Log analysis and evaluation: dropper.bcminer / ZeroAccess (Windows 7)
23.07.2012, 22:55 | #1
dropper.bcminer / ZeroAccess

Hello everyone,

after I started Windows this evening I noticed that Microsoft Security Essentials was disabled. When I tried to enable it I got the message (roughly) "cannot be enabled because the process is not installed". Googling showed that this error is associated with the trojan "ZeroAccess Rootkit". I installed Malwarebytes Anti-Malware and scanned with it, and indeed it reported that "ZeroAccess Rootkit" and "dropper.bcminer" had been found. I then clicked "delete" (which was probably a mistake?). Now Malwarebytes only finds "dropper.bcminer", but I don't believe "ZeroAccess Rootkit" has been removed, since the problem with Microsoft Security Essentials still exists. Apart from my disabled virus scanner I have no symptoms at all. While googling I read several times, especially in German forums, that there is no way out and that one should format the hard drive. Also, one should have one's online banking blocked if one uses it (which I do). By the way, I also tried various other things, e.g. tdsskiller.exe, but without success. What is your opinion?

Many thanks in advance.

Here is the content of the OTL txt; contrary to your description, the program only produced this one txt for me.

OTL Logfile:
OTL logfile created on: 23.07.2012 23:22:15 - Run 3
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Hakon\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,67 Gb Available Physical Memory | 66,74% Memory free
8,00 Gb Paging File | 6,71 Gb Available in Paging File | 83,92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,56 Gb Total Space | 27,87 Gb Free Space | 28,57% Space Free | Partition Type: NTFS
Drive D: | 368,10 Gb Total Space | 165,53 Gb Free Space | 44,97% Space Free | Partition Type: NTFS

Computer Name: RIVA | User Name: Hakon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.07.23 23:06:16 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Hakon\Desktop\OTL.exe
PRC - [2012.07.05 18:41:46 | 003,048,136 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2012.01.03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012.04.06 04:16:02 | 000,236,544 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2012.04.05 21:57:34 | 000,361,984 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2012.03.26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2010.04.11 23:46:53 | 001,038,088 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV - [2012.07.23 15:05:18 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.07.05 18:41:46 | 003,048,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012.07.03 13:19:28 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.01.03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010.04.11 23:46:45 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV:64bit: - [2012.04.06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2012.04.06 07:22:40 | 011,174,400 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2012.04.06 03:10:44 | 000,343,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2012.03.20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012.03.05 16:04:30 | 000,053,888 | ---- | M] (Advanced Micro Devices) [Kernel | Auto | Running] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys -- (AODDriver4.1)
DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012.02.23 14:32:04 | 000,095,760 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011.05.18 09:08:32 | 000,047,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 15:32:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.20 15:32:46 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.02.18 09:18:24 | 000,046,136 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdiox64.sys -- (amdiox64)
DRV:64bit: - [2009.08.20 18:00:10 | 000,664,576 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTL8192su.sys -- (RTL8192su)
DRV:64bit: - [2009.08.17 19:20:46 | 001,235,968 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV:64bit: - [2009.07.16 05:38:40 | 000,015,416 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.24 18:23:24 | 000,205,472 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.22 16:52:30 | 000,215,040 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009.05.05 12:30:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
DRV:64bit: - [2008.06.27 07:51:10 | 000,088,632 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\adfs.sys -- (adfs)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009.02.23 13:08:34 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Stopped] -- C:\Windows\SysWOW64\drivers\SSPORT.SYS -- (SSPORT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 C5 8C 4F 05 38 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: easelink@ashi.cn:1.0.2.3
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.5
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_265.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

[2010.05.20 19:57:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hakon\AppData\Roaming\mozilla\Extensions
[2011.05.31 12:45:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hakon\AppData\Roaming\mozilla\Firefox\Profiles\0lfkqygm.default\extensions
[2010.10.02 14:39:11 | 000,000,000 | ---D | M] (Ease Link) -- C:\Users\Hakon\AppData\Roaming\mozilla\Firefox\Profiles\0lfkqygm.default\extensions\easelink@ashi.cn
[2012.03.26 22:01:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.02.26 00:09:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012.02.26 00:09:08 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010.04.12 15:04:18 | 000,000,857 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{208CDA37-D3A7-4830-BCE0-1E9C583D30DE}: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5D9CB366-7D9C-494D-9A6B-8E2394FBCFAE}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.07.23 23:31:32 | 000,000,000 | ---D | C] -- C:\FRST
[2012.07.23 23:06:15 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Hakon\Desktop\OTL.exe
[2012.07.23 22:53:39 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Hakon\Desktop\aswMBR.exe
[2012.07.23 21:34:56 | 001,437,781 | ---- | C] (Farbar) -- C:\Users\Hakon\Desktop\FRST64.exe
[2012.07.23 21:19:01 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Hakon\Desktop\dds.scr
[2012.07.23 20:55:15 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012.07.23 20:54:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Wise Installation Wizard
[2012.07.23 20:52:26 | 000,000,000 | ---D | C] -- C:\Users\Hakon\Desktop\tdsskiller
[2012.07.23 20:33:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Tools
[2012.07.23 20:26:32 | 000,251,528 | ---- | C] (PC Tools) -- C:\Windows\SysNative\drivers\PCTSD64.sys
[2012.07.23 20:26:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PC Tools
[2012.07.23 20:26:13 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012.07.23 20:26:12 | 000,000,000 | ---D | C] -- C:\Users\Hakon\AppData\Roaming\TestApp
[2012.07.23 20:26:12 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2012.07.23 19:53:10 | 000,000,000 | ---D | C] -- C:\Users\Hakon\AppData\Roaming\Malwarebytes
[2012.07.23 19:53:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.07.23 19:53:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.07.23 19:53:03 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.07.23 19:53:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012.07.23 15:01:51 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012.07.19 18:29:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF-XChange PDF Viewer
[2012.07.19 18:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\Tracker Software
[2012.07.19 18:22:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[2012.07.19 18:22:37 | 000,000,000 | ---D | C] -- C:\Users\Hakon\AppData\Roaming\pdfforge
[2012.07.19 18:22:34 | 000,095,744 | ---- | C] (pdfforge GbR) -- C:\Windows\SysNative\pdfcmon.dll
[2012.07.19 18:22:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PDFCreator
[2012.07.16 19:04:13 | 000,000,000 | ---D | C] -- C:\Users\Hakon\AppData\Roaming\Braid
[2012.07.16 18:47:09 | 000,000,000 | ---D | C] -- C:\Users\Hakon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MumboJumbo
[2012.07.16 18:46:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MumboJumbo
[2012.07.04 13:32:49 | 000,000,000 | ---D | C] -- C:\Users\Hakon\AppData\Local\MetaGeek,_LLC
[2012.07.04 13:02:13 | 000,000,000 | ---D | C] -- C:\Users\Hakon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MetaGeek
[2012.07.04 13:02:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\inSSIDer
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.07.23 23:11:44 | 000,020,096 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.23 23:11:44 | 000,020,096 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.23 23:11:31 | 001,507,418 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.07.23 23:11:31 | 000,656,196 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.07.23 23:11:31 | 000,617,860 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.07.23 23:11:31 | 000,131,952 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.07.23 23:11:31 | 000,108,396 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.07.23 23:06:16 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Hakon\Desktop\OTL.exe
[2012.07.23 23:05:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.07.23 23:04:29 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.07.23 23:04:23 | 3220,574,208 | -HS- | M] () -- C:\hiberfil.sys
[2012.07.23 22:55:46 | 000,000,512 | ---- | M] () -- C:\Users\Hakon\Desktop\MBR.dat
[2012.07.23 22:53:57 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Hakon\Desktop\aswMBR.exe
[2012.07.23 22:45:10 | 000,002,198 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012.07.23 22:11:35 | 000,009,026 | ---- | M] () -- C:\Users\Hakon\Documents\cc_20120723_221130.reg
[2012.07.23 21:34:56 | 001,437,781 | ---- | M] (Farbar) -- C:\Users\Hakon\Desktop\FRST64.exe
[2012.07.23 21:21:19 | 000,000,000 | ---- | M] () -- C:\Users\Hakon\defogger_reenable
[2012.07.23 21:19:01 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Hakon\Desktop\dds.scr
[2012.07.23 21:18:57 | 000,881,494 | ---- | M] () -- C:\Users\Hakon\Desktop\SecurityCheck.exe
[2012.07.23 21:18:53 | 000,050,477 | ---- | M] () -- C:\Users\Hakon\Desktop\Defogger.exe
[2012.07.23 20:50:21 | 002,116,765 | ---- | M] () -- C:\Users\Hakon\Desktop\tdsskiller.zip
[2012.07.23 20:26:41 | 002,050,599 | ---- | M] () -- C:\Windows\SysNative\drivers\Cat.DB
[2012.07.23 19:54:03 | 000,001,105 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.07.16 18:54:11 | 000,000,464 | ---- | M] () -- C:\Users\Hakon\Documents\cc_20120716_185404.reg
[2012.07.16 18:47:09 | 000,001,104 | ---- | M] () -- C:\Users\Hakon\Desktop\Braid.lnk
[2012.07.11 14:05:42 | 002,946,480 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.07.05 22:52:08 | 000,002,162 | ---- | M] () -- C:\Users\Public\Documents\cc_20120705_225203.reg
[2012.07.05 13:02:30 | 000,095,744 | ---- | M] (pdfforge GbR) -- C:\Windows\SysNative\pdfcmon.dll
[2012.07.03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.07.01 16:37:34 | 001,527,566 | ---- | M] () -- C:\Users\Hakon\Desktop\Reiserouten.pdf
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.07.23 22:55:46 | 000,000,512 | ---- | C] () -- C:\Users\Hakon\Desktop\MBR.dat
[2012.07.23 22:11:33 | 000,009,026 | ---- | C] () -- C:\Users\Hakon\Documents\cc_20120723_221130.reg
[2012.07.23 21:21:19 | 000,000,000 | ---- | C] () -- C:\Users\Hakon\defogger_reenable
[2012.07.23 21:18:57 | 000,881,494 | ---- | C] () -- C:\Users\Hakon\Desktop\SecurityCheck.exe
[2012.07.23 21:18:52 | 000,050,477 | ---- | C] () -- C:\Users\Hakon\Desktop\Defogger.exe
[2012.07.23 20:50:21 | 002,116,765 | ---- | C] () -- C:\Users\Hakon\Desktop\tdsskiller.zip
[2012.07.23 20:48:26 | 000,232,960 | ---- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U\00000008.@
[2012.07.23 20:26:35 | 002,050,599 | ---- | C] () -- C:\Windows\SysNative\drivers\Cat.DB
[2012.07.23 19:53:04 | 000,001,105 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.07.23 14:58:40 | 000,000,884 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.07.23 14:48:16 | 000,092,160 | ---- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U\80000032.@
[2012.07.23 14:48:16 | 000,080,896 | ---- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U\80000064.@
[2012.07.23 14:48:16 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\L\00000004.@
[2012.07.23 14:48:12 | 000,016,896 | ---- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U\80000000.@
[2012.07.23 14:48:11 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U\00000004.@
[2012.07.23 14:48:11 | 000,001,632 | ---- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U\000000cb.@
[2012.07.16 18:54:09 | 000,000,464 | ---- | C] () -- C:\Users\Hakon\Documents\cc_20120716_185404.reg
[2012.07.16 18:47:09 | 000,001,104 | ---- | C] () -- C:\Users\Hakon\Desktop\Braid.lnk
[2012.07.05 22:52:06 | 000,002,162 | ---- | C] () -- C:\Users\Public\Documents\cc_20120705_225203.reg
[2012.07.01 16:37:26 | 001,527,566 | ---- | C] () -- C:\Users\Hakon\Desktop\Reiserouten.pdf
[2012.04.04 21:30:15 | 000,007,597 | ---- | C] () -- C:\Users\Hakon\AppData\Local\Resmon.ResmonCfg
[2012.03.19 22:34:59 | 000,000,093 | ---- | C] () -- C:\Users\Hakon\AppData\Local\fusioncache.dat
[2012.03.09 06:31:26 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.03.09 06:31:26 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012.01.31 07:00:24 | 000,016,896 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2012.01.20 18:35:07 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\@
[2012.01.20 18:35:07 | 000,002,048 | -HS- | C] () -- C:\Users\Hakon\AppData\Local\{4955abf5-985c-99d6-1d5e-acdd601cd822}\@
[2011.09.13 00:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.07.07 22:35:23 | 000,022,240 | ---- | C] () -- C:\Users\Hakon\Desktop.pdf
[2011.06.20 19:43:07 | 000,218,422 | ---- | C] () -- C:\Users\Hakon\Deskto.pdf
[2011.05.04 14:16:16 | 000,482,408 | ---- | C] () -- C:\Windows\ssndii.exe
[2011.01.26 19:30:21 | 001,528,554 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010.11.20 15:39:58 | 000,088,891 | ---- | C] () -- C:\Windows\War3Unin.dat
[2010.10.05 01:43:27 | 000,029,609 | ---- | C] () -- C:\Users\Hakon\AppData\Roaming\mdbu.bin
[2010.10.02 14:37:58 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010.04.21 20:37:28 | 000,000,218 | ---- | C] () -- C:\Users\Hakon\.recently-used.xbel
[2010.04.21 17:51:15 | 000,032,585 | ---- | C] () -- C:\Users\Hakon\helden.xml
[2010.04.21 17:09:22 | 000,001,976 | ---- | C] () -- C:\Users\Hakon\.heldEinstellungen.xml
[2010.04.21 17:09:21 | 000,000,204 | ---- | C] () -- C:\Users\Hakon\.dsa4.properties

========== LOP Check ==========

[2010.06.30 21:42:23 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\.purple
[2012.07.16 19:04:52 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\Braid
[2011.11.10 15:10:27 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\Canneverbe Limited
[2011.01.28 01:38:13 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\ePaperPress
[2010.05.06 21:09:15 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\FlashGet
[2012.07.10 22:33:53 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\foobar2000
[2010.06.14 20:37:56 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\Foxit Software
[2011.01.12 11:51:22 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\GrabPro
[2010.04.21 20:37:13 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\gtk-2.0
[2010.05.22 02:20:18 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\IN-MEDIAKG
[2011.01.26 20:11:03 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\IrfanView
[2012.01.26 01:36:22 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\KeePass
[2010.05.22 02:20:17 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\mresreg
[2010.10.14 21:10:16 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\Opera
[2011.05.31 12:45:21 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\Orbit
[2012.07.19 18:22:37 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\pdfforge
[2011.01.12 11:51:46 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\ProgSense
[2010.05.31 23:14:37 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\SteelBytes
[2012.07.23 20:26:12 | 000,000,000 | ---D | M] -- C:\Users\Hakon\AppData\Roaming\TestApp
[2012.07.13 20:44:54 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

Here is also the Malwarebytes log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.23.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Hakon :: RIVA [Administrator]

24.07.2012 00:02:00
mbam-log-2012-07-24 (00-02-38).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 188511
Laufzeit: 33 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Windows\Installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Keine Aktion durchgeführt.
(Ende) Ergänzung: Ich bin zu der Überzeugung gelangt, dass es in diesem Fall wohl besser ist, die Festplatte zu formatieren. Das kann ich allerdings erst in ein paar Tagen machen und bis dahin möchte ich den PC noch nutzen. Ich bin daher hauptsächlich daran interessiert zu erfahren, wo ich mir diesen Trojaner eingefangen habe und was die Schwachstelle meines Systems war. Durch Googlen bin ich darauf gekommen, dieses Programm mal auszuführen: hxxp://www.sur-la-toile.com/RogueKiller/ Das hier ist der Log: RogueKiller V7.6.4 [07/17/2012] durch Tigzy mail: tigzyRK<at>gmail<dot>com Kommentare: hxxp://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: hxxp://tigzyrk.blogspot.com Betriebssystem: Windows 7 (6.1.7601 Service Pack 1) 64 bits version Gestartet in: Normal Modus Benutzer: Hakon [Admin Rechte] Funktion: Scannen --Datum: 07/24/2012 10:37:13 ¤¤¤ Böswillige Prozesse: 1 ¤¤¤ [SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc] ¤¤¤ Registry-Einträge: 8 ¤¤¤ [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Hakon\AppData\Local\{4955abf5-985c-99d6-1d5e-acdd601cd822}\n.) 
-> FOUND [HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤ [ZeroAccess][FILE] @ : c:\windows\installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\windows\installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U --> FOUND [ZeroAccess][FOLDER] L : c:\windows\installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\L --> FOUND [ZeroAccess][FILE] n : c:\users\hakon\appdata\local\{4955abf5-985c-99d6-1d5e-acdd601cd822}\n --> FOUND [ZeroAccess][FILE] @ : c:\users\hakon\appdata\local\{4955abf5-985c-99d6-1d5e-acdd601cd822}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\users\hakon\appdata\local\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U --> FOUND [ZeroAccess][FOLDER] L : c:\users\hakon\appdata\local\{4955abf5-985c-99d6-1d5e-acdd601cd822}\L --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND ¤¤¤ Treiber: [NICHT GELADEN] ¤¤¤ ¤¤¤ Infektion : ZeroAccess ¤¤¤ ¤¤¤ Hosts-Datei: ¤¤¤ 127.0.0.1 activate.adobe.com ¤¤¤ MBR überprüfen: ¤¤¤ +++++ PhysicalDrive0: SAMSUNG HD502HJ ATA Device +++++ --- User --- [MBR] 9a31e2eeeef09aa30aae55490f84b705 [BSP] 90615ebc75e26544b9712bb26002398a : Windows 7 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204800000 | Size: 376939 Mo User = LL1 ... OK! User = LL2 ... OK! 
Abgeschlossen : << RKreport[1].txt >> RKreport[1].txt Sehe ich das richtig, dass demnach c2c_service.exe also Skype das Einfallstor für den Trojaner war? |
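An added example, not from the poster or from RogueKiller: a small Python helper that parses report lines in the format quoted above into structured findings, so that what the scanner actually attributes to ZeroAccess (the GUID-named directories, the hijacked UAC value) can be read off separately from entries it merely flags as suspicious, such as the [SUSP PATH] process. The sample lines are taken from the log in this post; the regexes and function names are my own.

```python
import re

# Constructed sample in the RogueKiller report format shown in the post above (same line shapes, trimmed).
SAMPLE_REPORT = r"""
¤¤¤ Böswillige Prozesse: 1 ¤¤¤
[SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]
¤¤¤ Registry-Einträge: 8 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Hakon\AppData\Local\{4955abf5-985c-99d6-1d5e-acdd601cd822}\n.) -> FOUND
¤¤¤ Bestimmte Dateien / Ordner: ¤¤¤
[ZeroAccess][FOLDER] U : c:\windows\installer\{4955abf5-985c-99d6-1d5e-acdd601cd822}\U --> FOUND
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
"""

# A finding line: one or more [TAG] prefixes, a body, then "->" or "-->" and a status word.
FINDING_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-{1,2}>\s*([A-Z]+)")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
GENERIC_TAGS = {"HJ", "SUSP PATH", "FILE", "FOLDER"}  # category tags, not malware families

def parse_report(text):
    """Turn finding lines into dicts; the '¤¤¤' section headers are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        tags = re.findall(r"\[([^\]]+)\]", m.group(1))
        body = m.group(2)
        # process lines read "name -- path", registry and file lines read "name : value"
        item, _, detail = body.partition(" -- " if " -- " in body else " : ")
        findings.append({"tags": tags, "item": item, "detail": detail, "status": m.group(3)})
    return findings

def families(findings):
    """Malware families the scanner attributed findings to (here only ZeroAccess)."""
    return {t for f in findings for t in f["tags"] if t not in GENERIC_TAGS}

def zeroaccess_guids(findings):
    """GUID-named directories referenced by ZeroAccess entries (one per host is typical)."""
    return {g.lower() for f in findings if "ZeroAccess" in f["tags"]
            for g in GUID_RE.findall(f["detail"])}

def uac_disabled(findings):
    """True when a hijack entry shows EnableLUA set to 0, i.e. UAC switched off."""
    return any("EnableLUA (0)" in f["detail"] for f in findings if "HJ" in f["tags"])

def unattributed(findings):
    """Items flagged only by category, e.g. [SUSP PATH]: suspicious, but no proof of the entry point."""
    return [f["item"] for f in findings if not set(f["tags"]) - GENERIC_TAGS]
```

Run on the full report, the same GUID turning up under both C:\Windows\Installer and the user's AppData\Local is what ties the Malwarebytes detection and the RogueKiller entries to one installation.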
27.07.2012, 13:06 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | dropper.bcminer / ZeroAccess
Please first do a routine full scan with Malwarebytes and post the log. => Have ALL local drives (except CD/DVD) checked!
Remember that Malwarebytes must be updated manually before every scan! Please remove all of the Malwarebytes detections so that they are kept in the Malwarebytes quarantine! Do NOT remove ANYTHING from the quarantine prematurely! If logs from earlier Malwarebytes scans exist, please post all of those as well!
ESET Online Scanner
Please post everything here in CODE tags if possible. It is done like this: [code] the log goes here [/code] And the whole thing then looks like this: Code:
the log goes here