Pests of all kinds and how to fight them: bProtector for Windows searchplugins (Windows 7)

#4 | Helfer-Team

bProtector for Windows searchplugins

Fix with OTL
Download OTL by Oldtimer (if you don't already have it) and save it to your Desktop (not anywhere else).
Code:
:OTL
MOD - c:\ProgramData\bProtectorForWindows\2.2.463.83\protector.dll ()
SRV - (bProtector) -- C:\ProgramData\bProtectorForWindows\2.2.463.83\bProtect.exe (bProtector)
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Programme\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3227975
IE - HKLM\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3227975
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3227975
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Programme\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes,bProtectorDefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes\{31CF9EBE-5755-4a1d-AC25-2834D952D9B4}: "URL" = http://search.pdfcreator-toolbar.org/search?p=Q&ts=ne&w={searchTerms}&csrc=search-field
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes\{379378E5-2813-4E77-81D1-880619D81CB6}: "URL" = http://www.google.de/search?q={searchTerms}
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3227975
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&query={searchTerms}&invocationType=tb50winampie7
IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7.1
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\bProtectorForWindows\2.2.463.83\FirefoxExtension [2012.07.14 17:30:07 | 000,000,000 | ---D | M]
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Reg Error: Value error.) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Programme\Google\GoogleToolbar1.dll (Google Germany GmbH)
O3 - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\Toolbar\WebBrowser: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll ()
O3 - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent File not found
O4 - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000..\Run: [TOSCDSPD] TOSCDSPD.EXE File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe File not found
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe File not found
O9 - Extra Button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url_de.pl?http://www.ebay.de/ File not found
O20 - AppInit_DLLs: (c:\progra~2\bprote~1\22463~1.83\protec~1.dll) - c:\ProgramData\bProtectorForWindows\2.2.463.83\protector.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{15e5c95e-2107-11df-a9b2-00a0d16c74bb}\Shell\AutoRun\command - "" = RECYCLER\autorun.exe
O33 - MountPoints2\{15e5c95e-2107-11df-a9b2-00a0d16c74bb}\Shell\open\command - "" = RECYCLER\autorun.exe
O33 - MountPoints2\{3bc04713-b6a9-11dc-843e-00a0d16c74bb}\Shell - "" = AutoRun
O33 - MountPoints2\{3bc04713-b6a9-11dc-843e-00a0d16c74bb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{3bc0472d-b6a9-11dc-843e-00a0d16c74bb}\Shell - "" = AutoRun
O33 - MountPoints2\{3bc0472d-b6a9-11dc-843e-00a0d16c74bb}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{8423d886-ec3c-11dd-9a8e-00a0d16c74bb}\Shell - "" = AutoRun
O33 - MountPoints2\{8423d886-ec3c-11dd-9a8e-00a0d16c74bb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{c276349d-b95b-11dc-b533-00a0d16c74bb}\Shell - "" = AutoRun
O33 - MountPoints2\{c276349d-b95b-11dc-b533-00a0d16c74bb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{c86227dd-128b-11dd-8f2e-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{c86227dd-128b-11dd-8f2e-806e6f6e6963}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{ce76eadd-1230-11dd-91e7-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{ce76eadd-1230-11dd-91e7-806e6f6e6963}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{ce76ec36-1230-11dd-91e7-00a0d16c74bb}\Shell - "" = AutoRun
O33 - MountPoints2\{ce76ec36-1230-11dd-91e7-00a0d16c74bb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\setup.exe
[2012.07.14 17:31:11 | 000,017,464 | ---- | C] (PerformerSoft LLC) -- C:\Windows\System32\roboot.exe
[2012.07.14 17:30:01 | 000,000,000 | ---D | C] -- C:\ProgramData\bProtectorForWindows
[182 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2012.07.31 09:46:48 | 000,032,128 | ---- | M] () -- C:\Users\Hannes\AppData\Roaming\nvModes.001
[2012.07.30 14:44:58 | 000,032,128 | ---- | M] () -- C:\Users\Hannes\AppData\Roaming\nvModes.dat
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:24051EFF
[2012.07.31 10:25:45 | 000,000,000 | ---D | C] -- C:\Users\Hannes\Desktop\bProtectorForWindows
[2012.07.31 10:03:40 | 000,000,000 | ---D | C] -- C:\Users\Hannes\Desktop\searchplugins
[2012.07.31 07:45:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\searchplugins
[2012.07.31 07:45:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\bProtectorForWindows
[2012.07.20 14:57:09 | 000,000,000 | ---D | C] -- C:\Users\Hannes\bProtectorForWindows
[2012.07.14 17:31:20 | 000,000,000 | ---D | C] -- C:\Users\Hannes\AppData\Roaming\PerformerSoft
[2012.07.14 17:30:57 | 000,000,000 | ---D | C] -- C:\Program Files\PC Performer
[2012.07.14 17:30:39 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012.07.14 17:30:33 | 000,000,000 | ---D | C] -- C:\Users\Hannes\AppData\Local\Conduit
[2012.07.14 17:30:07 | 000,000,000 | ---D | C] -- C:\Users\Hannes\searchplugins
[2012.07.14 17:30:06 | 000,000,000 | ---D | C] -- C:\Windows\System32\Extensions
[2012.07.14 17:30:05 | 000,000,000 | ---D | C] -- C:\Windows\System32\searchplugins
[2012.07.14 17:30:05 | 000,000,000 | ---D | C] -- C:\Windows\System32\bProtectorForWindows
[2012.07.14 17:30:46 | 000,000,009 | ---- | M] () -- C:\END
[2012.07.31 13:25:19 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D9B30BB4-63C0-47D4-A444-A174F9308500}.job
[2012.07.31 12:52:22 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.07.31 12:53:27 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.31 12:53:27 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.31 09:52:01 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[emptyflash]
Note for other readers: the OTL script above was written exclusively for this user in this situation. Never apply it to other computers; it can permanently damage other systems!
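As an added example (not part of the helper's post and not code from the OTL tool), here is a small Python triage script over lines of the shape used in the fix script above. It reads the OTL section tag at the start of each line, applies a rule set of this example's own devising (the categories and severities are assumptions, not OTL's), and shows why entries such as the AppInit_DLLs hook, the EnableLUA = 0 policy and the MountPoints2 autorun handlers are the ones a responder acts on first. The sample lines are copied from the script above.

```python
"""Triage of OTL-style scan lines by the persistence or hijack mechanism they name.

Added example for this thread; it is not the forum post's own code and not part
of the OTL tool. Rules and severities are this example's assumptions. The sample
lines are a subset copied from the fix script in the post.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the lines from the fix script above.
SAMPLE_LINES = [
    r'MOD - c:\ProgramData\bProtectorForWindows\2.2.463.83\protector.dll ()',
    r'SRV - (bProtector) -- C:\ProgramData\bProtectorForWindows\2.2.463.83\bProtect.exe (bProtector)',
    r'DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found',
    r'IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3227975',
    r'IE - HKU\S-1-5-21-3763147448-2540374928-1796028379-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3227975',
    r'IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0',
    r'O20 - AppInit_DLLs: (c:\progra~2\bprote~1\22463~1.83\protec~1.dll) - c:\ProgramData\bProtectorForWindows\2.2.463.83\protector.dll ()',
    r'O32 - HKLM CDRom: AutoRun - 1',
    r'O33 - MountPoints2\{15e5c95e-2107-11df-a9b2-00a0d16c74bb}\Shell\AutoRun\command - "" = RECYCLER\autorun.exe',
    r'O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\setup.exe',
]


@dataclass
class Finding:
    tag: str        # OTL section tag at the start of the line (MOD, SRV, O6, O20, O33, ...)
    category: str   # assumed grouping: persistence, hardening-off, autorun, search-hijack, orphan
    severity: str   # assumed ranking: high / medium / low / info
    reason: str
    target: str     # URL or command the entry points at, when the rule extracts one
    line: str


# (section tag or None for any tag, regex, category, severity, reason template).
# First matching rule wins, so the list runs from most to least specific.
RULES = [
    ("O20", r"AppInit_DLLs", "persistence", "high",
     "AppInit_DLLs injects the listed DLL into every process that loads user32.dll"),
    ("SRV", r"\(bProtector\)", "persistence", "high", "service installed by the bProtector package"),
    ("MOD", r"bProtectorForWindows", "persistence", "medium", "bProtector module loaded in a running process"),
    ("O6", r"EnableLUA = 0", "hardening-off", "high", "UAC is disabled system-wide"),
    ("O6", r"ConsentPromptBehaviorAdmin = 0", "hardening-off", "medium", "administrators elevate without any prompt"),
    ("O33", r'\\command - "" = (?P<target>.+)$', "autorun", "high", "MountPoints2 autorun handler runs {target}"),
    ("O32", r"AutoRun - 1", "autorun", "low", "CD-ROM AutoRun is enabled"),
    ("IE", r"(Start Page|SearchScopes).*= (?P<target>https?://\S+)", "search-hijack", "medium",
     "browser start page or search scope points to {host}"),
    (None, r"File not found$", "orphan", "low", "entry references a file that no longer exists"),
]

SECTION_RE = re.compile(r"^(?P<tag>[A-Z][A-Za-z0-9]*) - ")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def classify(line: str) -> Finding:
    """Apply the first matching rule; anything unmatched is left for manual review."""
    m = SECTION_RE.match(line)
    tag = m.group("tag") if m else ""
    for rule_tag, pattern, category, severity, reason in RULES:
        if rule_tag is not None and rule_tag != tag:
            continue
        hit = re.search(pattern, line)
        if not hit:
            continue
        target = hit.groupdict().get("target") or ""
        host = (urlsplit(target).hostname or "") if target.startswith("http") else ""
        return Finding(tag, category, severity, reason.format(target=target, host=host), target, line)
    return Finding(tag, "unclassified", "info", "no rule matched; review by hand", "", line)


def triage(lines):
    """Classify every non-empty line and order the result from high to info."""
    findings = [classify(l) for l in lines if l.strip()]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings):
    """Count findings per severity, e.g. {'high': 5, 'medium': 4, 'low': 3, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def hijack_hosts(findings):
    """Distinct hosts that the browser start page / search scopes were redirected to."""
    return sorted({urlsplit(f.target).hostname for f in findings if f.category == "search-hijack"})


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"[{f.severity:6}] {f.category:13} {f.tag:4} {f.reason}")
    print("summary:", summarize(results))
    print("search hijack hosts:", hijack_hosts(results))
```

Running it on the sample prints the two MountPoints2 handlers, the AppInit_DLLs hook, the bProtector service and the disabled UAC first; the orphaned driver and Run entries, which only point at files that are gone, come last. That ordering is the point: the fix script removes all of them, but the high entries are the ones that re-infect or weaken the system if missed.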