Plagegeister aller Art und deren Bekämpfung (pests of all kinds and how to fight them): Bundespolizei Trojaner, Windows 7. If you are not sure whether you have picked up malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
01.09.2012, 08:30 | #1
Bundespolizei Trojaner. Hello, since yesterday my screen has been locked by a trojan that claims to be from the Bundespolizei. It displays a demand to transfer money via Ukash. The lock only appears when the computer has an internet connection; otherwise it works normally. In safe mode with networking I can even go online without the lock appearing. The first thing I did was run an OTL scan: Code:
OTL logfile created on: 01.09.2012 09:10:46 - Run 3
OTL by OldTimer - Version 3.2.58.1     Folder = C:\Users\XXX\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,79 Gb Total Physical Memory | 2,32 Gb Available Physical Memory | 61,16% Memory free
7,59 Gb Paging File | 6,15 Gb Available in Paging File | 81,06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 116,44 Gb Total Space | 21,91 Gb Free Space | 18,81% Space Free | Partition Type: NTFS
Drive D: | 329,79 Gb Total Space | 53,53 Gb Free Space | 16,23% Space Free | Partition Type: NTFS
Drive E: | 3,95 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
Drive G: | 465,76 Gb Total Space | 91,18 Gb Free Space | 19,58% Space Free | Partition Type: NTFS
Drive I: | 931,51 Gb Total Space | 189,23 Gb Free Space | 20,31% Space Free | Partition Type: NTFS

Computer Name: XXX-PC | User Name: XXX | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.08.31 19:15:28 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012.08.21 11:51:56 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\XXX\Desktop\OTL.exe

========== Modules (No Company Name) ==========

MOD - [2012.08.31 19:15:27 | 002,242,528 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011.09.27 21:04:08 | 000,359,192 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe -- (LBTServ)
SRV:64bit: - [2010.03.05 19:26:38 | 001,425,168 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV:64bit: - [2010.03.05 19:07:58 | 000,340,240 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS)
SRV:64bit: - [2010.03.05 19:06:22 | 000,831,760 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV:64bit: - [2009.09.17 20:36:34 | 000,359,552 | ---- | M] (ASUSTeK Computer Inc.) [Auto | Stopped] -- C:\Windows\SysNative\FBAgent.exe -- (AFBAgent)
SRV:64bit: - [2009.08.06 23:17:46 | 000,118,672 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost)
SRV:64bit: - [2009.07.14 03:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV - [2012.08.31 19:15:28 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.08.25 14:04:43 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012.08.15 23:38:15 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.07.13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012.04.24 12:53:32 | 000,215,688 | ---- | M] (SPAMfighter ApS) [Auto | Stopped] -- C:\Program Files (x86)\Fighters\SPAMfighter\sfus.exe -- (SPAMfighter Update Service)
SRV - [2012.03.27 00:45:44 | 000,077,520 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE -- (HssTrayService)
SRV - [2012.03.27 00:38:46 | 000,542,040 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe -- (hshld)
SRV - [2012.03.26 23:45:22 | 000,329,544 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2012.03.26 23:45:18 | 000,363,336 | ---- | M] (AnchorFree Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv)
SRV - [2012.01.23 13:40:12 | 001,324,680 | ---- | M] (SPAMfighter ApS) [Auto | Stopped] -- C:\Program Files (x86)\Fighters\FighterSuiteService.exe -- (Suite Service)
SRV - [2011.06.28 22:53:02 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.06.05 07:22:00 | 001,997,416 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011.04.28 08:34:02 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.02.18 14:01:06 | 000,462,632 | ---- | M] (Nero AG) [Auto | Stopped] -- C:\Program Files (x86)\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2009.12.15 19:39:38 | 000,096,896 | ---- | M] (ASUS) [Auto | Stopped] -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe -- (ATKGFNEXSrv)
SRV - [2009.10.01 04:34:22 | 002,314,240 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2009.10.01 04:33:08 | 000,262,144 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2009.06.16 02:30:42 | 000,084,536 | ---- | M] (ASUS) [Auto | Stopped] -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe -- (ASLDRService)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012.02.15 11:01:50 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011.09.02 08:30:24 | 000,076,056 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LEqdUsb.sys -- (LEqdUsb)
DRV:64bit: - [2011.09.02 08:30:24 | 000,066,840 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2011.09.02 08:30:24 | 000,015,128 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidEqd.sys -- (LHidEqd)
DRV:64bit: - [2011.06.28 22:53:03 | 000,123,784 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2011.06.28 22:53:03 | 000,088,288 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2011.06.05 07:22:00 | 000,025,960 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\nvpciflt.sys -- (nvpciflt)
DRV:64bit: - [2011.05.18 08:08:32 | 000,047,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)
DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.25 07:59:16 | 000,694,888 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RTL8192su.sys -- (RTL8192su)
DRV:64bit: - [2010.11.20 15:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.20 13:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.08.25 20:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010.04.16 20:45:50 | 000,039,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WDKMD.sys -- (wdkmd)
DRV:64bit: - [2010.03.18 07:21:58 | 007,680,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64)
DRV:64bit: - [2010.02.27 01:32:11 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2010.02.03 15:38:30 | 000,271,872 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2009.12.17 04:42:07 | 000,538,136 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009.10.15 11:23:19 | 000,117,760 | ---- | M] (ELAN Microelectronic Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ETD.sys -- (ETD)
DRV:64bit: - [2009.09.17 21:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009.09.04 07:39:07 | 000,062,464 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2009.08.21 08:48:17 | 000,044,032 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AmUStor.sys -- (AmUStor)
DRV:64bit: - [2009.08.20 20:41:37 | 001,800,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\snp2uvc.sys -- (SNP2UVC)
DRV:64bit: - [2009.08.06 23:17:34 | 000,013,784 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB)
DRV:64bit: - [2009.07.21 03:29:39 | 000,015,416 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\kbfiltr.sys -- (kbfiltr)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.20 04:09:57 | 001,394,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009.06.18 21:18:10 | 000,015,928 | ---- | M] (Windows (R) Win 7 DDK provider) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\lullaby.sys -- (lullaby)
DRV:64bit: - [2009.06.10 22:35:57 | 000,056,832 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SiSG664.sys -- (SiSGbeLH)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009.05.18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009.05.13 18:07:20 | 000,015,928 | ---- | M] (ASUS) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ATK64AMD.sys -- (MTsensor)
DRV:64bit: - [2008.12.08 17:35:52 | 000,061,792 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2008.05.24 02:27:28 | 000,154,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009.07.03 02:36:14 | 000,015,416 | ---- | M] (ASUS) [Kernel | Auto | Stopped] -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys -- (ASMMAP64)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=MAAU&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=MAAU&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ASUT
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1764841805-649058455-644050874-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus.msn.com
IE - HKU\S-1-5-21-1764841805-649058455-644050874-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1764841805-649058455-644050874-1001\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKU\S-1-5-21-1764841805-649058455-644050874-1001\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1764841805-649058455-644050874-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1764841805-649058455-644050874-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.useDBForOrder: ""
FF - prefs.js..keyword.URL: "hxxp://search.sweetim.com/search.asp?src=2&crg=3.1030000.103003&q="
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "hxxp://search.sweetim.com/search.asp?src=2&q="
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.08.31 19:15:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.08.23 20:13:47 | 000,000,000 | ---D | M]

[2010.10.29 18:36:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Extensions
[2012.08.30 21:58:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\rl45wb5x.default\extensions
[2012.08.30 21:58:11 | 000,000,000 | ---D | M] (FireShot) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\rl45wb5x.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2012.08.25 20:10:55 | 000,000,000 | ---D | M] (FT DeepDark) -- C:\Users\XXX\AppData\Roaming\mozilla\Firefox\Profiles\rl45wb5x.default\extensions\{77d2ed30-4cd2-11e0-b8af-0800200c9a66}
[2012.08.24 19:30:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.05.01 20:34:40 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011.09.19 08:50:01 | 000,000,000 | ---D | M] (Babylon OCR) -- C:\Program Files (x86)\mozilla firefox\extensions\ocr@babylon.com
[2012.08.24 23:57:37 | 000,169,792 | ---- | M] () (No name found) -- C:\USERS\XXX\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\RL45WB5X.DEFAULT\EXTENSIONS\{EEE6C361-6118-11DC-9C72-001320C79847}.XPI
[2012.08.31 19:15:28 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012.07.22 09:41:02 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.08.31 19:15:27 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012.07.22 09:41:02 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2012.07.22 09:41:02 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.07.22 09:41:02 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.07.22 09:41:02 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (My Personal Homepage) - {0538CF1C-8419-4800-ADBB-0C00C799FDA2} - C:\Users\XXX\AppData\Roaming\Genieo\Application\IEPlugins\bin\IEWrapper.dll ()
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3:64bit: - HKLM\..\Toolbar: (FireShot) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin64-0.98.dll File not found
O3 - HKLM\..\Toolbar: (FireShot) - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.98.dll File not found
O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKU\S-1-5-21-1764841805-649058455-644050874-1001\..\Toolbar\WebBrowser: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4:64bit: - HKLM..\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (AlcorMicro Co., Ltd.)
O4:64bit: - HKLM..\Run: [ASUS WebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe ()
O4:64bit: - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronic Corp.)
O4:64bit: - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4:64bit: - HKLM..\Run: [Logitech Download Assistant] C:\Windows\SysNative\LogiLDA.dll (Logitech, Inc.)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe (Marvell Semiconductor, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe (ASUS)
O4 - HKLM..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe (ASUS)
O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Boingo Wi-Fi] C:\Program Files (x86)\Boingo\Boingo Wi-Fi\Boingo.lnk ()
O4 - HKLM..\Run: [CommonToolkitTray] C:\Program Files (x86)\Fighters\Tray\FightersTray.exe (SPAMfighter ApS)
O4 - HKLM..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe (ASUS)
O4 - HKLM..\Run: [HPUsageTracking] C:\Program Files (x86)\Hewlett-Packard\HP UT\bin\hppusg.exe ()
O4 - HKLM..\Run: [NBAgent] C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Nero AG)
O4 - HKLM..\Run: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 File not found
O4 - HKLM..\Run: [sfagent] C:\Program Files (x86)\Fighters\SPAMfighter\sfagent.exe (SPAMfighter ApS)
O4 - HKLM..\Run: [Sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files (x86)\Cyberlink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1764841805-649058455-644050874-1001..\Run: [] C:\Users\XXX\AppData\Local\Temp\xosnacrmwe.exe ()
O4 - HKU\S-1-5-21-1764841805-649058455-644050874-1001..\Run: [GenieoSystemTray] C:\Users\XXX\AppData\Roaming\Genieo\Application\TrayUi\bin\gentray.exe ()
O4 - HKU\S-1-5-21-1764841805-649058455-644050874-1001..\Run: [GenieoUpdaterService] C:\Users\XXX\AppData\Roaming\Genieo\Application\Updater\bin\genupdater.exe ()
O4 - HKU\S-1-5-21-1764841805-649058455-644050874-1001..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKU\S-1-5-21-1764841805-649058455-644050874-1001..\Run: [smsems] C:\Users\XXX\AppData\Roaming\smsems.dll ()
O4 - HKU\S-1-5-21-1764841805-649058455-644050874-1001..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\XXX\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\XXX\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab (Java Plug-in 10.6.2)
O16 - DPF: {CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab (Java Plug-in 1.7.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_06-windows-i586.cab (Java Plug-in 1.7.0_06)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3F4AA978-173C-429A-A3E3-4BA569375A93}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004.11.18 22:59:22 | 000,000,000 | R--D | M] - E:\AutoRun -- [ UDF ]
O32 - AutoRun File - [2004.11.18 22:25:54 | 000,684,032 | R--- | M] (Electronic Arts Inc.) - E:\AutoRun.exe -- [ UDF ]
O32 - AutoRun File - [2004.11.18 22:58:27 | 000,000,103 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2004.11.14 16:08:54 | 000,929,792 | R--- | M] (Electronic Arts Inc.) - E:\AutoRunGUI.dll -- [ UDF ]
O32 - AutoRun File - [2009.12.14 11:00:22 | 000,008,192 | ---- | M] (Microsoft) - I:\AutoOff.exe -- [ NTFS ]
O32 - AutoRun File - [2010.11.02 15:29:16 | 000,000,073 | ---- | M] () - I:\Autorun.inf -- [ NTFS ]
O33 - MountPoints2\{ac64562a-c0c4-11df-a5de-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{ac64562a-c0c4-11df-a5de-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup.exe -- [2004.10.29 12:22:40 | 000,110,592 | R--- | M] (Electronic Arts Inc.)
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012.08.30 21:24:59 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\Meine Die Schlacht um Mittelerde-Dateien
[2012.08.30 21:24:19 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
[2012.08.30 21:19:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES
[2012.08.30 21:10:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\EA GAMES
[2012.08.27 08:07:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012.08.27 08:06:53 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012.08.27 08:06:39 | 000,095,208 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012.08.25 14:04:35 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\Google
[2012.08.25 13:53:58 | 000,000,000 | ---D | C] -- C:\Users\XXX\Documents\Decrypt Output
[2012.08.25 13:53:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ePUBee
[2012.08.25 13:53:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ePUBee DRM Removal
[2012.08.25 02:21:33 | 000,000,000 | ---D | C] -- C:\Windows\rescache
[2012.08.24 23:02:31 | 000,000,000 | ---D | C] -- C:\ProgramData\SweetIM
[2012.08.24 23:02:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SweetIM
[2012.08.24 21:07:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Emsisoft Anti-Malware
[2012.08.24 21:07:12 | 000,000,000 | ---D | C] -- C:\Users\XXX\Documents\Anti-Malware
[2012.08.24 20:03:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Live Add-in
[2012.08.24 19:44:27 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2012.08.24 19:41:22 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2012.08.23 20:13:47 | 000,821,736 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\npdeployJava1.dll
[2012.08.23 20:13:47 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012.08.23 20:13:47 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012.08.23 07:51:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2012.08.22 08:47:19 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\XXX\Desktop\OTL.exe
[2012.08.22 07:54:31 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\Malwarebytes
[2012.08.22 07:54:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.08.22 07:54:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.08.22 07:54:03 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012.08.22 07:54:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012.08.17 18:46:51 | 000,000,000 | ---D | C] -- C:\Users\XXX\Documents\Anvsoft
[2012.08.15 09:00:29 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2012.08.15 09:00:29 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rstrui.exe
[2012.08.15 09:00:23 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2012.08.15 09:00:23 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2012.08.15 09:00:23 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2012.08.15 09:00:22 | 000,911,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012.08.15 09:00:21 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012.08.15 09:00:21 | 000,609,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2012.08.15 09:00:19 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2012.08.15 09:00:19 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2012.08.15 09:00:19 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2012.08.15 09:00:02 | 000,735,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2012.08.15 09:00:01 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012.08.15 09:00:01 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012.08.15 09:00:01 | 000,097,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012.08.15 09:00:01 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012.08.15 09:00:00 | 000,134,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012.08.15 09:00:00 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012.08.15 08:59:53 | 000,956,928 | ---- | C]
(Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll [2012.08.13 19:54:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes [2012.08.13 19:53:22 | 000,000,000 | ---D | C] -- C:\Program Files\iPod [2012.08.13 19:53:21 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes [2012.08.13 19:53:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes [2012.08.13 19:48:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime [2012.08.06 06:02:49 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\AnvsoftPdfTools [2012.08.06 06:02:44 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PDFMate [2012.08.06 06:02:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PDFMate [2012.08.05 12:22:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Hotspot Shield [2012.08.05 12:22:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF to ePub Converter [2012.08.05 12:22:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PDF to ePub Converter [2012.08.05 12:22:18 | 000,000,000 | ---D | C] -- C:\Hotspot Shield [2012.08.05 12:22:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotspot Shield [2012.08.05 12:22:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Hotspot Shield [2012.08.03 18:24:44 | 000,000,000 | ---D | C] -- C:\Users\XXX\Documents\Calibre Bibliothek [2012.08.03 18:24:42 | 000,000,000 | ---D | C] -- C:\Users\XXX\AppData\Roaming\calibre [2012.08.03 18:24:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Calibre2 [2012.08.03 18:24:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management [2012.08.03 18:19:03 | 000,000,000 | ---D | C] -- C:\Users\XXX\Documents\My Digital Editions [2012.08.03 18:18:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe [2008.08.12 06:45:20 
| 000,155,648 | ---- | C] (ASUS) -- C:\Program Files (x86)\Common Files\MSIactionall.dll ========== Files - Modified Within 30 Days ========== [2012.09.01 09:07:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.09.01 09:07:12 | 3055,706,112 | -HS- | M] () -- C:\hiberfil.sys [2012.09.01 08:38:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.09.01 08:10:38 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.09.01 08:10:38 | 000,010,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.09.01 08:08:31 | 001,507,342 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2012.09.01 08:08:31 | 000,657,910 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2012.09.01 08:08:31 | 000,619,146 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2012.09.01 08:08:31 | 000,131,250 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2012.09.01 08:08:31 | 000,107,466 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2012.09.01 08:08:11 | 000,001,124 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.09.01 08:02:35 | 000,045,056 | ---- | M] () -- C:\Windows\SysNative\acovcnt.exe [2012.09.01 08:02:34 | 000,001,120 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.08.31 15:50:54 | 000,155,648 | ---- | M] () -- C:\Users\XXX\AppData\Roaming\smsems.dll [2012.08.30 21:19:30 | 000,002,234 | ---- | M] () -- C:\Users\Public\Desktop\Die Schlacht um Mittelerde(tm).lnk [2012.08.27 08:06:28 | 000,095,208 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll [2012.08.27 08:06:27 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npdeployJava1.dll [2012.08.27 08:06:27 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll [2012.08.27 08:06:27 | 
000,246,760 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe [2012.08.27 08:06:27 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe [2012.08.27 08:06:27 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe [2012.08.26 03:20:46 | 000,002,406 | ---- | M] () -- C:\Windows\SysNative\AutoRunFilter.ini [2012.08.25 03:21:49 | 000,002,025 | ---- | M] () -- C:\Windows\SysNative\ServiceFilter.ini [2012.08.25 03:20:04 | 000,489,344 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT [2012.08.24 20:00:04 | 000,175,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msclmd.dll [2012.08.24 20:00:04 | 000,152,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msclmd.dll [2012.08.24 07:22:39 | 000,618,227 | ---- | M] () -- C:\Users\XXX\Desktop\adwcleaner.exe [2012.08.22 07:54:05 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.21 11:51:56 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\XXX\Desktop\OTL.exe [2012.08.16 03:27:17 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\cd.dat [2012.08.15 23:38:15 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe [2012.08.15 23:38:15 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl [2012.08.13 19:54:10 | 000,001,785 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk [2012.08.13 19:48:16 | 000,001,847 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk [2012.08.11 21:42:01 | 564,213,232 | ---- | M] () -- C:\Windows\MEMORY.DMP [2012.08.06 12:58:52 | 000,065,853 | ---- | M] () -- C:\Users\XXX\ESt2011_Seipp_XXX.elfo [2012.08.05 12:22:32 | 000,001,035 | ---- | M] () -- C:\Users\XXX\Desktop\PDF to ePub Converter.lnk [2012.08.03 18:24:28 | 000,000,962 | ---- | M] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk ========== Files Created - No Company Name ========== [2012.08.31 
15:50:55 | 000,155,648 | ---- | C] () -- C:\Users\XXX\AppData\Roaming\smsems.dll [2012.08.30 21:19:30 | 000,002,234 | ---- | C] () -- C:\Users\Public\Desktop\Die Schlacht um Mittelerde(tm).lnk [2012.08.24 07:22:49 | 000,618,227 | ---- | C] () -- C:\Users\XXX\Desktop\adwcleaner.exe [2012.08.22 07:54:05 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.16 03:27:17 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat [2012.08.13 19:54:10 | 000,001,785 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk [2012.08.13 19:48:16 | 000,001,847 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk [2012.08.06 12:58:10 | 000,065,853 | ---- | C] () -- C:\Users\XXX\ESt2011_Seipp_XXX.elfo [2012.08.05 12:22:32 | 000,001,035 | ---- | C] () -- C:\Users\XXX\Desktop\PDF to ePub Converter.lnk [2012.08.03 18:24:28 | 000,000,962 | ---- | C] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk [2012.08.03 18:19:00 | 000,002,192 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Digital Editions.lnk [2011.09.19 08:53:03 | 000,032,256 | ---- | C] () -- C:\Windows\SysWow64\AVSredirect.dll [2011.09.19 08:50:07 | 000,107,520 | RHS- | C] () -- C:\Windows\SysWow64\TAKDSDecoder.dll [2011.08.25 21:10:31 | 000,066,861 | ---- | C] () -- C:\Users\XXX\ESt2010_Seipp_XXX_Jörg.elfo [2011.07.19 08:52:06 | 000,000,600 | ---- | C] () -- C:\Users\XXX\AppData\Roaming\winscp.rnd [2011.03.19 18:37:35 | 001,526,948 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2011.03.11 13:05:42 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat [2011.03.07 20:45:01 | 000,160,936 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat [2010.10.30 20:44:53 | 000,000,432 | ---- | C] () -- C:\Windows\BRWMARK.INI [2010.10.30 20:44:53 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\BD7030.DAT [2010.10.29 19:44:05 | 000,000,034 | -H-- | C] () -- C:\Windows\SysWow64\Converter_sysquict.dat [2010.10.29 19:43:55 | 
000,164,352 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll [2010.10.29 19:43:53 | 003,596,288 | ---- | C] () -- C:\Windows\SysWow64\qt-dx331.dll [2010.10.29 19:43:53 | 000,755,027 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll [2010.10.29 19:43:53 | 000,159,839 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll [2010.10.29 19:43:53 | 000,007,680 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll [2010.09.15 14:29:47 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\LogonStart.dll [2010.09.15 14:04:19 | 000,131,368 | ---- | C] () -- C:\ProgramData\FullRemove.exe [2009.04.08 19:31:56 | 000,106,496 | ---- | C] () -- C:\Program Files (x86)\Common Files\CPInstallAction.dll [2008.05.22 17:35:54 | 000,051,962 | ---- | C] () -- C:\Program Files (x86)\Common Files\banner.jpg ========== LOP Check ========== [2011.12.29 14:28:24 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Amazon [2012.08.06 06:02:49 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\AnvsoftPdfTools [2010.10.29 22:10:00 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Asus WebStorage [2010.12.25 21:21:44 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Big Fish Games [2012.08.11 10:46:07 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\BSW [2012.08.24 22:52:58 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\calibre [2012.02.18 16:36:20 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\DVDVideoSoft [2012.02.18 16:35:58 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\DVDVideoSoftIEHelpers [2012.08.06 12:43:00 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\elsterformular [2012.05.01 15:54:23 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Fighters [2012.07.02 08:24:55 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\FireShot [2011.09.20 06:31:56 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Genieo [2011.09.18 14:01:47 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\JAM Software 
[2011.11.05 09:32:16 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Leadertech [2012.08.30 21:54:24 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Meine Die Schlacht um Mittelerde-Dateien [2012.05.03 20:52:37 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Sports Interactive [2012.08.05 10:48:58 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Vyry [2012.08.04 18:29:42 | 000,000,000 | ---D | M] -- C:\Users\XXX\AppData\Roaming\Yqxoho [2011.12.15 09:27:48 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > |
01.09.2012, 14:09 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bundespolzei Trojaner Quote:
Remember that Malwarebytes has to be updated manually before every scan! Please remove all Malwarebytes findings so that they are kept in the Malwarebytes quarantine! Do NOT remove anything from the quarantine prematurely! If logs from older Malwarebytes scans exist, please post all of them as well! ESET Online Scanner
Please post everything in CODE tags where possible. It is done like this: [code] the log goes here [/code] And then it looks like this: Code:
the log goes here
__________________ |
02.09.2012, 13:25 | #3 |
| Bundespolzei Trojaner So, that is done. Here are the two log files. First, Malwarebytes
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.09.01.02

Windows 7 Service Pack 1 x64 NTFS (Abgesichertenmodus/Netzwerkfähig)
Internet Explorer 8.0.7601.17514
XXX :: XXX-PC [Administrator]

01.09.2012 18:25:06
mbam-log-2012-09-01 (18-25-06).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|F:\|G:\|I:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 561556
Laufzeit: 2 Stunde(n), 4 Minute(n), 38 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run| (Trojan.Agent) -> Daten: C:\Users\XXX\AppData\Local\Temp\xosnacrmwe.exe -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|smsems (Spyware.Password) -> Daten: rundll32.exe "C:\Users\XXX\AppData\Roaming\smsems.dll",AGetReport -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 4
C:\Users\XXX\AppData\Local\Temp\xosnacrmwe.exe (Trojan.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\XXX\AppData\Roaming\smsems.dll (Spyware.Password) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\XXX\AppData\Local\Temp\raeoxnmswc.exe (Spyware.Password) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\XXX\AppData\Local\Temp\raonmswcxe.exe (Rootkit.0Access) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
And here is the ESET result: Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=009811eb5cb9184887c975ae567df274
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-09-02 12:08:00
# local_time=2012-09-02 02:08:00 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1797 16775166 100 94 223280 83113641 299645 0
# compatibility_mode=5893 16776574 66 85 742747 98206635 0 0
# compatibility_mode=8192 67108863 100 0 394 394 0 0
# scanned=353512
# found=0
# cleaned=0
# scan_time=10916
After briefly reconnecting to the internet, the trojan I had before showed up again, see here http://www.trojaner-board.de/122630-...ngefangen.html I cannot explain it. My browsing habits have not changed. Why do trojans keep appearing now that I never had before? Should I completely reinstall the computer? |
03.09.2012, 19:13 | #4 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bundespolzei Trojaner Check whether the logs can still be seen here as text files. So that you can also see the folders, apply this FIRST!! => http://www.trojaner-board.de/59624-a...-sichtbar.html Main logs after scans (Quick, Full or Flash):
__________________ Please always post logfiles in CODE tags |
03.09.2012, 19:44 | #5 |
| Bundespolzei Trojaner That worked. So here are two 14-day-old scans: Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.03.05

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Klaus :: XXX-PC [Administrator]

22.08.2012 07:55:45
mbam-log-2012-08-22 (07-55-45).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 101381
Laufzeit: 22 Minute(n), 8 Sekunde(n) [Abgebrochen]

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.08.23.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Klaus :: XXX-PC [Administrator]

23.08.2012 20:16:53
mbam-log-2012-08-23 (20-16-53).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|G:\|I:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 583886
Laufzeit: 2 Stunde(n), 30 Minute(n), 47 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)
Code:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.09.01.02

Windows 7 Service Pack 1 x64 NTFS (Abgesichertenmodus/Netzwerkfähig)
Internet Explorer 8.0.7601.17514
Klaus :: XXX-PC [Administrator]

03.09.2012 08:46:58
mbam-log-2012-09-03 (08-46-58).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|G:\|I:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 566471
Laufzeit: 2 Stunde(n), 1 Minute(n), 53 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
C:\Users\XXX\AppData\Local\Temp\roper0dun.exe (Exploit.Drop.GS) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\XXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
|
03.09.2012, 20:51 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bundespolzei Trojaner adwCleaner - find toolbars and unwanted start/search pages. Please download AdwCleaner to your desktop.
__________________ |
03.09.2012, 22:52 | #7 |
| Bundespolzei Trojaner Here is the result: Code:
# AdwCleaner v1.801 - Logfile created 09/03/2012 at 23:44:59
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : XXX - XXX-PC
# Boot Mode : Normal
# Running from : C:\Users\XXX\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}
Folder Found : C:\Users\XXX\AppData\LocalLow\SweetIM
Folder Found : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\SweetPacksToolbarData
Folder Found : C:\ProgramData\SweetIM
Folder Found : C:\Program Files (x86)\SweetIM
File Found : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi

***** [Registry] *****

Key Found : HKCU\Software\SweetIm
Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Found : HKLM\SOFTWARE\SweetIM
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]
[x64] Key Found : HKCU\Software\SweetIm
[x64] Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
[x64] Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
[x64] Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
[x64] Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
[x64] Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
[x64] Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EEE6C35D-6118-11DC-9C72-001320C79847}]
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
[x64] Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
[x64] Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EEE6C35D-6118-11DC-9C72-001320C79847}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (de)

Profile name : default
File : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\prefs.js

Found : user_pref("keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&crg=3.1030000.103003&q=");
Found : user_pref("sweetim.toolbar.Visibility.VisibilityGuardLastUnHide", "1346484252304");
Found : user_pref("sweetim.toolbar.Visibility.enable", "true");
Found : user_pref("sweetim.toolbar.Visibility.intervaldays", "7");
Found : user_pref("sweetim.toolbar.cargo", "3.1030000.103003");
Found : user_pref("sweetim.toolbar.cda.DisableOveride.enable", "true");
Found : user_pref("sweetim.toolbar.cda.HideOveride.enable", "true");
Found : user_pref("sweetim.toolbar.cda.RemoveOveride.enable", "true");
Found : user_pref("sweetim.toolbar.cda.returnValue", "hide");
Found : user_pref("sweetim.toolbar.dialogs.0.enable", "true");
Found : user_pref("sweetim.toolbar.dialogs.0.handler", "chrome://sim_toolbar_package/content/optionsdialog-h[...]
Found : user_pref("sweetim.toolbar.dialogs.0.height", "335");
Found : user_pref("sweetim.toolbar.dialogs.0.id", "id_options_dialog");
Found : user_pref("sweetim.toolbar.dialogs.0.title", "$string.config.label;");
Found : user_pref("sweetim.toolbar.dialogs.0.url", "hxxp://www.sweetim.com/simffbar/options_remote_ff_1_6.ht[...]
Found : user_pref("sweetim.toolbar.dialogs.0.width", "761");
Found : user_pref("sweetim.toolbar.dialogs.1.enable", "true");
Found : user_pref("sweetim.toolbar.dialogs.1.handler", "chrome://sim_toolbar_package/content/exampledialog-h[...]
Found : user_pref("sweetim.toolbar.dialogs.1.height", "300");
Found : user_pref("sweetim.toolbar.dialogs.1.id", "id_example_dialog");
Found : user_pref("sweetim.toolbar.dialogs.1.title", "Example (unit-test) dialog");
Found : user_pref("sweetim.toolbar.dialogs.1.url", "chrome://sim_toolbar_package/content/exampledialog.html"[...]
Found : user_pref("sweetim.toolbar.dialogs.1.width", "500");
Found : user_pref("sweetim.toolbar.dialogs.2.enable", "true");
Found : user_pref("sweetim.toolbar.dialogs.2.handler", "chrome://sim_toolbar_package/content/cdadialog-handl[...]
Found : user_pref("sweetim.toolbar.dialogs.2.height", "150");
Found : user_pref("sweetim.toolbar.dialogs.2.id", "id_dialog_hide_disable_remove");
Found : user_pref("sweetim.toolbar.dialogs.2.title", "Option Dialog");
Found : user_pref("sweetim.toolbar.dialogs.2.url", "hxxp://www.sweetim.com/simffbar/simcdadialog.asp");
Found : user_pref("sweetim.toolbar.dialogs.2.width", "530");
Found : user_pref("sweetim.toolbar.dnscatch.domain-blacklist", ".*.sweetim.com/.*|.*.facebook.com/.*|.*.goog[...]
Found : user_pref("sweetim.toolbar.highlight.colors", "#FFFF00,#00FFE4,#5AFF00,#0087FF,#FFCC00,#FF00F0");
Found : user_pref("sweetim.toolbar.logger.ConsoleHandler.MinReportLevel", "7");
Found : user_pref("sweetim.toolbar.logger.FileHandler.FileName", "ff-toolbar.log");
Found : user_pref("sweetim.toolbar.logger.FileHandler.MaxFileSize", "200000");
Found : user_pref("sweetim.toolbar.logger.FileHandler.MinReportLevel", "7");
Found : user_pref("sweetim.toolbar.mode.debug", "false");
Found : user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&q=");
Found : user_pref("sweetim.toolbar.scripts.0.addcontextdiv", "true");
Found : user_pref("sweetim.toolbar.scripts.0.callback", "simVerification");
Found : user_pref("sweetim.toolbar.scripts.0.domain-blacklist", "");
Found : user_pref("sweetim.toolbar.scripts.0.domain-whitelist", "hxxp://(www.|apps.)?facebook\\.com.*");
Found : user_pref("sweetim.toolbar.scripts.0.elementid", "id_script_sim_fb");
Found : user_pref("sweetim.toolbar.scripts.0.enable", "true");
Found : user_pref("sweetim.toolbar.scripts.0.id", "id_script_fb");
Found : user_pref("sweetim.toolbar.scripts.0.url", "hxxp://sc.sweetim.com/apps/in/fb/infb.js");
Found : user_pref("sweetim.toolbar.scripts.1.addcontextdiv", "true");
Found : user_pref("sweetim.toolbar.scripts.1.callback", "simVerification");
Found : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Found : user_pref("sweetim.toolbar.scripts.1.domain-whitelist", "hxxps://(www.|apps.)?facebook\\.com.*");
Found : user_pref("sweetim.toolbar.scripts.1.elementid", "id_script_sim_fb");
Found : user_pref("sweetim.toolbar.scripts.1.enable", "false");
Found : user_pref("sweetim.toolbar.scripts.1.id", "id_script_fb_hxxpS");
Found : user_pref("sweetim.toolbar.scripts.1.url", "hxxps://sc.sweetim.com/apps/in/fb/infb.js");
Found : user_pref("sweetim.toolbar.scripts.2.addcontextdiv", "false");
Found : user_pref("sweetim.toolbar.scripts.2.callback", "");
Found : user_pref("sweetim.toolbar.scripts.2.domain-blacklist", ".*.google..*|.*.bing..*|.*.live..*|.*.msn..[...]
Found : user_pref("sweetim.toolbar.scripts.2.domain-whitelist", "");
Found : user_pref("sweetim.toolbar.scripts.2.elementid", "id_predict_include_script");
Found : user_pref("sweetim.toolbar.scripts.2.enable", "false");
Found : user_pref("sweetim.toolbar.scripts.2.id", "id_script_prad");
Found : user_pref("sweetim.toolbar.scripts.2.url", "hxxp://cdn1.certified-apps.com/scripts/shared/enable.js?[...]
Found : user_pref("sweetim.toolbar.search.external", "<?xml version=\"1.0\"?><TOOLBAR><EXTERNAL_SEARCH engin[...]
Found : user_pref("sweetim.toolbar.search.history.capacity", "10");
Found : user_pref("sweetim.toolbar.searchguard.enable", "false");
Found : user_pref("sweetim.toolbar.searchguard.initialized_by_rc", "true");
Found : user_pref("sweetim.toolbar.simapp_id", "{1566AB2C-56FB-4F3B-B0AF-1DE006A172AA}");
Found : user_pref("sweetim.toolbar.version", "1.6.0.3");

*************************

AdwCleaner[R1].txt - [43696 octets] - [24/08/2012 07:24:17]
AdwCleaner[S1].txt - [34065 octets] - [24/08/2012 19:30:40]
AdwCleaner[R2].txt - [10809 octets] - [03/09/2012 23:44:59]

########## EOF - C:\AdwCleaner[R2].txt - [10938 octets] ##########
|
04.09.2012, 13:35 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bundespolizei Trojan
adwCleaner - remove toolbars and unwanted start/search pages
__________________ Please always post logfiles in CODE tags |
04.09.2012, 23:14 | #9 |
| Bundespolizei Trojan
Here is the result:
Code:
# AdwCleaner v1.801 - Logfile created 09/05/2012 at 00:06:57
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : XXX - XXX-PC
# Boot Mode : Safe mode with networking
# Running from : C:\Users\XXX\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Users\XXX\AppData\Local\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}
Folder Deleted : C:\Users\XXX\AppData\LocalLow\SweetIM
Folder Deleted : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\SweetPacksToolbarData
Folder Deleted : C:\ProgramData\SweetIM
Folder Deleted : C:\Program Files (x86)\SweetIM
File Deleted : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi

***** [Registry] *****

Key Deleted : HKCU\Software\SweetIm
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Deleted : HKLM\SOFTWARE\SweetIM
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EEE6C35D-6118-11DC-9C72-001320C79847}]
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (de)

Profile name : default
File : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\prefs.js

Deleted : user_pref("keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&crg=3.1030000.103003&q=");
Deleted : user_pref("sweetim.toolbar.Visibility.VisibilityGuardLastUnHide", "1346484252304");
Deleted : user_pref("sweetim.toolbar.Visibility.enable", "true");
Deleted : user_pref("sweetim.toolbar.Visibility.intervaldays", "7");
Deleted : user_pref("sweetim.toolbar.cargo", "3.1030000.103003");
Deleted : user_pref("sweetim.toolbar.cda.DisableOveride.enable", "true");
Deleted : user_pref("sweetim.toolbar.cda.HideOveride.enable", "true");
Deleted : user_pref("sweetim.toolbar.cda.RemoveOveride.enable", "true");
Deleted : user_pref("sweetim.toolbar.cda.returnValue", "hide");
Deleted : user_pref("sweetim.toolbar.dialogs.0.enable", "true");
Deleted : user_pref("sweetim.toolbar.dialogs.0.handler", "chrome://sim_toolbar_package/content/optionsdialog-h[...]
Deleted : user_pref("sweetim.toolbar.dialogs.0.height", "335");
Deleted : user_pref("sweetim.toolbar.dialogs.0.id", "id_options_dialog");
Deleted : user_pref("sweetim.toolbar.dialogs.0.title", "$string.config.label;");
Deleted : user_pref("sweetim.toolbar.dialogs.0.url", "hxxp://www.sweetim.com/simffbar/options_remote_ff_1_6.ht[...]
Deleted : user_pref("sweetim.toolbar.dialogs.0.width", "761");
Deleted : user_pref("sweetim.toolbar.dialogs.1.enable", "true");
Deleted : user_pref("sweetim.toolbar.dialogs.1.handler", "chrome://sim_toolbar_package/content/exampledialog-h[...]
Deleted : user_pref("sweetim.toolbar.dialogs.1.height", "300");
Deleted : user_pref("sweetim.toolbar.dialogs.1.id", "id_example_dialog");
Deleted : user_pref("sweetim.toolbar.dialogs.1.title", "Example (unit-test) dialog");
Deleted : user_pref("sweetim.toolbar.dialogs.1.url", "chrome://sim_toolbar_package/content/exampledialog.html"[...]
Deleted : user_pref("sweetim.toolbar.dialogs.1.width", "500");
Deleted : user_pref("sweetim.toolbar.dialogs.2.enable", "true");
Deleted : user_pref("sweetim.toolbar.dialogs.2.handler", "chrome://sim_toolbar_package/content/cdadialog-handl[...]
Deleted : user_pref("sweetim.toolbar.dialogs.2.height", "150");
Deleted : user_pref("sweetim.toolbar.dialogs.2.id", "id_dialog_hide_disable_remove");
Deleted : user_pref("sweetim.toolbar.dialogs.2.title", "Option Dialog");
Deleted : user_pref("sweetim.toolbar.dialogs.2.url", "hxxp://www.sweetim.com/simffbar/simcdadialog.asp");
Deleted : user_pref("sweetim.toolbar.dialogs.2.width", "530");
Deleted : user_pref("sweetim.toolbar.dnscatch.domain-blacklist", ".*.sweetim.com/.*|.*.facebook.com/.*|.*.goog[...]
Deleted : user_pref("sweetim.toolbar.highlight.colors", "#FFFF00,#00FFE4,#5AFF00,#0087FF,#FFCC00,#FF00F0");
Deleted : user_pref("sweetim.toolbar.logger.ConsoleHandler.MinReportLevel", "7");
Deleted : user_pref("sweetim.toolbar.logger.FileHandler.FileName", "ff-toolbar.log");
Deleted : user_pref("sweetim.toolbar.logger.FileHandler.MaxFileSize", "200000");
Deleted : user_pref("sweetim.toolbar.logger.FileHandler.MinReportLevel", "7");
Deleted : user_pref("sweetim.toolbar.mode.debug", "false");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&q=");
Deleted : user_pref("sweetim.toolbar.scripts.0.addcontextdiv", "true");
Deleted : user_pref("sweetim.toolbar.scripts.0.callback", "simVerification");
Deleted : user_pref("sweetim.toolbar.scripts.0.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.scripts.0.domain-whitelist", "hxxp://(www.|apps.)?facebook\\.com.*");
Deleted : user_pref("sweetim.toolbar.scripts.0.elementid", "id_script_sim_fb");
Deleted : user_pref("sweetim.toolbar.scripts.0.enable", "true");
Deleted : user_pref("sweetim.toolbar.scripts.0.id", "id_script_fb");
Deleted : user_pref("sweetim.toolbar.scripts.0.url", "hxxp://sc.sweetim.com/apps/in/fb/infb.js");
Deleted : user_pref("sweetim.toolbar.scripts.1.addcontextdiv", "true");
Deleted : user_pref("sweetim.toolbar.scripts.1.callback", "simVerification");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-whitelist", "hxxps://(www.|apps.)?facebook\\.com.*");
Deleted : user_pref("sweetim.toolbar.scripts.1.elementid", "id_script_sim_fb");
Deleted : user_pref("sweetim.toolbar.scripts.1.enable", "false");
Deleted : user_pref("sweetim.toolbar.scripts.1.id", "id_script_fb_hxxpS");
Deleted : user_pref("sweetim.toolbar.scripts.1.url", "hxxps://sc.sweetim.com/apps/in/fb/infb.js");
Deleted : user_pref("sweetim.toolbar.scripts.2.addcontextdiv", "false");
Deleted : user_pref("sweetim.toolbar.scripts.2.callback", "");
Deleted : user_pref("sweetim.toolbar.scripts.2.domain-blacklist", ".*.google..*|.*.bing..*|.*.live..*|.*.msn..[...]
Deleted : user_pref("sweetim.toolbar.scripts.2.domain-whitelist", "");
Deleted : user_pref("sweetim.toolbar.scripts.2.elementid", "id_predict_include_script");
Deleted : user_pref("sweetim.toolbar.scripts.2.enable", "false");
Deleted : user_pref("sweetim.toolbar.scripts.2.id", "id_script_prad");
Deleted : user_pref("sweetim.toolbar.scripts.2.url", "hxxp://cdn1.certified-apps.com/scripts/shared/enable.js?[...]
Deleted : user_pref("sweetim.toolbar.search.external", "<?xml version=\"1.0\"?><TOOLBAR><EXTERNAL_SEARCH engin[...]
Deleted : user_pref("sweetim.toolbar.search.history.capacity", "10");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "false");
Deleted : user_pref("sweetim.toolbar.searchguard.initialized_by_rc", "true");
Deleted : user_pref("sweetim.toolbar.simapp_id", "{1566AB2C-56FB-4F3B-B0AF-1DE006A172AA}");
Deleted : user_pref("sweetim.toolbar.version", "1.6.0.3");

*************************

AdwCleaner[R1].txt - [43696 octets] - [24/08/2012 07:24:17]
AdwCleaner[S1].txt - [34065 octets] - [24/08/2012 19:30:40]
AdwCleaner[R2].txt - [10904 octets] - [03/09/2012 23:44:59]
AdwCleaner[S2].txt - [9734 octets] - [05/09/2012 00:06:57]

########## EOF - C:\AdwCleaner[S2].txt - [9862 octets] ########## |
05.09.2012, 14:12 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bundespolizei Trojan
Why did you use the old version of adwCleaner? I had specifically given a download link for it! Please download adwCleaner again!
adwCleaner - detect toolbars and unwanted start/search pages
Please download AdwCleaner to your desktop.
05.09.2012, 20:40 | #11 |
| Bundespolizei Trojan
Sorry, I had misunderstood that. So here is the file from the new download of the cleaner:
Code:
# AdwCleaner v2.000 - Datei am 09/05/2012 um 21:37:30 erstellt
# Aktualisiert am 30/08/2012 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : XXX - XXX-PC
# Normaler Modus : Abgesicherter Modus mit Netzwerkunterstützung
# Ausgeführt unter : C:\Users\XXX\Desktop\adwcleaner.exe
# Option [Suche]

**** [Dienste] ****

***** [Dateien / Ordner] *****

***** [Registrierungsdatenbank] *****

Schlüssel Gefunden : HKLM\SOFTWARE\Classes\AppID\{B16632F1-24E0-4D99-A68D-70BFB6447C48}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\AppID\{C0CEA572-2978-4DFC-A672-8100FF0E276A}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\AppID\BabylonIEPI.DLL
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\AppID\BabylonTC.EXE
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\BabylonIEPI.BabylonIEBho
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\BabylonIEPI.BabylonIEBho.1
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin.1
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\BabylonTC.GingerApplication
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\BabylonTC.GingerApplication.1
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{0C2E529C-A82C-4AC6-8807-0B51F7AD7BB2}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}
Schlüssel Gefunden : HKLM\Software\ilivid
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Schlüssel Gefunden : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}

***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v15.0 (de)

Profilname : default
Datei : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\prefs.js

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [43696 octets] - [24/08/2012 07:24:17]
AdwCleaner[S1].txt - [34065 octets] - [24/08/2012 19:30:40]
AdwCleaner[R2].txt - [10904 octets] - [03/09/2012 23:44:59]
AdwCleaner[S2].txt - [9857 octets] - [05/09/2012 00:06:57]
AdwCleaner[R3].txt - [2435 octets] - [05/09/2012 21:37:30]

########## EOF - C:\AdwCleaner[R3].txt - [2495 octets] ########## |
06.09.2012, 13:54 | #12 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bundespolizei Trojan
adwCleaner - remove toolbars and unwanted start/search pages
06.09.2012, 20:23 | #13 |
| Bundespolizei Trojan
Here is the log file:
Code:
# AdwCleaner v2.000 - Datei am 09/06/2012 um 21:18:09 erstellt
# Aktualisiert am 30/08/2012 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : XXX - XXX-PC
# Normaler Modus : Abgesicherter Modus mit Netzwerkunterstützung
# Ausgeführt unter : C:\Users\XXX\Desktop\adwcleaner.exe
# Option [Löschen]

**** [Dienste] ****

***** [Dateien / Ordner] *****

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{B16632F1-24E0-4D99-A68D-70BFB6447C48}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\{C0CEA572-2978-4DFC-A672-8100FF0E276A}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\BabylonIEPI.DLL
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\AppID\BabylonTC.EXE
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\BabylonIEPI.BabylonIEBho
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\BabylonIEPI.BabylonIEBho.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\BabylonOfficeAddin.OfficeAddin.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\BabylonTC.GingerApplication
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\BabylonTC.GingerApplication.1
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{0C2E529C-A82C-4AC6-8807-0B51F7AD7BB2}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{A1489C85-4F6F-48C4-AC9E-18B63AF4703E}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{F310F027-15CB-4A7F-B10D-3A4AFB5013A5}
Schlüssel Gelöscht : HKLM\Software\ilivid
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Schlüssel Gelöscht : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}
Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\Interface\{5F339F0B-716F-408F-A627-DEEB5DEB4020}

***** [Internet Browser] *****

-\\ Internet Explorer v8.0.7601.17514

Wiederhergestellt : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Wiederhergestellt : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (de)

Profilname : default
Datei : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\prefs.js

[OK] Die Datei ist sauber.

*************************

AdwCleaner[R1].txt - [43696 octets] - [24/08/2012 07:24:17]
AdwCleaner[S1].txt - [34065 octets] - [24/08/2012 19:30:40]
AdwCleaner[R2].txt - [10904 octets] - [03/09/2012 23:44:59]
AdwCleaner[S2].txt - [9857 octets] - [05/09/2012 00:06:57]
AdwCleaner[R3].txt - [2562 octets] - [05/09/2012 21:37:30]
AdwCleaner[S3].txt - [2954 octets] - [06/09/2012 21:18:09]

########## EOF - C:\AdwCleaner[S3].txt - [3014 octets] ########## |
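Reading posted AdwCleaner logs by hand gets tedious once several scan ([R]) and delete ([S]) reports pile up, as they do in this thread. The following parser is an added example written for this page; it is not code from the thread, from the forum helpers, or from AdwCleaner's author. It assumes only the label vocabulary visible in the two logs above (English labels in the v1.801 log, German ones in the v2.000 log) and turns each entry into a record so you can count what was found versus deleted, collect the COM GUIDs that tie the Firefox extension, BHO and CLSID entries together, and pull out the entries that sit under Windows and browser load points (Run key, Browser Helper Objects, URLSearchHooks), which are the ones worth re-checking after a reboot. The sample log is assembled from lines that appear in this thread's reports.

```python
"""Parse AdwCleaner [R]/[S] log entries into records and summarise them.

Added example for this thread; not AdwCleaner's own code. Label words are
taken from the v1.801 (English) and v2.000 (German) logs posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Label vocabulary of the two AdwCleaner versions seen in this thread.
KIND_WORDS = {"folder": "folder", "ordner": "folder", "file": "file", "datei": "file",
              "key": "key", "schlüssel": "key", "value": "value", "wert": "value"}
ACTION_WORDS = {"found": "found", "gefunden": "found",
                "deleted": "deleted", "gelöscht": "deleted"}

ITEM_RE = re.compile(r"^(?:\[(?P<arch>x64)\]\s+)?(?P<kind>\S+)\s+(?P<action>\S+)\s+:\s+(?P<target>.+?)\s*$")
PREF_RE = re.compile(r'^(?P<action>\S+)\s+:\s+user_pref\("(?P<name>[^"]+)",\s*"(?P<value>.*?)"?\)?;?\s*$')
RESTORED_RE = re.compile(r"^(?:Restored|Wiederhergestellt)\s+:\s+\[(?P<target>.+)\]\s*$")
VALUE_NAME_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<name>[^\]]*)\]$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Load points under which the thread's toolbar entries sat (lower-cased for matching).
AUTOSTART_MARKERS = (r"\currentversion\run", r"\browser helper objects", r"\urlsearchhooks")


@dataclass
class Hit:
    kind: str          # folder, file, key, value, pref, restored
    action: str        # found, deleted, restored
    target: str        # path, registry key, or user_pref value
    name: str = ""     # registry value name or user_pref name, if any
    x64: bool = False  # entry came from the 64-bit registry view
    guids: list = field(default_factory=list)


def parse_line(line):
    """Return a Hit for an entry line, or None for headers and separators."""
    line = line.rstrip("\r\n")
    guids = [g.upper() for g in GUID_RE.findall(line)]
    m = RESTORED_RE.match(line)
    if m:
        return Hit("restored", "restored", m.group("target"), guids=guids)
    m = PREF_RE.match(line)
    if m and m.group("action").lower() in ACTION_WORDS:
        return Hit("pref", ACTION_WORDS[m.group("action").lower()], m.group("value"),
                   name=m.group("name"), guids=guids)
    m = ITEM_RE.match(line)
    if not m:
        return None
    kind, action = m.group("kind").lower(), m.group("action").lower()
    if kind not in KIND_WORDS or action not in ACTION_WORDS:
        return None  # e.g. "# User : XXX - XXX-PC" has the colon but no entry label
    target, name = m.group("target"), ""
    if KIND_WORDS[kind] == "value":
        v = VALUE_NAME_RE.match(target)  # "...\Run [Sweetpacks Communicator]"
        if v:
            target, name = v.group("path"), v.group("name")
    return Hit(KIND_WORDS[kind], ACTION_WORDS[action], target, name=name,
               x64=bool(m.group("arch")), guids=guids)


def parse_log(text):
    return [h for h in (parse_line(l) for l in text.splitlines()) if h]


def summarize(hits):
    """Count entries per (kind, action), e.g. {('key', 'deleted'): 3}."""
    return Counter((h.kind, h.action) for h in hits)


def unique_guids(hits):
    return sorted({g for h in hits for g in h.guids})


def autostart_hits(hits):
    """Entries under load points that re-launch or re-inject a toolbar."""
    return [h for h in hits if any(mk in h.target.lower() for mk in AUTOSTART_MARKERS)]


# Sample assembled from lines in this thread's logs (both label languages).
SAMPLE_LOG = r"""# AdwCleaner v1.801 - Logfile created 09/05/2012 at 00:06:57
# User : XXX - XXX-PC
# Option [Delete]

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\SweetIM
File Deleted : C:\Users\XXX\AppData\Roaming\Mozilla\Firefox\Profiles\rl45wb5x.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Schlüssel Gefunden : HKLM\SOFTWARE\Classes\TypeLib\{0C2E529C-A82C-4AC6-8807-0B51F7AD7BB2}

-\\ Mozilla Firefox v15.0 (de)

Profile name : default
Deleted : user_pref("keyword.URL", "hxxp://search.sweetim.com/search.asp?src=2&crg=3.1030000.103003&q=");
Found : user_pref("sweetim.toolbar.search.external", "<?xml version=\"1.0\"?><TOOLBAR><EXTERNAL_SEARCH engin[...]
Wiederhergestellt : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
"""

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for (kind, action), n in sorted(summarize(hits).items()):
        print(f"{kind:9}{action:9}{n}")
    print("GUIDs:", ", ".join(unique_guids(hits)))
    for h in autostart_hits(hits):
        print("load point:", h.target, h.name)
```

Run it over a saved `AdwCleaner[S2].txt` by replacing `SAMPLE_LOG` with the file's contents; the header, separator and browser-version lines are rejected by the label check rather than by position, so the same parser reads both the English and the German report layout. A report whose delete pass lists fewer entries than its preceding scan pass, or whose load-point entries reappear in a later scan, is the signal the helper is looking for when asking whether normal mode works again.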
07.09.2012, 08:11 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Bundespolizei Trojan
I have two questions before we continue:
1.) Does Windows normal mode work (again) without restrictions?
2.) Are you missing anything in the Start menu? Are there empty folders under All Programs, or is everything there?
07.09.2012, 19:21 | #15 |
| Bundespolizei Trojan
Re 1.) I can get online in normal mode again. I can't detect any other impairments either.
Re 2.) I can't see that anything is missing.
So far, so good, then. On the other hand, I thought the same thing after the first attempt to get rid of the Trojan. |