Hallo,

Ich habe mir ebenfalls den BKA Trojaner eingefangen. Wenn ich Windows normal starte, sieht man kurz den Desktop und danach öffnen sich ein Popup "Der Computer ist für die Verletzung der Gesetze der Bundesrepublik Deutschland wurde blockiert" mit der Aufforderung per uCash 100 Euro zu zahlen.

Im abgesicherten Modus lässt sich der PC noch hoch fahren. Habe die Anweisungen "an alle Hilfesuchenden" durchgeführt. Allerdings hat mein Rechner kein Zugang zum Internet bekommen, daher konnte ich Malwarebytes nicht updaten. Anbei die Logfiles.
Avira hat bei einem Suchlauf noch 3 Treffer gehabt:
C:/Users/****/Downloads/mp3.exe ; C:/Users/****/AppaData/Roaming/appconf32.exe.vir; C:/Users/****/AppaData/Roaming/AcroIEHelpe180.dll
Ausser dem Avira Scan habe ich noch einen Scan mit Trojan Remover ohne Ergebniss und einmal CCleaner durchlaufen lassen. (Bevor ich mich bei euch schlau gemacht habe)
Vielen Dank im Voraus für eure Hilfe.
OTL Logfile:

Code: Alles auswählenAufklappen

ATTFilter

OTL logfile created on: 06.08.2012 00:56:17 - Run 3
OTL by OldTimer - Version 3.2.56.0     Folder = C:\Users\Sven\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 2,43 Gb Available Physical Memory | 80,87% Memory free
6,00 Gb Paging File | 5,49 Gb Available in Paging File | 91,54% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 298,09 Gb Total Space | 207,77 Gb Free Space | 69,70% Space Free | Partition Type: NTFS
Drive D: | 6,54 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
Drive E: | 249,71 Mb Total Space | 148,70 Mb Free Space | 59,55% Space Free | Partition Type: FAT
 
Computer Name: SVEN-PC | User Name: Sven | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Sven\Desktop\OTL.exe (OldTimer Tools)
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AntiVirSchedulerService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (vsmon) -- C:\Windows\SysWOW64\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (IswSvc) -- C:\Programme\CheckPoint\ZAForceField\ISWSVC.exe (Check Point Software Technologies)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (avipbb) -- C:\Windows\SysNative\drivers\avipbb.sys (Avira GmbH)
DRV:64bit: - (avgntflt) -- C:\Windows\SysNative\drivers\avgntflt.sys (Avira GmbH)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (avkmgr) -- C:\Windows\SysNative\drivers\avkmgr.sys (Avira GmbH)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (ivusb) -- C:\Windows\SysNative\drivers\ivusb.sys (Initio Corporation)
DRV:64bit: - (Vsdatant) -- C:\Windows\SysNative\drivers\vsdatant.sys (Check Point Software Technologies LTD)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (yukonw7) -- C:\Windows\SysNative\drivers\yk62x64.sys (Marvell)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\drivers\ASACPI.sys ()
DRV - (ISWKL) -- C:\Programme\CheckPoint\ZAForceField\ISWKL.sys (Check Point Software Technologies)
DRV - (Vsdatant) -- C:\Windows\SysWOW64\drivers\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\URLSearchHook: {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=hp&babsrc=lnkry_nt
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 90 BA 0A 5D 2E CD CC 01  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
IE - HKCU\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "hxxp://www.dnnd.de/zombie/"
FF - prefs.js..keyword.URL: "hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q="
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_268.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@ngm.nexoneu.com/NxGame: C:\ProgramData\NexonEU\NGM\npNxGameeu.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\PROGRAM FILES\CHECKPOINT\ZAFORCEFIELD\TRUSTCHECKER [2012.03.09 16:32:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker [2012.02.09 08:49:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.06.16 14:22:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.12 07:50:01 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\extensions\\{9A207F60-3F1C-4ED0-972D-0A4CDFBFF803}: C:\Users\Sven\AppData\Roaming\13001.022 [2012.07.12 00:02:15 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.06.16 14:22:16 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.07.12 07:50:01 | 000,000,000 | ---D | M]
 
[2012.01.07 13:23:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sven\AppData\Roaming\mozilla\Extensions
[2012.07.12 08:28:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions
[2012.05.30 23:09:46 | 000,000,000 | ---D | M] (ZoneAlarm-Sicherheit Community Toolbar) -- C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}
[2012.07.12 08:28:36 | 000,000,000 | ---D | M] ("Linkury Smartbar") -- C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\helperbar@helperbar.com
[2012.07.11 22:26:10 | 000,002,474 | ---- | M] () -- C:\Users\Sven\AppData\Roaming\Mozilla\Firefox\Profiles\ak3ecn9e.default\searchplugins\Web Search.xml
[2012.05.09 22:51:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.03.10 08:09:42 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012.07.12 00:02:15 | 000,000,000 | ---D | M] (Java Link Helper) -- C:\USERS\SVEN\APPDATA\ROAMING\13001.022
[2012.06.16 14:22:16 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.04.16 17:07:02 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011.12.09 19:23:32 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2012.05.09 22:51:22 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.05.09 22:51:22 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.05.09 22:51:22 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.05.09 22:51:22 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.05.09 22:51:22 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.05.09 22:51:22 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (ZoneAlarm-Sicherheit Toolbar) - {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.)
O3:64bit: - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (ZoneAlarm-Sicherheit Toolbar) - {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.)
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm-Sicherheit Toolbar) - {FC2B76FC-2132-4D80-A9A3-1F5C6E49066B} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.)
O4:64bit: - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files (x86)\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files (x86)\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Browser Infrastructure Helper] C:\Users\Sven\AppData\Local\Smartbar\Application\Linkury.exe (Smartbar)
O4 - HKCU..\Run: [KPeerNexonEU] C:\Nexon\NEXON_EU_Downloader\nxEULauncher.exe (NEXON Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [VaultSysUi] C:\Users\Sven\AppData\Local\Microsoft\Windows\144\VaultSysUi.exe ()
O4 - Startup: C:\Users\Sven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3B0495CA-B9B7-4831-BBDE-3182AF83FAD2}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.06 00:55:51 | 000,000,000 | ---D | C] -- C:\Users\Sven\Desktop\Neuer Ordner (2)
[2012.08.06 00:20:18 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\Malwarebytes
[2012.08.06 00:19:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.08.06 00:19:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.08.06 00:19:48 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.08.06 00:19:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012.08.06 00:03:07 | 010,652,120 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Users\Sven\Desktop\mbam-setup-1.62.0.1300.exe
[2012.08.05 23:21:10 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Sven\Desktop\OTL.exe
[2012.08.05 22:00:01 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\hellomoto
[2012.08.03 18:33:27 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\13001.033
[2012.07.30 20:33:08 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\Tropico 3
[2012.07.30 09:36:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AMD APP
[2012.07.30 09:34:06 | 000,000,000 | ---D | C] -- C:\AMD
[2012.07.29 15:53:02 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Local\Macromedia
[2012.07.29 07:46:57 | 000,426,184 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.07.12 14:50:01 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Local\ElevatedDiagnostics
[2012.07.12 08:19:58 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012.07.12 08:19:17 | 000,000,000 | ---D | C] -- C:\Users\Sven\Documents\Simply Super Software
[2012.07.12 08:19:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trojan Remover
[2012.07.12 08:19:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trojan Remover
[2012.07.12 08:19:06 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\Simply Super Software
[2012.07.12 08:19:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2012.07.11 22:25:33 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Local\Smartbar
[2012.07.11 14:31:19 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\13001.022
[2012.07.11 12:05:47 | 000,000,000 | ---D | C] -- C:\Users\Sven\Desktop\Bewerbung
[2012.07.11 09:54:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[2012.07.11 09:54:40 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\pdfforge
[2012.07.11 09:54:38 | 001,071,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCTL.OCX
[2012.07.11 09:54:38 | 000,662,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCT2.OCX
[2012.07.11 09:54:38 | 000,137,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSMAPI32.OCX
[2012.07.11 09:54:38 | 000,095,744 | ---- | C] (pdfforge GbR) -- C:\Windows\SysNative\pdfcmon.dll
[2012.07.11 09:54:37 | 000,158,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCMCDE.DLL
[2012.07.11 09:54:37 | 000,125,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\VB6DE.DLL
[2012.07.11 09:54:37 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCC2DE.DLL
[2012.07.11 09:54:37 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSMPIDE.DLL
[2012.07.11 09:54:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PDFCreator
[2012.07.11 09:54:37 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\OpenCandy
[2012.07.11 08:57:51 | 000,000,000 | ---D | C] -- C:\Users\Sven\Desktop\Zeugnisse
[2012.07.11 03:29:32 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2012.07.11 03:29:32 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml3r.dll
[2012.07.11 03:29:27 | 000,307,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2012.07.11 03:29:24 | 001,462,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2012.07.11 03:29:24 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
[2012.07.11 03:29:17 | 000,805,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cdosys.dll
[2012.07.11 03:29:16 | 001,133,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdosys.dll
[2012.07.11 03:00:59 | 000,294,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browserchoice.exe
[2012.07.10 14:42:44 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\13001.021
[2012.07.09 13:02:26 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\13001.020
[2012.07.09 08:52:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012.07.09 08:52:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Steam
[2012.07.08 19:02:03 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\UAs
[2012.07.08 15:03:18 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\13001.019
[2012.07.08 15:03:00 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\xmldm
[2012.07.08 15:02:58 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\kock
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]
[1 C:\Users\Sven\AppData\Roaming\*.tmp files -> C:\Users\Sven\AppData\Roaming\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.06 00:46:00 | 000,000,355 | ---- | M] () -- C:\Users\Sven\Desktop\Computer - Verknüpfung.lnk
[2012.08.06 00:30:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.06 00:30:24 | 2415,169,536 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.06 00:19:49 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.08.06 00:10:28 | 010,652,120 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Users\Sven\Desktop\mbam-setup-1.62.0.1300.exe
[2012.08.05 23:29:46 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Sven\Desktop\OTL.exe
[2012.08.05 23:18:29 | 001,472,002 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012.08.05 23:18:29 | 000,643,628 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2012.08.05 23:18:29 | 000,606,992 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012.08.05 23:18:29 | 000,126,188 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2012.08.05 23:18:29 | 000,103,370 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012.08.05 23:18:26 | 000,000,000 | ---- | M] () -- C:\Users\Sven\defogger_reenable
[2012.08.05 23:17:30 | 000,050,477 | ---- | M] () -- C:\Users\Sven\Desktop\Defogger.exe
[2012.08.05 23:02:08 | 000,021,856 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.05 23:02:08 | 000,021,856 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.29 07:46:57 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012.07.29 07:46:57 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012.07.12 08:19:09 | 000,001,139 | ---- | M] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2012.07.12 07:55:31 | 000,000,051 | ---- | M] () -- C:\Users\Sven\AppData\Roaming\blckdom.res
[2012.07.12 07:45:44 | 000,292,872 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012.07.11 09:54:41 | 000,001,200 | ---- | M] () -- C:\Users\Public\Desktop\PDFArchitect.lnk
[2012.07.11 09:54:41 | 000,001,031 | ---- | M] () -- C:\Users\Public\Desktop\PDFCreator.lnk
[2012.07.09 08:52:24 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ]
[1 C:\Users\Sven\AppData\Roaming\*.tmp files -> C:\Users\Sven\AppData\Roaming\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.08.06 00:46:00 | 000,000,355 | ---- | C] () -- C:\Users\Sven\Desktop\Computer - Verknüpfung.lnk
[2012.08.06 00:19:49 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.08.05 23:18:26 | 000,000,000 | ---- | C] () -- C:\Users\Sven\defogger_reenable
[2012.08.05 23:17:40 | 000,050,477 | ---- | C] () -- C:\Users\Sven\Desktop\Defogger.exe
[2012.07.12 08:19:09 | 000,001,139 | ---- | C] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2012.07.12 08:19:07 | 000,153,088 | ---- | C] () -- C:\Windows\SysWow64\UNRAR3.dll
[2012.07.12 08:19:07 | 000,075,264 | ---- | C] () -- C:\Windows\SysWow64\unacev2.dll
[2012.07.11 09:54:41 | 000,001,200 | ---- | C] () -- C:\Users\Public\Desktop\PDFArchitect.lnk
[2012.07.11 09:54:41 | 000,001,031 | ---- | C] () -- C:\Users\Public\Desktop\PDFCreator.lnk
[2012.07.09 08:52:24 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2012.07.08 15:03:10 | 000,000,051 | ---- | C] () -- C:\Users\Sven\AppData\Roaming\blckdom.res
[2012.01.07 02:15:18 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.11.10 04:36:06 | 000,204,960 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2011.11.10 04:36:06 | 000,157,152 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2011.09.13 01:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.05.31 08:39:50 | 000,058,368 | ---- | C] () -- C:\Windows\SysWow64\bdmpegv.dll
[2011.05.31 08:38:18 | 000,015,360 | ---- | C] () -- C:\Windows\SysWow64\bdmjpeg.dll
 
========== LOP Check ==========
 
[2012.07.08 15:03:18 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\13001.019
[2012.07.09 13:02:26 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\13001.020
[2012.07.10 14:42:44 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\13001.021
[2012.07.12 00:02:15 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\13001.022
[2012.08.03 18:33:27 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\13001.033
[2012.01.07 13:29:45 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\CheckPoint
[2012.08.05 22:00:17 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\hellomoto
[2012.07.08 15:02:58 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\kock
[2012.02.12 10:36:46 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\Might & Magic Heroes VI
[2012.07.11 09:54:37 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\OpenCandy
[2012.04.10 10:37:15 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\OpenOffice.org
[2012.07.11 09:58:21 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\pdfforge
[2012.07.12 08:19:06 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\Simply Super Software
[2012.07.31 13:30:14 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\Tropico 3
[2012.07.09 08:34:28 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\UAs
[2012.01.07 17:13:57 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\wargaming.net
[2012.07.09 08:35:30 | 000,000,000 | ---D | M] -- C:\Users\Sven\AppData\Roaming\xmldm
[2012.05.27 10:43:49 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:CB0AACC9

< End of report >
         

--- --- ---

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

• Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
• Starte die OTL.exe.
  Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
• Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:

Code: Alles auswählenAufklappen

ATTFilter

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC 
IE - HKLM\..\URLSearchHook: {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) 
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5} 
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms} 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC 
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms} 
IE - HKCU\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5} 
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q={searchTerms} 
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC 
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550 
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
FF - prefs.js..browser.search.update: false 
FF - prefs.js..browser.startup.homepage: "http://www.dnnd.de/zombie/" 
FF - prefs.js..keyword.URL: "http://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q=" 
FF - user.js - File not found 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_268.dll File not found 
O2:64bit: - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) 
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) 
O2 - BHO: (ZoneAlarm-Sicherheit Toolbar) - {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) 
O3:64bit: - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) 
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) 
O3 - HKLM\..\Toolbar: (ZoneAlarm-Sicherheit Toolbar) - {fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) 
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) 
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies) 
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm-Sicherheit Toolbar) - {FC2B76FC-2132-4D80-A9A3-1F5C6E49066B} - C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll (Conduit Ltd.) 
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD) 
O4 - HKCU..\Run: [Browser Infrastructure Helper] C:\Users\Sven\AppData\Local\Smartbar\Application\Linkury.exe (Smartbar) 
O4 - HKCU..\Run: [VaultSysUi] C:\Users\Sven\AppData\Local\Microsoft\Windows\144\VaultSysUi.exe () 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites) 
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites) 
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites) 
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites) 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) 
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) 
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) 
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found 
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found 
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 

[2012.07.12 08:19:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Temp 
 
[1 C:\Windows\SysNative\drivers\*.tmp files -> C:\Windows\SysNative\drivers\*.tmp -> ] 

@Alternate Data Stream - 146 bytes -> C:\ProgramData\Temp:CB0AACC9 
[2012.05.30 23:09:46 | 000,000,000 | ---D | M] (ZoneAlarm-Sicherheit Community Toolbar) -- C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} 

[2012.08.05 22:00:01 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\hellomoto 

[2012.07.11 09:54:37 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\OpenCandy 

[2012.07.08 19:02:03 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\UAs 
[2012.07.08 15:02:58 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\kock 
[2012.07.08 15:03:18 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\13001.019 
[2012.07.08 15:03:00 | 000,000,000 | ---D | C] -- C:\Users\Sven\AppData\Roaming\xmldm 
[2012.07.08 15:03:10 | 000,000,051 | ---- | C] () -- C:\Users\Sven\AppData\Roaming\blckdom.res 

:Files

ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[emptyflash]
         

• Schließe alle Programme.
• Klicke auf den Fix Button.
• Wenn OTL einen Neustart verlangt, bitte zulassen.
• Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
  Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

Super, Vielen Dank für die schnelle Hilfe. Rechner funktioniert soweit wieder. Warte auf weitere Anweisungen. Anbei gewünschtes Logfile:

Code: Alles auswählenAufklappen

ATTFilter

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\ deleted successfully.
C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Prefs.js: false removed from browser.search.update
Prefs.js: "hxxp://www.dnnd.de/zombie/" removed from browser.startup.homepage
Prefs.js: "hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=ds&babsrc=lnkry&q=" removed from keyword.URL
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}\ deleted successfully.
C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}\ deleted successfully.
C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\ not found.
File C:\Program Files (x86)\ZoneAlarm-Sicherheit\prxtbZone.dll not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ deleted successfully.
File C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ deleted successfully.
File C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\ not found.
File Sicherheit\prxtbZone.dll not found.
64bit-Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
File C:\Programme\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
File C:\Programme\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B}\ not found.
File Sicherheit\prxtbZone.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ZoneAlarm Client deleted successfully.
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Browser Infrastructure Helper deleted successfully.
C:\Users\Sven\AppData\Local\Smartbar\Application\Linkury.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\VaultSysUi deleted successfully.
C:\Users\Sven\AppData\Local\Microsoft\Windows\144\VaultSysUi.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\ProgramData\Temp folder moved successfully.
C:\Windows\SysNative\drivers\~GLH0023.TMP deleted successfully.
Unable to delete ADS C:\ProgramData\Temp:CB0AACC9 .
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\searchplugin folder moved successfully.
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\Plugins folder moved successfully.
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\modules folder moved successfully.
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\META-INF folder moved successfully.
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\defaults folder moved successfully.
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\components folder moved successfully.
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b}\chrome folder moved successfully.
C:\Users\Sven\AppData\Roaming\mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\{fc2b76fc-2132-4d80-a9a3-1f5c6e49066b} folder moved successfully.
C:\Users\Sven\AppData\Roaming\hellomoto folder moved successfully.
C:\Users\Sven\AppData\Roaming\OpenCandy\83CFEC690F0F437099AC37E9202120AA folder moved successfully.
C:\Users\Sven\AppData\Roaming\OpenCandy folder moved successfully.
C:\Users\Sven\AppData\Roaming\UAs folder moved successfully.
C:\Users\Sven\AppData\Roaming\kock folder moved successfully.
C:\Users\Sven\AppData\Roaming\13001.019\components folder moved successfully.
C:\Users\Sven\AppData\Roaming\13001.019 folder moved successfully.
C:\Users\Sven\AppData\Roaming\xmldm folder moved successfully.
C:\Users\Sven\AppData\Roaming\blckdom.res moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache konnte nicht geleert werden: Beim Ausf�hren der Funktion ist ein Fehler aufgetreten.
C:\Users\Sven\Desktop\cmd.bat deleted successfully.
C:\Users\Sven\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Sven
->Temp folder emptied: 2974808 bytes
->Temporary Internet Files folder emptied: 1879537 bytes
->Java cache emptied: 15113 bytes
->FireFox cache emptied: 60342715 bytes
->Flash cache emptied: 756 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1218152 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50568 bytes
RecycleBin emptied: 2786984378 bytes
 
Total Files Cleaned = 2.721,00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: All Users
 
User: Default
 
User: Default User
 
User: Public
 
User: Sven
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0,00 mb
 
 
OTL by OldTimer - Version 3.2.56.0 log created on 08062012_172149

Files\Folders moved on Reboot...
C:\Users\Sven\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Sven\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...
         

Sehr gut!

Wie laeuft der Rechner?

1. Schritt

Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Malwarebytes Anti-Malware
- Anwendbar auf Windows 2000, XP, Vista und 7.
- Installiere das Programm in den vorgegebenen Pfad.
- Aktualisiere die Datenbank!
- Aktiviere "Komplett Scan durchführen" => Scan.
- Wähle alle verfügbaren Laufwerke (ausser CD/DVD) aus und starte den Scan.
- Funde bitte löschen lassen oder in Quarantäne.
- Wenn der Scan beendet ist, klicke auf "Zeige Resultate".

danach:

2. Schritt

Downloade Dir bitte AdwCleaner auf deinen Desktop.

• Starte die adwcleaner.exe mit einem Doppelklick.
• Klicke auf Search.
• Nach Ende des Suchlaufs öffnet sich eine Textdatei.
• Poste mir den Inhalt mit deiner nächsten Antwort.
• Die Logdatei findest du auch unter C:\AdwCleaner[R1].txt.

Hallo,

Cpu läuft soweit normal. Antivir hat sich gerade gemeldet mit einem TR-Fund in moved files von OTL, schätz mal das geht in Ordnung, wollte es dennoch mal erwähnen insbesondere weil der Malwarebytes-scan nichts gefunden hat.
Vielen Dank für deine Hilfe. Anbei gewünschte Textdatei (und Malwarebytes-resultat):

Code: Alles auswählenAufklappen

ATTFilter

# AdwCleaner v1.800 - Logfile created 08/07/2012 at 18:38:58
# Updated 01/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Sven - SVEN-PC
# Running from : C:\Users\Sven\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Sven\AppData\Local\Conduit
Folder Found : C:\Users\Sven\AppData\Local\Smartbar
Folder Found : C:\Users\Sven\AppData\LocalLow\Conduit
Folder Found : C:\Users\Sven\AppData\LocalLow\ZoneAlarm-Sicherheit
Folder Found : C:\Users\Sven\AppData\Roaming\pdfforge
Folder Found : C:\Users\Sven\AppData\Roaming\Mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\helperbar@helperbar.com
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\ZoneAlarm-Sicherheit

***** [Registry] *****
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2613550
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Smartbar
Key Found : HKCU\Software\SmartbarBackup
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\ZoneAlarm-Sicherheit
[x64] Key Found : HKCU\Software\AppDataLow\Software\Conduit
[x64] Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
[x64] Key Found : HKCU\Software\AppDataLow\Toolbar
[x64] Key Found : HKCU\Software\Smartbar
[x64] Key Found : HKCU\Software\SmartbarBackup

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A29413B9-7926-423A-9D8E-ADEEA0C91CD9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{40C22E8C-1EB5-4FC5-BAAF-7BE1F62BBC0D}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D8A76A3B-6102-41B0-B515-AFB7F0F472EB}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A29413B9-7926-423A-9D8E-ADEEA0C91CD9}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
[x64] Key Found : HKLM\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
[x64] Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
[x64] Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B}
[x64] Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v13.0.1 (de)

Profile name : default 
File : C:\Users\Sven\AppData\Roaming\Mozilla\Firefox\Profiles\ak3ecn9e.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3782 octets] - [07/08/2012 18:38:58]

########## EOF - C:\AdwCleaner[R1].txt - [3910 octets] ##########
         

Code: Alles auswählenAufklappen

ATTFilter

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.08.07.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Sven :: SVEN-PC [Administrator]

07.08.2012 17:56:21
mbam-log-2012-08-07 (17-56-21).txt

Art des Suchlaufs: Vollständiger Suchlauf (A:\|C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 290596
Laufzeit: 39 Minute(n), 12 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
         

Sehr gut!

• Schließe alle offenen Programme und Browser.
• Starte die adwcleaner.exe mit einem Doppelklick.
• Klicke auf Delete.
• Bestätige jeweils mit Ok.
• Dein Rechner wird neu gestartet. Nach dem Neustart öffnet sich eine Textdatei.
• Poste mir den Inhalt mit deiner nächsten Antwort.
• Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.

danach:


Malware-Scan mit Emsisoft Anti-Malware

Lade die Gratisversion von => Emsisoft Anti-Malware herunter und installiere das Programm.
Lade über Jetzt Updaten die aktuellen Signaturen herunter.
Wähle den Freeware-Modus aus.

Wähle Detail Scan und starte über den Button Scan die Überprüfung des Computers.
Am Ende des Scans nichts loeschen lassen!. Mit Klick auf Bericht speichern das Logfile auf dem Desktop speichern und hier in den Thread posten.

Anleitung: http://www.trojaner-board.de/103809-...i-malware.html

Hallo,

leider updated sich Emisoft Malware nicht (findet kein Zugang zum Internet, allerdings kann ich ansonsten ohne Probleme ins Internet.) Ich scan jetzt trotzdem mal ohne update (macht eigentlich nicht viel Sinn, oder?) und poste es dann hier. Anbei schicke ich schon mal das Logfile von AdwCleaner:

Code: Alles auswählenAufklappen

ATTFilter

# AdwCleaner v1.800 - Logfile created 08/07/2012 at 20:35:46
# Updated 01/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Sven - SVEN-PC
# Running from : C:\Users\Sven\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Sven\AppData\Local\Conduit
Folder Deleted : C:\Users\Sven\AppData\Local\Smartbar
Folder Deleted : C:\Users\Sven\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Sven\AppData\LocalLow\ZoneAlarm-Sicherheit
Folder Deleted : C:\Users\Sven\AppData\Roaming\pdfforge
Folder Deleted : C:\Users\Sven\AppData\Roaming\Mozilla\Firefox\Profiles\ak3ecn9e.default\extensions\helperbar@helperbar.com
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\ZoneAlarm-Sicherheit

***** [Registry] *****
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2613550
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Smartbar
Key Deleted : HKCU\Software\SmartbarBackup
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\ZoneAlarm-Sicherheit

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A29413B9-7926-423A-9D8E-ADEEA0C91CD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{40C22E8C-1EB5-4FC5-BAAF-7BE1F62BBC0D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D8A76A3B-6102-41B0-B515-AFB7F0F472EB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A29413B9-7926-423A-9D8E-ADEEA0C91CD9}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC2B76FC-2132-4D80-A9A3-1F5C6E49066B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
[x64] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
[x64] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
[x64] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v13.0.1 (de)

Profile name : default 
File : C:\Users\Sven\AppData\Roaming\Mozilla\Firefox\Profiles\ak3ecn9e.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3887 octets] - [07/08/2012 18:38:58]
AdwCleaner[S1].txt - [3383 octets] - [07/08/2012 20:35:46]

########## EOF - C:\AdwCleaner[S1].txt - [3511 octets] ##########
         

Deaktiviere mal die Firewall.

Hallo,

hab ich ausprobiert (Windows-Firewall), updated leider trotzdem nicht.

Deinstalliere Zonealarm das ist schwachsinniger Muell.

Hab Müll entfernt, hat geklappt (Upgedated). Hier ist das Resultat vom Detailscan:

Code: Alles auswählenAufklappen

ATTFilter

Emsisoft Anti-Malware - Version 6.6
Letztes Update: 08.08.2012 14:48:23

Scan Einstellungen:

Scan Methode: Detail Scan
Objekte: Rootkits, Speicher, Traces, C:\
Archiv Scan: An
ADS Scan: An

Scan Beginn:	08.08.2012 14:49:29


Gescannt	537978
Gefunden	0

Scan Ende:	08.08.2012 15:26:33
Scan Zeit:	0:37:04
         

Sehr gut!


Deinstalliere:
Emsisoft Anti-Malware


ESET Online Scanner

Vorbereitung

• Schließe evtl. vorhandene externe Festplatten und/oder sonstigen Wechselmedien (z. B. evtl. vorhandene USB-Sticks) an den Rechner an.
• Bitte während des Online-Scans Anti-Virus-Programm und Firewall deaktivieren.
• Vista/Win7-User: Bitte den Browser unbedingt als Administrator starten.

Los geht's

• Lade und starte Eset Smartinstaller
• Haken setzen bei YES, I accept the Terms of Use.
• Klick auf Start.
• Haken setzen bei Remove found threads und Scan archives.
• Klick auf Start.
• Signaturen werden heruntergeladen, der Scan beginnt automatisch.
• Finish drücken.
• Browser schließen.
• Explorer öffnen.
• C:\Programme\Eset\EsetOnlineScanner\log.txt (manchmal auch C:\Programme\Eset\log.txt) suchen und mit Deinem Editor öffnen.
• Logfile hier posten.
• Deinstallation: Systemsteuerung => Software => Eset Online Scanner V3 entfernen.
• Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

Hier ist das angeforderte Logfile:

Code: Alles auswählenAufklappen

ATTFilter

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=eb53c054a45a9c4abb7c305214208c64
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-08 03:28:07
# local_time=2012-08-08 05:28:07 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1792 16777215 100 0 18504491 18504491 0 0
# compatibility_mode=5893 16776573 100 94 91572 96067114 0 0
# compatibility_mode=8192 67108863 100 0 200 200 0 0
# scanned=97626
# found=1
# cleaned=1
# scan_time=2422
C:\Users\Sven\AppData\Roaming\13001.033\components\AcroFF033.dll	probably a variant of Win32/Spy.Banker.YCR trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
         

Malware mit Combofix beseitigen

Lade Combofix von einem der folgenden Download-Spiegel herunter:

BleepingComputer.com - ForoSpyware.com

und speichere das Programm auf den Desktop, nicht woanders hin, das ist wichtig!
Beachte die ausführliche Original-Anleitung.

Zurzeit ist Combofix auf folgenden Windows-Versionen lauffähig:

• Windows XP (nur 32-bit)
• Windows Vista (32-bit/64-bit)
• Windows 7 (32-bit/64-bit)

Vorbereitung und wichtige Hinweise

• Bitte während des Scans mit Combofix Antiviren- sowie Antispy-Programme, die Firewall und evtl. vorhandenes Skript-Blocking (Norton) deaktivieren.
• Liste der zu deaktivierenden Programme.
  Bei Unklarheiten bitte fragen.

• ComboFix wird Deine Einstellungen in Bezug auf den Bildschirmschoner zurücksetzen.
• Diese Einstellungen kannst Du nach Beendigung unserer Bereinigung wieder ändern.
• Mache nichts anderes, wenn es Dir nicht gelungen ist, Combofix laufen zu lassen.
• Teile uns das mit und warte auf unsere Anweisungen.

• Starte die Combofix.exe mit Rechtsklick => Als Administrator ausführen und folge den Anweisungen.
• Während des Laufs von Combofix nichts anderes am Computer machen!
• Akzeptiere die Bedingungen (Disclaimer) mit "Ja".

• Sollte Combofix eine aktuellere Version anbieten, Downlaod erlauben.
• Klicke "Ja", um mit dem Suchlauf nach Malware fortzufahren.
• Es erscheint eine blaue Eingabeaufforderung, Combofix wird für den Suchlauf vorbereitet.
• Bitte nicht in dieses Combofix-Fenster klicken.
• Das könnte Dein System einfrieren oder hängen bleiben lassen.
• Es wird ein Backup Deiner Registry erstellt.
• Nun werden die einzelnen Stufen des Programms abgearbeitet, das kann eine Weile dauern.

• Wenn ComboFix fertig ist, wird es ein Log erstellen (bitte warten, das dauert einen Moment).
• Unbedingt warten, bis sich das Combofix-Fenster geschlossen hat und das Logfile im Editor erscheint.
• Bitte poste die Log-Dateien C:\ComboFix.txt und C:\Qoobox\Add-Remove Programs.txt in Code-Tags hier in den Thread.

• Hinweis: Combofix macht aus verschiedenen Gründen den Internet Explorer zum Standard-Browser und erstellt ein IE-Icon auf dem Desktop.
• Das IE-Desktop-Icon kannst Du nach der Bereinigung wieder löschen und Deinen bevorzugten Browser wieder als Standard-Browser einstellen.

Combofix nicht auf eigene Faust einsetzen. Wenn keine entsprechende Infektion vorliegt, kann das den Rechner lahmlegen und/oder nachhaltig schädigen!

Sry, jetzt hab ich Mist gebaut, dachte ich kann combo-fix vom Download-ordner auf den Desktop installieren, und dann hat es sich gleich gestartet (vom Downloadordner), hab dann noch versucht schnell die windows-firewall auszuschalten (avira und defender war schon aus) also den haken hab ich noch gesetzt... seufz, mea culpa. Ich kann die angeforderten .txt. dateien nicht öffnen, da heisst es " Es wurde versucht, ein Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen der zum löschen markiert wurde". Kann nur das Logfile, das sich nach beenden von Combo-fix von selbst geöffnet hat anbieten. Hier das Logfile:

Code: Alles auswählenAufklappen

ATTFilter

ComboFix 12-08-07.05 - Sven 08.08.2012  18:20:33.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.3071.1692 [GMT 2:00]
ausgeführt von:: c:\users\Sven\Downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Sven\AppData\Roaming\AcroIEHelpe.txt
c:\users\Sven\AppData\Roaming\srvblck5.tmp
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-07-08 bis 2012-08-08  ))))))))))))))))))))))))))))))
.
.
2012-08-08 04:50 . 2012-08-08 04:50	--------	d-----w-	c:\windows\Internet Logs
2012-08-07 15:09 . 2012-08-08 15:56	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2012-08-07 13:21 . 2012-06-29 10:04	9133488	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{5DAA11FA-DB4D-4912-BF95-99FC6C08E3E4}\mpengine.dll
2012-08-06 15:21 . 2012-08-06 15:21	--------	d-----w-	C:\_OTL
2012-08-05 23:00 . 2012-08-05 23:00	--------	d-----w-	c:\program files (x86)\7-Zip
2012-08-05 22:20 . 2012-08-05 22:20	--------	d-----w-	c:\users\Sven\AppData\Roaming\Malwarebytes
2012-08-05 22:19 . 2012-08-05 22:19	--------	d-----w-	c:\programdata\Malwarebytes
2012-08-03 16:33 . 2012-08-03 16:33	--------	d-----w-	c:\users\Sven\AppData\Roaming\13001.033
2012-07-30 18:33 . 2012-07-31 11:30	--------	d-----w-	c:\users\Sven\AppData\Roaming\Tropico 3
2012-07-30 07:36 . 2012-07-30 07:36	--------	d-----w-	c:\program files (x86)\AMD APP
2012-07-30 07:34 . 2012-07-30 07:34	--------	d-----w-	C:\AMD
2012-07-29 13:53 . 2012-07-29 13:53	--------	d-----w-	c:\users\Sven\AppData\Local\Macromedia
2012-07-29 05:46 . 2012-07-29 05:46	426184	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 12:50 . 2012-08-05 20:13	--------	d-----w-	c:\users\Sven\AppData\Local\ElevatedDiagnostics
2012-07-11 22:15 . 2012-06-12 03:08	3148800	----a-w-	c:\windows\system32\win32k.sys
2012-07-11 12:31 . 2012-07-11 22:02	--------	d-----w-	c:\users\Sven\AppData\Roaming\13001.022
2012-07-11 07:54 . 2012-07-05 11:02	95744	----a-w-	c:\windows\system32\pdfcmon.dll
2012-07-11 07:54 . 2005-04-15 18:58	1071088	----a-w-	c:\windows\SysWow64\MSCOMCTL.OCX
2012-07-11 07:54 . 2004-03-08 23:00	662288	----a-w-	c:\windows\SysWow64\MSCOMCT2.OCX
2012-07-11 07:54 . 1998-06-23 23:00	137000	----a-w-	c:\windows\SysWow64\MSMAPI32.OCX
2012-07-11 07:54 . 2012-07-11 07:55	--------	d-----w-	c:\program files (x86)\PDFCreator
2012-07-11 07:54 . 1998-07-06 16:56	125712	----a-w-	c:\windows\SysWow64\VB6DE.DLL
2012-07-11 07:54 . 1998-07-06 16:55	158208	----a-w-	c:\windows\SysWow64\MSCMCDE.DLL
2012-07-11 07:54 . 1998-07-06 16:55	64512	----a-w-	c:\windows\SysWow64\MSCC2DE.DLL
2012-07-11 07:54 . 1998-07-05 23:00	23552	----a-w-	c:\windows\SysWow64\MSMPIDE.DLL
2012-07-11 01:00 . 2010-02-23 08:16	294912	----a-w-	c:\windows\system32\browserchoice.exe
2012-07-10 12:42 . 2012-07-10 12:42	--------	d-----w-	c:\users\Sven\AppData\Roaming\13001.021
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-29 05:46 . 2012-01-07 12:08	70344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 22:12 . 2012-01-07 11:28	59701280	----a-w-	c:\windows\system32\MRT.exe
2012-06-11 11:50 . 2012-06-11 11:50	187392	----a-w-	c:\windows\system32\clinfo.exe
2012-06-11 11:50 . 2012-06-11 11:50	75264	----a-w-	c:\windows\system32\OpenVideo64.dll
2012-06-11 11:50 . 2012-06-11 11:50	65024	----a-w-	c:\windows\SysWow64\OpenVideo.dll
2012-06-11 11:50 . 2012-06-11 11:50	63488	----a-w-	c:\windows\system32\OVDecode64.dll
2012-06-11 11:50 . 2012-06-11 11:50	56320	----a-w-	c:\windows\SysWow64\OVDecode.dll
2012-06-11 11:50 . 2012-06-11 11:50	16457728	----a-w-	c:\windows\system32\amdocl64.dll
2012-06-11 11:49 . 2012-06-11 11:49	13008896	----a-w-	c:\windows\SysWow64\amdocl.dll
2012-06-11 11:48 . 2012-06-11 11:48	54784	----a-w-	c:\windows\system32\OpenCL.dll
2012-06-11 11:48 . 2012-06-11 11:48	50176	----a-w-	c:\windows\SysWow64\OpenCL.dll
2012-06-02 22:19 . 2012-06-21 05:10	38424	----a-w-	c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 05:10	2428952	----a-w-	c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 05:10	57880	----a-w-	c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 05:10	44056	----a-w-	c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 05:10	701976	----a-w-	c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 05:10	2622464	----a-w-	c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 05:10	99840	----a-w-	c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 05:09	186752	----a-w-	c:\windows\system32\wuwebv.dll
2012-06-02 13:15 . 2012-06-21 05:09	36864	----a-w-	c:\windows\system32\wuapp.exe
2012-05-31 10:25 . 2010-11-21 03:27	279656	------w-	c:\windows\system32\MpSigStub.exe
2012-05-15 04:01 . 2012-06-12 20:53	1188864	----a-w-	c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-12 20:53	64512	----a-w-	c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-12 20:53	981504	----a-w-	c:\windows\SysWow64\wininet.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KPeerNexonEU"="c:\nexon\NEXON_EU_Downloader\nxEULauncher.exe" [2012-01-07 438272]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17148552]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-04 1353080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-09 343168]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-12-09 74752]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Sven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 29720]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-16 113120]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-12-15 27760]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-10 204288]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-08 86224]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-11-10 10567680]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-11-10 325632]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]
S3 yukonw7;NDIS6.2-Miniporttreiber für Marvell Yukon-Ethernet-Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=bd644b47-58ed-4b7b-bc74-bf24ec626530&affid=110774&searchtype=hp&babsrc=lnkry_nt
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = 
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Sven\AppData\Roaming\Mozilla\Firefox\Profiles\ak3ecn9e.default\
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-08-08  18:29:44 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2012-08-08 16:29
.
Vor Suchlauf: 13 Verzeichnis(se), 231.276.748.800 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 230.872.600.576 Bytes frei
.
- - End Of File - - DA0ED50A27DE9AF8BA08DB41235464A6