen keine AUfforderungen die datei hochzuladen .

Hier die logs.

combofix:

Code:

ATTFilter

ComboFix 12-06-04.03 - murxx 05.06.2012   9:38.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1033.18.2046.1213 [GMT 2:00]
ausgeführt von:: c:\users\murxx\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\murxx\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\64dlls.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\intel64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\Kernel32.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\localsys64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\ntos.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\oembios.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\sdra64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\sdra73.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\swin32.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\twex.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\twext.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\wsnpoema.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-05-05 bis 2012-06-05  ))))))))))))))))))))))))))))))
.
.
2012-06-05 07:43 . 2012-06-05 07:43	--------	d-----w-	c:\users\murxx\AppData\Local\temp
2012-06-05 07:43 . 2012-06-05 07:43	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-06-05 07:43 . 2012-06-05 07:43	--------	d-----w-	c:\users\Administrator\AppData\Local\temp
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\users\murxx\AppData\Roaming\Malwarebytes
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\programdata\Malwarebytes
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-06-03 12:19 . 2012-04-04 13:56	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-01 19:17 . 2012-05-08 16:40	6737808	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D01894E5-0449-4077-96F0-CF1FB6E3B486}\mpengine.dll
2012-05-22 21:46 . 2012-05-22 21:46	--------	d-----w-	c:\windows\Downloaded Installations
2012-05-22 21:45 . 2012-05-22 21:45	--------	d-----w-	c:\program files\SIMSCI
2012-05-19 11:39 . 2012-06-02 19:14	--------	d-----w-	c:\users\murxx\AppData\Roaming\TS3Client
2012-05-19 11:39 . 2012-05-19 11:39	--------	d-----w-	c:\program files\TeamSpeak 3 Client
2012-05-11 10:23 . 2012-03-30 10:23	1291632	----a-w-	c:\windows\system32\drivers\tcpip.sys
2012-05-11 10:23 . 2012-03-31 04:30	1221632	----a-w-	c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 10:23 . 2012-03-31 04:29	936960	----a-w-	c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 10:23 . 2012-03-31 04:29	989184	----a-w-	c:\program files\Windows Journal\JNTFiltr.dll
2012-05-11 10:23 . 2012-03-31 04:29	969216	----a-w-	c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 10:23 . 2012-03-17 07:27	56176	----a-w-	c:\windows\system32\drivers\partmgr.sys
2012-05-11 10:23 . 2012-03-31 04:39	3968368	----a-w-	c:\windows\system32\ntkrnlpa.exe
2012-05-11 10:22 . 2012-03-31 04:39	3913072	----a-w-	c:\windows\system32\ntoskrnl.exe
2012-05-11 10:22 . 2012-03-31 02:36	2343424	----a-w-	c:\windows\system32\win32k.sys
2012-05-11 10:21 . 2012-03-03 05:31	1077248	----a-w-	c:\windows\system32\DWrite.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 21:12 . 2011-10-22 16:40	83392	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2012-05-08 21:12 . 2011-10-22 16:40	137928	----a-w-	c:\windows\system32\drivers\avipbb.sys
2012-05-05 02:57 . 2012-04-04 09:56	419488	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-05-05 02:57 . 2011-10-22 22:20	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-06 16:32 . 2011-10-22 22:01	472808	----a-w-	c:\windows\system32\deployJava1.dll
2012-03-25 00:11 . 2012-03-25 00:11	368640	----a-w-	c:\windows\system32\ReWire.dll
2012-03-25 00:11 . 2012-03-25 00:11	233472	----a-w-	c:\windows\system32\REX Shared Library.dll
2012-04-25 14:07 . 2011-10-22 17:14	97208	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade} ----
.
2012-01-12 13:47 . 2011-11-17 05:38	2048	--sh--w-	c:\windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}\@
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-30 98304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^murxx^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\users\murxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02	254696	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-05-15 4135800]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vproiah;vproiah;c:\windows\system32\DRIVERS\vproiah.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-10-22 691696]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-11 36000]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S2 AntiVirSchedulerService;Avira Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2012-05-08 86224]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2011-09-09 475088]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [2011-09-09 87976]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-19 243712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
S3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2005-11-02 11596]
.
.
Inhalt des "geplante Tasks" Ordners
.
2012-06-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 02:57]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = www-chache.uni-mannheim.de:3128
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 134.155.96.51 134.155.96.53
FF - ProfilePath - 
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-06-05  09:45:00
ComboFix-quarantined-files.txt  2012-06-05 07:45
ComboFix2.txt  2012-06-04 10:07
.
Vor Suchlauf: 186.008.252.416 bytes free
Nach Suchlauf: 186.801.242.112 bytes free
.
- - End Of File - - E67DF891772B9CE644875C85E6C1F07F

Adwclean:

Code:

ATTFilter

# AdwCleaner v1.608 - Logfile created 06/05/2012 at 09:46:14
# Updated 27/05/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : murxx - MURXX-PC
# Running from : C:\Users\murxx\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\murxx\AppData\Local\Conduit
Folder Found : C:\Users\murxx\AppData\LocalLow\Conduit
Folder Found : C:\Users\murxx\AppData\LocalLow\PriceGong
Folder Found : C:\Users\murxx\AppData\Roaming\Mozilla\Firefox\Profiles\bbeftfgc.default\ConduitCommon
Folder Found : C:\Program Files\Conduit
File Found : C:\Users\murxx\AppData\Roaming\Mozilla\Firefox\Profiles\bbeftfgc.default\searchplugins\Startsear.xml

***** [Registry] *****
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2851647
Key Found : HKCU\Software\StartSearch
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F97BFF8-488B-4107-BCEE-B161AB4E4183}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F97BFF8-488B-4107-BCEE-B161AB4E4183}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1B48071-416D-474E-A13B-BE5456E7FC31}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v12.0 (de)

Profile name : default 
File : C:\Users\murxx\AppData\Roaming\Mozilla\Firefox\Profiles\bbeftfgc.default\prefs.js

Found : user_pref("CT2851647..clientLogIsEnabled", false);
Found : user_pref("CT2851647..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
Found : user_pref("CT2851647..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
Found : user_pref("CT2851647.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Found : user_pref("CT2851647.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Found : user_pref("CT2851647.CTID", "CT2851647");
Found : user_pref("CT2851647.CurrentServerDate", "25-3-2012");
Found : user_pref("CT2851647.DSInstall", false);
Found : user_pref("CT2851647.DialogsAlignMode", "LTR");
Found : user_pref("CT2851647.DialogsGetterLastCheckTime", "Sun Mar 25 2012 11:42:09 GMT+0200");
Found : user_pref("CT2851647.DownloadReferralCookieData", "");
Found : user_pref("CT2851647.EMailNotifierPollDate", "Sun Mar 25 2012 12:02:25 GMT+0200");
Found : user_pref("CT2851647.FeedLastCount2532783744689806690", 60);
Found : user_pref("CT2851647.FeedPollDate2429156812186649977", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156813040823546", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156813130095866", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156813224203613", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156813230837251", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156813454291735", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156813729834876", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156813860870021", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156814264681793", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156814863075366", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedPollDate2429156815257761081", "Sun Mar 25 2012 11:42:12 GMT+0200");
Found : user_pref("CT2851647.FeedTTL2429156813130095866", 10);
Found : user_pref("CT2851647.FirstServerDate", "25-3-2012");
Found : user_pref("CT2851647.FirstTime", true);
Found : user_pref("CT2851647.FirstTimeFF3", true);
Found : user_pref("CT2851647.FixPageNotFoundErrors", true);
Found : user_pref("CT2851647.GroupingServerCheckInterval", 1440);
Found : user_pref("CT2851647.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Found : user_pref("CT2851647.HPInstall", false);
Found : user_pref("CT2851647.HasUserGlobalKeys", true);
Found : user_pref("CT2851647.HomePageProtectorEnabled", false);
Found : user_pref("CT2851647.HomepageBeforeUnload", "hxxp://www.google.de/");
Found : user_pref("CT2851647.Initialize", true);
Found : user_pref("CT2851647.InitializeCommonPrefs", true);
Found : user_pref("CT2851647.InstallationAndCookieDataSentCount", 1);
Found : user_pref("CT2851647.InstallationId", "ConduitXPEIntegration");
Found : user_pref("CT2851647.InstallationType", "ConduitXPEIntegration");
Found : user_pref("CT2851647.InstalledDate", "Sun Mar 25 2012 11:42:10 GMT+0200");
Found : user_pref("CT2851647.IsAlertDBUpdated", true);
Found : user_pref("CT2851647.IsGrouping", false);
Found : user_pref("CT2851647.IsInitSetupIni", true);
Found : user_pref("CT2851647.IsMulticommunity", false);
Found : user_pref("CT2851647.IsOpenThankYouPage", true);
Found : user_pref("CT2851647.IsOpenUninstallPage", false);
Found : user_pref("CT2851647.LanguagePackLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Found : user_pref("CT2851647.LanguagePackReloadIntervalMM", 1440);
Found : user_pref("CT2851647.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Found : user_pref("CT2851647.LastLogin_3.10.0.1", "Sun Mar 25 2012 11:42:13 GMT+0200");
Found : user_pref("CT2851647.LatestVersion", "3.10.0.1");
Found : user_pref("CT2851647.Locale", "de");
Found : user_pref("CT2851647.MCDetectTooltipHeight", "83");
Found : user_pref("CT2851647.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Found : user_pref("CT2851647.MCDetectTooltipWidth", "295");
Found : user_pref("CT2851647.MyStuffEnabledAtInstallation", true);
Found : user_pref("CT2851647.OriginalFirstVersion", "3.10.0.1");
Found : user_pref("CT2851647.SearchCaption", "uTorrentBar_DE Customized Web Search");
Found : user_pref("CT2851647.SearchEngineBeforeUnload", "Google");
Found : user_pref("CT2851647.SearchFromAddressBarIsInit", true);
Found : user_pref("CT2851647.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT285[...]
Found : user_pref("CT2851647.SearchInNewTabEnabled", true);
Found : user_pref("CT2851647.SearchInNewTabIntervalMM", 1440);
Found : user_pref("CT2851647.SearchInNewTabLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Found : user_pref("CT2851647.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Found : user_pref("CT2851647.SearchProtectorEnabled", false);
Found : user_pref("CT2851647.SearchProtectorToolbarDisabled", false);
Found : user_pref("CT2851647.SendProtectorDataViaLogin", true);
Found : user_pref("CT2851647.ServiceMapLastCheckTime", "Sun Mar 25 2012 11:42:08 GMT+0200");
Found : user_pref("CT2851647.SettingsLastCheckTime", "Sun Mar 25 2012 11:42:09 GMT+0200");
Found : user_pref("CT2851647.SettingsLastUpdate", "1325075569");
Found : user_pref("CT2851647.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT2851647&SearchSource=13");
Found : user_pref("CT2851647.ThirdPartyComponentsInterval", 504);
Found : user_pref("CT2851647.ThirdPartyComponentsLastCheck", "Sun Mar 25 2012 11:42:08 GMT+0200");
Found : user_pref("CT2851647.ThirdPartyComponentsLastUpdate", "1255344657");
Found : user_pref("CT2851647.ToolbarShrinkedFromSetup", false);
Found : user_pref("CT2851647.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2851647");
Found : user_pref("CT2851647.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,clien[...]
Found : user_pref("CT2851647.Uninstall", true);
Found : user_pref("CT2851647.UserID", "UN56961405696844599");
Found : user_pref("CT2851647.WeatherNetwork", "");
Found : user_pref("CT2851647.WeatherPollDate", "Sun Mar 25 2012 11:42:13 GMT+0200");
Found : user_pref("CT2851647.WeatherUnit", "C");
Found : user_pref("CT2851647.alertChannelId", "1243681");
Found : user_pref("CT2851647.autoDisableScopes", -1);
Found : user_pref("CT2851647.backendstorage.cbfirsttime", "53756E204D617220323520323031322031313A35323A32352[...]
Found : user_pref("CT2851647.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.c[...]
Found : user_pref("CT2851647.globalFirstTimeInfoLastCheckTime", "Sun Mar 25 2012 11:42:10 GMT+0200");
Found : user_pref("CT2851647.homepageProtectorEnableByLogin", true);
Found : user_pref("CT2851647.initDone", true);
Found : user_pref("CT2851647.isAppTrackingManagerOn", true);
Found : user_pref("CT2851647.myStuffEnabled", true);
Found : user_pref("CT2851647.myStuffPublihserMinWidth", 400);
Found : user_pref("CT2851647.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Found : user_pref("CT2851647.myStuffServiceIntervalMM", 1440);
Found : user_pref("CT2851647.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Found : user_pref("CT2851647.navigateToUrlOnSearch", false);
Found : user_pref("CT2851647.revertSettingsEnabled", true);
Found : user_pref("CT2851647.searchProtectorDialogDelayInSec", 10);
Found : user_pref("CT2851647.searchProtectorEnableByLogin", true);
Found : user_pref("CT2851647.testingCtid", "");
Found : user_pref("CT2851647.toolbarAppMetaDataLastCheckTime", "Sun Mar 25 2012 11:42:09 GMT+0200");
Found : user_pref("CT2851647.toolbarContextMenuLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Found : user_pref("CT2851647.usagesFlag", 1);
Found : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT2851647/CT2851647[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1243681/1239354/DE", "\"0\"[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2851647", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.10[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2851647",[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=de", "\"673[...]
Found : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\murxx\\AppData\\Roaming\\Mozilla\\F[...]
Found : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.10.0.1");
Found : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://startsear.ch/?aff=1&src=sp&cf=573[...]
Found : user_pref("CommunityToolbar.ToolbarsList", "CT2851647");
Found : user_pref("CommunityToolbar.ToolbarsList2", "CT2851647");
Found : user_pref("CommunityToolbar.ToolbarsList4", "CT2851647");
Found : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Found : user_pref("CommunityToolbar.globalUserId", "f6fb261f-5264-41a6-99a9-603318823f72");
Found : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Found : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Found : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2851647");
Found : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Sun Mar 25 2012 11:42:1[...]
Found : user_pref("CommunityToolbar.notifications.alertInfoInterval", 60);
Found : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Sun Mar 25 2012 11:52:33 GMT+020[...]
Found : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Found : user_pref("CommunityToolbar.notifications.locale", "en");
Found : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Found : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Found : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Found : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Found : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Found : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Found : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Found : user_pref("CommunityToolbar.notifications.userId", "579f38c6-5c8d-4a05-9155-40e971bbb9f4");
Found : user_pref("CommunityToolbar.originalHomepage", "hxxp://www.google.de/");
Found : user_pref("CommunityToolbar.originalSearchEngine", "Google");
Found : user_pref("browser.search.defaultengine", "Web Search");
Found : user_pref("browser.search.defaultenginename", "Web Search");
Found : user_pref("browser.search.order.1", "Web Search");
Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2851647&SearchSource=2&q=[...]

*************************

AdwCleaner[R1].txt - [14115 octets] - [05/06/2012 08:58:23]
AdwCleaner[R2].txt - [14045 octets] - [05/06/2012 09:46:14]

########## EOF - C:\AdwCleaner[R2].txt - [14174 octets] ##########

Bin nun erstmal 2-3h an der Uni.

Gruß MurXx

Psychotic · 05.06.2012, 09:18

Schritt 1: TeaTimer deaktivieren

Mit laufendem TeaTimer von Spybot Search&Destroy lässt sich keine Reinigung durchführen, da er alle gelöschten Einträge wiederherstellt. Der Teatimer muss also während der Reinigungsarbeiten abgestellt werden (lasse den Teatimer so lange ausgeschaltet, bis wir mit der Reinigung fertig sind): Starte Spybot S&D => stelle im Menü "Modus" den "Erweiterten Modus" ein => klicke dann links unten auf "Werkzeuge" => klicke auf "Resident" => das Häkchen entfernen bei Resident "TeaTimer" (Schutz aller Systemeinstellungen) => Spybot Search&Destroy schließen => Rechner neu starten. Bebilderte Anleitung.

Schritt 2: defogger

Downloade Dir bitte defogger von jpshortstuff auf Deinem Desktop.

Starte das Tool mit Doppelklick.
Vista und Win7 User mit Rechtsklick "als Administrator starten".
Klicke nun auf den Disable Button um die Treiber gewisser Emulatoren zu deaktivieren.
Wenn der Scan beendet wurde ( Finished ), klicke auf OK.
Defogger fordert gegebenfalls zum Neustart auf. Bestätige dies mit OK.

Sollte Defogger eine Fehlermeldung ausgeben, poste bitte die defogger_disable Log von deinem Desktop.
Klicke den Re-enable Button nicht ohne Anweisung.

Schritt 3: Fix mit adwCleaner

Schließe alle offenen Programme und Browser.
Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Delete.
Bestätige jeweils mit Ok.
Dein Rechner wird neu gestartet. Nach dem Neustart öffnet sich eine Textdatei.
Poste mir den Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.

Schritt 4: CF-Script

Hinweis für Mitleser:
Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von einem der folgenden Download-Spiegel neu herunter:

BleepingComputer.com - ForoSpyware.com

und speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)!

Drücke die Windows + R Taste --> Notepad (hinein schreiben) --> OK

Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument.

Code:

ATTFilter

FOLDER::
Directory of c:\windows\Installer\{3fa21476-a729-0b39-ac62-f938ce3fcade}
c:\documents and settings\tdmbuild.FOXBORO_1
CLEARJAVACACHE::

Speichere dies als CFScript.txt auf Deinem Desktop.

Wichtig:

Stelle deine Anti Viren Software temprär ab. Dies kann ComboFix nämlich bei der Arbeit behindern.
Danach wieder anstellen nicht vergessen!
Bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein.
Dies kann dazu führen, dass ComboFix sich aufhängt.
Schließe alle laufenden Programme. Gehe sicher das ComboFix ungehindert arbeiten kann.
Mache nichts am PC solange ComboFix läuft.

In Bezug auf obiges Bild, ziehe CFScript.txt in die ComboFix.exe
Wenn ComboFix fertig ist, wird es ein Log erstellen, C:\ComboFix.txt. Bitte füge es hier als Antwort ein.

Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen.

Schritt 5: OTL (custom)

Falls noch nicht vorhanden, lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop

Starte bitte die OTL.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Kopiere nun den Inhalt in die Textbox.

Code:

ATTFilter

activex
netsvcs
msconfig
%SYSTEMDRIVE%\*. /U /S
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%systemroot%\*. /mp /s 
/md5start
explorer.exe
regedit.exe
winlogon.exe
wininit.exe
userinit.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
CREATERESTOREPOINT

Schliesse bitte nun alle Programme. (Wichtig)
Klicke nun bitte auf den Quick Scan Button.
Kopiere nun den Inhalt aus OTL.txt und Extra.txt hier in Deinen Thread

MurXx · 05.06.2012, 13:58

1. TeaTimer deactiviert (dachte wenn ich echtzeitscan ausmach reicht das)
2.defrogger

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:22 on 05/06/2012 (murxx)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Already disabled


-=E.O.F=-

3.adwearclean:

Code:

ATTFilter

# AdwCleaner v1.608 - Logfile created 06/05/2012 at 14:19:57
# Updated 27/05/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : murxx - MURXX-PC
# Running from : C:\Users\murxx\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\murxx\AppData\Local\Conduit
Folder Deleted : C:\Users\murxx\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\murxx\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\murxx\AppData\Roaming\Mozilla\Firefox\Profiles\bbeftfgc.default\ConduitCommon
Folder Deleted : C:\Program Files\Conduit
File Deleted : C:\Users\murxx\AppData\Roaming\Mozilla\Firefox\Profiles\bbeftfgc.default\searchplugins\Startsear.xml

***** [Registry] *****
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2851647
Key Deleted : HKCU\Software\StartSearch
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F97BFF8-488B-4107-BCEE-B161AB4E4183}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F97BFF8-488B-4107-BCEE-B161AB4E4183}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1B48071-416D-474E-A13B-BE5456E7FC31}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v12.0 (de)

Profile name : default 
File : C:\Users\murxx\AppData\Roaming\Mozilla\Firefox\Profiles\bbeftfgc.default\prefs.js

Deleted : user_pref("CT2851647..clientLogIsEnabled", false);
Deleted : user_pref("CT2851647..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
Deleted : user_pref("CT2851647..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
Deleted : user_pref("CT2851647.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Deleted : user_pref("CT2851647.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Deleted : user_pref("CT2851647.CTID", "CT2851647");
Deleted : user_pref("CT2851647.CurrentServerDate", "25-3-2012");
Deleted : user_pref("CT2851647.DSInstall", false);
Deleted : user_pref("CT2851647.DialogsAlignMode", "LTR");
Deleted : user_pref("CT2851647.DialogsGetterLastCheckTime", "Sun Mar 25 2012 11:42:09 GMT+0200");
Deleted : user_pref("CT2851647.DownloadReferralCookieData", "");
Deleted : user_pref("CT2851647.EMailNotifierPollDate", "Sun Mar 25 2012 12:02:25 GMT+0200");
Deleted : user_pref("CT2851647.FeedLastCount2532783744689806690", 60);
Deleted : user_pref("CT2851647.FeedPollDate2429156812186649977", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156813040823546", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156813130095866", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156813224203613", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156813230837251", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156813454291735", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156813729834876", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156813860870021", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156814264681793", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156814863075366", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedPollDate2429156815257761081", "Sun Mar 25 2012 11:42:12 GMT+0200");
Deleted : user_pref("CT2851647.FeedTTL2429156813130095866", 10);
Deleted : user_pref("CT2851647.FirstServerDate", "25-3-2012");
Deleted : user_pref("CT2851647.FirstTime", true);
Deleted : user_pref("CT2851647.FirstTimeFF3", true);
Deleted : user_pref("CT2851647.FixPageNotFoundErrors", true);
Deleted : user_pref("CT2851647.GroupingServerCheckInterval", 1440);
Deleted : user_pref("CT2851647.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Deleted : user_pref("CT2851647.HPInstall", false);
Deleted : user_pref("CT2851647.HasUserGlobalKeys", true);
Deleted : user_pref("CT2851647.HomePageProtectorEnabled", false);
Deleted : user_pref("CT2851647.HomepageBeforeUnload", "hxxp://www.google.de/");
Deleted : user_pref("CT2851647.Initialize", true);
Deleted : user_pref("CT2851647.InitializeCommonPrefs", true);
Deleted : user_pref("CT2851647.InstallationAndCookieDataSentCount", 1);
Deleted : user_pref("CT2851647.InstallationId", "ConduitXPEIntegration");
Deleted : user_pref("CT2851647.InstallationType", "ConduitXPEIntegration");
Deleted : user_pref("CT2851647.InstalledDate", "Sun Mar 25 2012 11:42:10 GMT+0200");
Deleted : user_pref("CT2851647.IsAlertDBUpdated", true);
Deleted : user_pref("CT2851647.IsGrouping", false);
Deleted : user_pref("CT2851647.IsInitSetupIni", true);
Deleted : user_pref("CT2851647.IsMulticommunity", false);
Deleted : user_pref("CT2851647.IsOpenThankYouPage", true);
Deleted : user_pref("CT2851647.IsOpenUninstallPage", false);
Deleted : user_pref("CT2851647.LanguagePackLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Deleted : user_pref("CT2851647.LanguagePackReloadIntervalMM", 1440);
Deleted : user_pref("CT2851647.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Deleted : user_pref("CT2851647.LastLogin_3.10.0.1", "Sun Mar 25 2012 11:42:13 GMT+0200");
Deleted : user_pref("CT2851647.LatestVersion", "3.10.0.1");
Deleted : user_pref("CT2851647.Locale", "de");
Deleted : user_pref("CT2851647.MCDetectTooltipHeight", "83");
Deleted : user_pref("CT2851647.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Deleted : user_pref("CT2851647.MCDetectTooltipWidth", "295");
Deleted : user_pref("CT2851647.MyStuffEnabledAtInstallation", true);
Deleted : user_pref("CT2851647.OriginalFirstVersion", "3.10.0.1");
Deleted : user_pref("CT2851647.SearchCaption", "uTorrentBar_DE Customized Web Search");
Deleted : user_pref("CT2851647.SearchEngineBeforeUnload", "Google");
Deleted : user_pref("CT2851647.SearchFromAddressBarIsInit", true);
Deleted : user_pref("CT2851647.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT285[...]
Deleted : user_pref("CT2851647.SearchInNewTabEnabled", true);
Deleted : user_pref("CT2851647.SearchInNewTabIntervalMM", 1440);
Deleted : user_pref("CT2851647.SearchInNewTabLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Deleted : user_pref("CT2851647.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Deleted : user_pref("CT2851647.SearchProtectorEnabled", false);
Deleted : user_pref("CT2851647.SearchProtectorToolbarDisabled", false);
Deleted : user_pref("CT2851647.SendProtectorDataViaLogin", true);
Deleted : user_pref("CT2851647.ServiceMapLastCheckTime", "Sun Mar 25 2012 11:42:08 GMT+0200");
Deleted : user_pref("CT2851647.SettingsLastCheckTime", "Sun Mar 25 2012 11:42:09 GMT+0200");
Deleted : user_pref("CT2851647.SettingsLastUpdate", "1325075569");
Deleted : user_pref("CT2851647.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT2851647&SearchSource=13");
Deleted : user_pref("CT2851647.ThirdPartyComponentsInterval", 504);
Deleted : user_pref("CT2851647.ThirdPartyComponentsLastCheck", "Sun Mar 25 2012 11:42:08 GMT+0200");
Deleted : user_pref("CT2851647.ThirdPartyComponentsLastUpdate", "1255344657");
Deleted : user_pref("CT2851647.ToolbarShrinkedFromSetup", false);
Deleted : user_pref("CT2851647.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2851647");
Deleted : user_pref("CT2851647.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,clien[...]
Deleted : user_pref("CT2851647.Uninstall", true);
Deleted : user_pref("CT2851647.UserID", "UN56961405696844599");
Deleted : user_pref("CT2851647.WeatherNetwork", "");
Deleted : user_pref("CT2851647.WeatherPollDate", "Sun Mar 25 2012 11:42:13 GMT+0200");
Deleted : user_pref("CT2851647.WeatherUnit", "C");
Deleted : user_pref("CT2851647.alertChannelId", "1243681");
Deleted : user_pref("CT2851647.autoDisableScopes", -1);
Deleted : user_pref("CT2851647.backendstorage.cbfirsttime", "53756E204D617220323520323031322031313A35323A32352[...]
Deleted : user_pref("CT2851647.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.c[...]
Deleted : user_pref("CT2851647.globalFirstTimeInfoLastCheckTime", "Sun Mar 25 2012 11:42:10 GMT+0200");
Deleted : user_pref("CT2851647.homepageProtectorEnableByLogin", true);
Deleted : user_pref("CT2851647.initDone", true);
Deleted : user_pref("CT2851647.isAppTrackingManagerOn", true);
Deleted : user_pref("CT2851647.myStuffEnabled", true);
Deleted : user_pref("CT2851647.myStuffPublihserMinWidth", 400);
Deleted : user_pref("CT2851647.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Deleted : user_pref("CT2851647.myStuffServiceIntervalMM", 1440);
Deleted : user_pref("CT2851647.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Deleted : user_pref("CT2851647.navigateToUrlOnSearch", false);
Deleted : user_pref("CT2851647.revertSettingsEnabled", true);
Deleted : user_pref("CT2851647.searchProtectorDialogDelayInSec", 10);
Deleted : user_pref("CT2851647.searchProtectorEnableByLogin", true);
Deleted : user_pref("CT2851647.testingCtid", "");
Deleted : user_pref("CT2851647.toolbarAppMetaDataLastCheckTime", "Sun Mar 25 2012 11:42:09 GMT+0200");
Deleted : user_pref("CT2851647.toolbarContextMenuLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Deleted : user_pref("CT2851647.usagesFlag", 1);
Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT2851647/CT2851647[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1243681/1239354/DE", "\"0\"[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2851647", [...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.10[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2851647",[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=de", "\"673[...]
Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\murxx\\AppData\\Roaming\\Mozilla\\F[...]
Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.10.0.1");
Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://startsear.ch/?aff=1&src=sp&cf=573[...]
Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2851647");
Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2851647");
Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2851647");
Deleted : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Deleted : user_pref("CommunityToolbar.globalUserId", "f6fb261f-5264-41a6-99a9-603318823f72");
Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2851647");
Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Sun Mar 25 2012 11:42:1[...]
Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 60);
Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Sun Mar 25 2012 11:52:33 GMT+020[...]
Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Sun Mar 25 2012 11:42:13 GMT+0200");
Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Deleted : user_pref("CommunityToolbar.notifications.userId", "579f38c6-5c8d-4a05-9155-40e971bbb9f4");
Deleted : user_pref("CommunityToolbar.originalHomepage", "hxxp://www.google.de/");
Deleted : user_pref("CommunityToolbar.originalSearchEngine", "Google");
Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.order.1", "Web Search");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2851647&SearchSource=2&q=[...]

*************************

AdwCleaner[R1].txt - [14115 octets] - [05/06/2012 08:58:23]
AdwCleaner[R2].txt - [14176 octets] - [05/06/2012 09:46:14]
AdwCleaner[S1].txt - [14432 octets] - [05/06/2012 14:19:57]

########## EOF - C:\AdwCleaner[S1].txt - [14561 octets] ##########

4.COmbofix:

Code:

ATTFilter

ComboFix 12-06-05.01 - murxx 05.06.2012  14:29:33.3.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1033.18.2046.1212 [GMT 2:00]
ausgeführt von:: c:\users\murxx\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\murxx\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\64dlls.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\intel64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\Kernel32.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\localsys64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\ntos.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\oembios.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\sdra64.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\sdra73.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\swin32.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\twex.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\twext.exe
c:\documents and settings\tdmbuild.FOXBORO_1\Application Data\wsnpoema.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-05-05 bis 2012-06-05  ))))))))))))))))))))))))))))))
.
.
2012-06-05 12:35 . 2012-06-05 12:35	--------	d-----w-	c:\users\murxx\AppData\Local\temp
2012-06-05 12:35 . 2012-06-05 12:35	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-06-05 12:35 . 2012-06-05 12:35	--------	d-----w-	c:\users\Administrator\AppData\Local\temp
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\users\murxx\AppData\Roaming\Malwarebytes
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\programdata\Malwarebytes
2012-06-03 12:19 . 2012-06-03 12:19	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-06-03 12:19 . 2012-04-04 13:56	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-01 19:17 . 2012-05-08 16:40	6737808	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D01894E5-0449-4077-96F0-CF1FB6E3B486}\mpengine.dll
2012-05-22 21:46 . 2012-05-22 21:46	--------	d-----w-	c:\windows\Downloaded Installations
2012-05-22 21:45 . 2012-05-22 21:45	--------	d-----w-	c:\program files\SIMSCI
2012-05-19 11:39 . 2012-06-02 19:14	--------	d-----w-	c:\users\murxx\AppData\Roaming\TS3Client
2012-05-19 11:39 . 2012-05-19 11:39	--------	d-----w-	c:\program files\TeamSpeak 3 Client
2012-05-11 10:23 . 2012-03-30 10:23	1291632	----a-w-	c:\windows\system32\drivers\tcpip.sys
2012-05-11 10:23 . 2012-03-31 04:30	1221632	----a-w-	c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 10:23 . 2012-03-31 04:29	936960	----a-w-	c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 10:23 . 2012-03-31 04:29	989184	----a-w-	c:\program files\Windows Journal\JNTFiltr.dll
2012-05-11 10:23 . 2012-03-31 04:29	969216	----a-w-	c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 10:23 . 2012-03-17 07:27	56176	----a-w-	c:\windows\system32\drivers\partmgr.sys
2012-05-11 10:23 . 2012-03-31 04:39	3968368	----a-w-	c:\windows\system32\ntkrnlpa.exe
2012-05-11 10:22 . 2012-03-31 04:39	3913072	----a-w-	c:\windows\system32\ntoskrnl.exe
2012-05-11 10:22 . 2012-03-31 02:36	2343424	----a-w-	c:\windows\system32\win32k.sys
2012-05-11 10:21 . 2012-03-03 05:31	1077248	----a-w-	c:\windows\system32\DWrite.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 21:12 . 2011-10-22 16:40	83392	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2012-05-08 21:12 . 2011-10-22 16:40	137928	----a-w-	c:\windows\system32\drivers\avipbb.sys
2012-05-05 02:57 . 2012-04-04 09:56	419488	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-05-05 02:57 . 2011-10-22 22:20	70304	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-06 16:32 . 2011-10-22 22:01	472808	----a-w-	c:\windows\system32\deployJava1.dll
2012-03-25 00:11 . 2012-03-25 00:11	368640	----a-w-	c:\windows\system32\ReWire.dll
2012-03-25 00:11 . 2012-03-25 00:11	233472	----a-w-	c:\windows\system32\REX Shared Library.dll
2012-04-25 14:07 . 2011-10-22 17:14	97208	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-30 98304]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^murxx^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\users\murxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 12:02	254696	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-25 129976]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-05-15 4135800]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 vproiah;vproiah;c:\windows\system32\DRIVERS\vproiah.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-10-22 691696]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-11 36000]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 176128]
S2 AntiVirSchedulerService;Avira Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2012-05-08 86224]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2011-09-09 475088]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [2011-09-09 87976]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 7772160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-19 243712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
S3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [2005-11-02 11596]
.
.
Inhalt des "geplante Tasks" Ordners
.
2012-06-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 02:57]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = www-chache.uni-mannheim.de:3128
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 134.155.96.52 134.155.96.53
FF - ProfilePath - 
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2012-06-05  14:36:55
ComboFix-quarantined-files.txt  2012-06-05 12:36
ComboFix2.txt  2012-06-05 07:45
ComboFix3.txt  2012-06-04 10:07
.
Vor Suchlauf: 186.725.130.240 bytes free
Nach Suchlauf: 186.667.302.912 bytes free
.
- - End Of File - - 9447EC9234CF1BDCB4F861E4237F97BF

5.OTL:

Code:

ATTFilter

OTL logfile created on: 05.06.2012 14:41:36 - Run 3
OTL by OldTimer - Version 3.2.45.0     Folder = C:\Users\murxx\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
2,00 Gb Total Physical Memory | 1,18 Gb Available Physical Memory | 58,90% Memory free
4,00 Gb Paging File | 3,01 Gb Available in Paging File | 75,30% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 297,99 Gb Total Space | 173,92 Gb Free Space | 58,37% Space Free | Partition Type: NTFS
 
Computer Name: MURXX-PC | User Name: murxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.06.02 20:08:18 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\murxx\Desktop\OTL.exe
PRC - [2012.05.08 23:12:49 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.08 23:12:48 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.08 23:12:48 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.08 23:12:48 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.04.04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011.09.09 18:08:54 | 000,475,088 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011.04.20 02:04:38 | 000,393,216 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2011.04.20 02:04:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010.05.04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe
PRC - [2004.09.10 07:00:00 | 000,189,536 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.06.01 21:16:57 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\1a690902e9a6293de228c16fab21e2f7\System.Web.ni.dll
MOD - [2012.06.01 21:16:37 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\90555968565afd59bce4b0974e9903bd\System.Windows.Forms.ni.dll
MOD - [2012.06.01 21:16:32 | 001,590,784 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\69f6e582cb79f107c61308b468c1a215\System.Drawing.ni.dll
MOD - [2012.05.11 21:04:31 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll
MOD - [2012.05.11 21:03:46 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012.05.11 21:03:43 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012.05.11 21:03:42 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012.05.11 21:03:32 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2011.05.28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010.09.30 22:36:20 | 000,270,336 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2010.08.04 15:58:06 | 000,016,384 | R--- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2012.05.20 03:05:06 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.05.08 23:12:49 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.08 23:12:48 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.05.05 04:57:06 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.04.25 16:07:16 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.04.04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.04.04 07:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011.09.09 18:08:54 | 000,475,088 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent)
SRV - [2011.05.16 00:50:00 | 004,135,800 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2011.04.20 02:04:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010.11.20 14:19:33 | 000,068,096 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\Mcx2Svc.dll -- (Mcx2Svc)
SRV - [2010.05.04 12:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpActivator)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetPipeActivator)
SRV - [2010.03.18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetMsmqActivator)
SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.07.14 03:15:41 | 000,075,264 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\mprdim.dll -- (RemoteAccess)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2004.09.10 07:00:00 | 000,189,536 | ---- | M] (SafeNet, Inc) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [File_System | On_Demand | Stopped] -- system32\DRIVERS\vproiah.sys -- (vproiah)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\murxx\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012.05.08 23:12:49 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.08 23:12:49 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.04.04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011.10.22 22:51:51 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2011.10.11 15:00:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011.09.09 18:00:05 | 000,023,464 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpnva.sys -- (vpnva)
DRV - [2011.09.09 17:59:19 | 000,087,976 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\acsock.sys -- (acsock)
DRV - [2011.04.20 02:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2011.04.20 02:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2011.04.20 01:22:10 | 000,243,712 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.11.20 10:42:28 | 000,246,784 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\udfs.sys -- (udfs)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.07.14 03:20:28 | 000,022,096 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\crcdisk.sys -- (crcdisk)
DRV - [2007.12.04 18:10:30 | 000,016,640 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2005.11.02 10:54:44 | 000,011,596 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\copperhd.sys -- (UsbFltr)
DRV - [2004.09.10 07:00:00 | 000,084,064 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\sentinel.sys -- (Sentinel)
DRV - [1998.07.10 18:01:00 | 000,007,328 | ---- | M] () [Unknown (0) | Boot | Unknown] -- C:\Windows\System32\drivers\ds1410d.sys -- (DS1410D)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{70B32755-8E37-45F1-B1C5-15E74D747C7F}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 52 AB 1F B4 D8 90 CC 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://startsear.ch/?aff=1&src=sp&cf=573a6041-12d5-11e1-a722-00241dd2c3b6&q={searchTerms}
IE - HKCU\..\SearchScopes\{70B32755-8E37-45F1-B1C5-15E74D747C7F}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = www-chache.uni-mannheim.de:3128
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@palmsource.com/installer,version=1.0: C:\PROGRA~1\Palm\PACKAG~1\NPInstal.dll ()
FF - HKLM\Software\MozillaPlugins\@rsj.de/prodown:  File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.04.25 16:07:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.06.04 00:32:30 | 000,000,000 | ---D | M]
 
[2012.04.25 16:07:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012.04.25 16:07:16 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.04.06 18:32:32 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011.11.11 00:35:49 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.11.11 00:35:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.11.11 00:35:49 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011.11.11 00:35:49 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.11.11 00:35:49 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.11.11 00:35:49 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2012.06.05 14:35:51 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\murxx\Desktop\PartyPoker.lnk ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\murxx\Desktop\PartyPoker.lnk ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 134.155.96.52 134.155.96.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4476AC6D-B05C-41E9-8E49-31173B642EE1}: DhcpNameServer = 134.155.96.52 134.155.96.53
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
MsConfig - StartUpFolder: C:^Users^murxx^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - State: "startup" - 2
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.06.05 14:37:00 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012.06.05 14:36:57 | 000,000,000 | ---D | C] -- C:\Users\murxx\AppData\Local\temp
[2012.06.05 14:24:15 | 004,537,537 | R--- | C] (Swearware) -- C:\Users\murxx\Desktop\ComboFix.exe
[2012.06.04 11:49:29 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012.06.04 11:49:29 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012.06.04 11:49:29 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012.06.04 11:49:22 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012.06.04 11:39:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012.06.04 04:42:18 | 000,000,000 | ---D | C] -- C:\Users\murxx\Desktop\scanlogs
[2012.06.04 00:32:09 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2012.06.03 22:10:47 | 002,322,184 | ---- | C] (ESET) -- C:\Users\murxx\Desktop\esetsmartinstaller_enu.exe
[2012.06.03 16:55:55 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012.06.03 14:19:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.06.03 14:19:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.06.03 14:19:14 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.06.03 14:19:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.06.02 20:08:17 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\murxx\Desktop\OTL.exe
[2012.05.29 18:16:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2012.05.22 23:46:44 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2012.05.22 23:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\SIMSCI
[2012.05.19 13:39:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
[2012.05.19 13:39:21 | 000,000,000 | ---D | C] -- C:\Program Files\TeamSpeak 3 Client
[2012.05.17 11:35:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diablo III
 
========== Files - Modified Within 30 Days ==========
 
[2012.06.05 14:42:40 | 000,664,936 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.06.05 14:42:40 | 000,128,934 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.06.05 14:38:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.06.05 14:38:05 | 1609,424,896 | -HS- | M] () -- C:\hiberfil.sys
[2012.06.05 14:37:27 | 000,019,088 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.06.05 14:37:27 | 000,019,088 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.06.05 14:35:51 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012.06.05 14:24:25 | 004,537,537 | R--- | M] (Swearware) -- C:\Users\murxx\Desktop\ComboFix.exe
[2012.06.05 08:57:47 | 000,591,235 | ---- | M] () -- C:\Users\murxx\Desktop\adwcleaner.exe
[2012.06.05 08:57:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.06.04 21:01:27 | 000,056,315 | ---- | M] () -- C:\Users\murxx\Desktop\Zombie.jpg
[2012.06.04 00:32:31 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012.06.03 22:10:49 | 002,322,184 | ---- | M] (ESET) -- C:\Users\murxx\Desktop\esetsmartinstaller_enu.exe
[2012.06.03 14:19:15 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.06.03 01:52:48 | 000,001,168 | ---- | M] () -- C:\Windows\FOE2.ini
[2012.06.02 20:09:12 | 000,000,176 | ---- | M] () -- C:\Users\murxx\defogger_reenable
[2012.06.02 20:08:18 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\murxx\Desktop\OTL.exe
[2012.06.02 20:08:07 | 000,050,477 | ---- | M] () -- C:\Users\murxx\Desktop\Defogger.exe
[2012.06.01 15:12:04 | 000,428,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.05.23 08:12:49 | 000,001,713 | ---- | M] () -- C:\Users\Public\Desktop\PROII 8.1.lnk
[2012.05.19 13:39:27 | 000,001,120 | ---- | M] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2012.05.17 11:55:04 | 000,000,921 | ---- | M] () -- C:\Users\Public\Desktop\Diablo III.lnk
[2012.05.08 23:12:49 | 000,137,928 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.05.08 23:12:49 | 000,083,392 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
 
========== Files Created - No Company Name ==========
 
[2012.06.05 08:57:46 | 000,591,235 | ---- | C] () -- C:\Users\murxx\Desktop\adwcleaner.exe
[2012.06.04 21:01:27 | 000,056,315 | ---- | C] () -- C:\Users\murxx\Desktop\Zombie.jpg
[2012.06.04 11:49:29 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012.06.04 11:49:29 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012.06.04 11:49:29 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012.06.04 11:49:29 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012.06.04 11:49:29 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012.06.04 00:32:31 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012.06.04 00:32:31 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012.06.03 14:19:15 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.06.02 20:09:01 | 000,000,176 | ---- | C] () -- C:\Users\murxx\defogger_reenable
[2012.06.02 20:08:06 | 000,050,477 | ---- | C] () -- C:\Users\murxx\Desktop\Defogger.exe
[2012.05.23 08:12:49 | 000,001,713 | ---- | C] () -- C:\Users\Public\Desktop\PROII 8.1.lnk
[2012.05.19 13:39:27 | 000,001,120 | ---- | C] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2012.05.17 11:35:59 | 000,000,921 | ---- | C] () -- C:\Users\Public\Desktop\Diablo III.lnk
[2012.04.02 14:29:26 | 000,007,328 | ---- | C] () -- C:\Windows\System32\drivers\ds1410d.sys
[2012.02.28 17:06:12 | 000,280,976 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2012.02.28 17:06:11 | 000,075,136 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2011.12.08 01:03:48 | 000,001,168 | ---- | C] () -- C:\Windows\FOE2.ini
[2011.10.23 20:07:23 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011.10.22 17:51:56 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.04.20 01:21:02 | 000,037,376 | ---- | C] () -- C:\Windows\System32\atitmpxx.dll
[2011.03.17 17:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2011.02.28 21:30:06 | 000,233,012 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
 
========== LOP Check ==========
 
[2012.06.04 11:38:59 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< %SYSTEMDRIVE%\*. /U /S >
 
< %PROGRAMFILES%\*.exe >
 
< %LOCALAPPDATA%\*.exe >
 
< %systemroot%\*. /mp /s  >
 
< MD5 for: EXPLORER.EXE  >
[2011.02.26 07:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2009.07.14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2011.02.26 07:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2009.10.31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2011.02.26 07:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2010.11.20 14:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\ERDNT\cache\explorer.exe
[2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2009.08.03 07:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009.08.03 07:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009.10.31 08:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
 
< MD5 for: REGEDIT.EXE  >
[2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\ERDNT\cache\regedit.exe
[2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\regedit.exe
[2009.07.14 03:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_f4050b883d2c3c08\regedit.exe
 
< MD5 for: USERINIT.EXE  >
[2010.11.20 14:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\ERDNT\cache\userinit.exe
[2010.11.20 14:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010.11.20 14:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009.07.14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\ERDNT\cache\wininit.exe
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009.07.14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2012.04.04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009.10.28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009.10.28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010.11.20 14:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\ERDNT\cache\winlogon.exe
[2010.11.20 14:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010.11.20 14:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009.07.14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
 
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Required: DebugWindows [binary data]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\\Windows: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-06-01 19:17:17
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 146 bytes -> C:\Users\All Users\TEMP:CB2A6156
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:CB2A6156

< End of report >

OTL hat mir nur die normale OTL.txt ausgespuckt. Hab den ja schon paar mal benutzt aber an den einstellungen nichts verändert. die alte extra.txt is gelöscht.

soll ich ihn mir nochmal neu runterladen und ausführen? oder is an den einstellungen waws falsch ?

Psychotic · 05.06.2012, 15:14

Macht der Rechner noch Probleme? sonst räumen wir auf!

MurXx · 05.06.2012, 15:26

keine offensichtlichen.
Wenn du nichts absonderliches mehr in den Logs siehst, freu ich mich erstmal das ich das System nich neu aufsetzen musste und du kannst hier zu machen.

Viel Dank für deine Hilfe bei dem Problem. Werd dich in mein Morgengebet mit einbetten

MfG
MurXx

05.06.2012, 15:14	#14
Psychotic /// Malwareteam	!Tojaner TR/ATRAPS.GEN2 und TR/Sirefef.AG.35 und andere Macht der Rechner noch Probleme? sonst räumen wir auf! __________________ Kein Asylrecht für Trojaner! Proud Member of UNITE Hinweis: Ich bin nur werktags erreichbar! Anfragen über PM werden ignoriert! Du bist zufrieden mit uns? Dann unterstütze das Trojaner-Board!

!Tojaner TR/ATRAPS.GEN2 und TR/Sirefef.AG.35 und andere

Log-Analyse und Auswertung: !Tojaner TR/ATRAPS.GEN2 und TR/Sirefef.AG.35 und andere