Probleme durch 'Bundesministerium'-Trojaner - OTL startet nicht (abges. Modus)

sandsonne · 13.12.2012, 14:24

Verehrte Forengemeinde,

es ist mein Netbook offenbar mit einem Virus oder Trojaner infiziert worden:

Es erscheint eine Seite des Bundesministerium mit Inhalten wegen urheberrechtlichen Angelegenheiten. Ausschalten und Neustart des Systems bringt dann eine weiße blanke Seite.

Ich kann zwar im abgesicherten Modus starten aber die hier im Forum empfohlene Anwendung OTL startet nur das erste Fenster. Nach klick auf Scan tut sich nichts.

Damit kann ich hier keinen Logfile posten.

Aktuell lasse ich gerade Spybot durchlaufen habe aber Zweifel ob dieses Programm hier wirklich hilfreich ist.

Ist meine Hoffnung hier auf Hilfe zu hoffen berechtigt?

Ich danke allen Lesern für die genommene Zeit und allen Tippgeber oder Helfern aurichtig für jeden Hinweis.

ryder · 13.12.2012, 14:32

Ich werde dir bei deinem Problem helfen. Eine Bereinigung ist mitunter mit viel Arbeit für Dich (und mich) verbunden. Bevor es los geht, habe ich etwas Lesestoff für dich.

Zitat:

Lesestoff:
Regeln für die Bereinigung
Damit die Bereinigung funktioniert bitte ich dich, die folgenden Punkte aufmerksam zu lesen:
Bitte arbeite alle Schritte der Reihe nach ab. Gib mir bitte zu jedem Schritt Rückmeldung (Logfile oder Antwort) und zwar gesammelt, wenn du alles erledigt hast.

Nur Scanns durchführen zu denen Du aufgefordert wirst.

Bitte kein Crossposting (posten in mehreren Foren).

Installiere oder Deinstalliere während der Bereinigung keine Software, ausser Du wurdest dazu aufgefordert.

Lese Dir die Anleitung zuerst vollständig durch. Sollte etwas unklar sein, frage bevor Du beginnst.

Poste die Logfiles direkt in deinen Thread (möglichst in Code-Tags - #-Symbol im Editor). Nicht anhängen ausser ich fordere Dich dazu auf, oder das Logfile wäre zu gross. Erschwert mir nämlich das Auswerten.

Mache deinen Namen nur dann unkenntlich, wenn es unbedingt sein muss.

Beim ersten Anzeichen illegal genutzer Software (Cracks, Patches und Co) wird der Support ohne Diskussion eingestellt.

Sollte ich nicht nach 3 Tagen geantwortet haben, dann (und nur dann) schicke mir bitte eine PM.

Ich werde dir ganz deutlich mitteilen, dass du "sauber" bist. Bis dahin arbeite bitte gut mit.

Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der schnellere und immer der sicherste Weg.

Wenn du das alles gelesen und verstanden hast, kannst du loslegen!

Gelesen und verstanden?

Schritt 1:
Deinstalliere Spybot!

Schritt 2:
Scan mit Combofix

Zitat:

WARNUNG:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link
WICHTIG: Speichere Combofix auf deinem Desktop

Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Combofix wird überprüfen, ob die Microsoft Windows Wiederherstellungskonsole installiert ist.
Ist diese nicht installiert, erlaube Combofix diese herunter zu laden und zu installieren. Folge dazu einfach den Anweisungen und aktzeptiere die Endbenutzer-Lizenz.
Bei heutiger Malware ist dies sehr empfehlenswert, da diese uns eine Möglichkeit bietet, dein System zu reparieren, falls etwas schief geht.
Bestätige die Information, dass die Wiederherstellungskonsole installiert wurde mit Ja.
Hinweis: Ist diese bereits installiert, wird Combofix mit der Malwareentfernung fortfahren.

Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!

Wenn Combofix fertig ist, wird es eine Logfile erstellen.

Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

ryder · 15.12.2012, 16:14

Fehlende Rückmeldung
Dieses Thema wurde aus den Abos gelöscht. Somit bekomm ich keine Benachrichtigung über neue Antworten.
PM an mich falls Du denoch weiter machen willst.

Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner schon sauber ist.

Jeder andere bitte hier klicken und einen eigenen Thread erstellen

sandsonne · 21.12.2012, 15:53

Frohe Weihnachten, ryder,

Hier nun also das log und: Mein Dank:

1. ABFRAGE WIEDERHERSTELLUNGSKONSOLE - ZUGELASSEN.

MELDUNG:
DU SCHEINST NICHT MIT DEM INTERNET VERBUNDEN ZU SEIN....

INTERNETVERBINDUNG HERSTELLEN BEVOR DU AUF OK KLICKST.

ANMERKUNG
DEFINITIV: FALSCH. INTERNETVERBINDUNG VORHANDEN - ÜBERTRAGUNGSSTÄRKE: HERVORRAGEND

2. HERUNTERLADEN DER BENÖTIGTEN DATEIEN FEHLGESCHLAGEN. BRECHE AB ... WERDE MIT DEM SUCHLAUF NACH MALEWARE FORTFAHREN.

OK
> OK GEKLICKT

3.Combofix Logfile:

Code:

ATTFilter

ComboFix 12-12-20.02 - Daniel 12/21/2012  15:29:18.1.2 - x86
ausgeführt von:: E:\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt
.
Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Daniel\Application Data\convert\convert.exe
c:\documents and settings\Stef\Application Data\Raqab
c:\documents and settings\Stef\Application Data\Raqab\emin.zog
c:\documents and settings\Stef\Application Data\Utipi
c:\documents and settings\Stef\Application Data\Utipi\zyqi.etn
c:\documents and settings\Stef\Application Data\Utipi\zyqi.tmp
c:\windows\system32\SET25E.tmp
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-11-21 bis 2012-12-21  ))))))))))))))))))))))))))))))
.
.
2012-12-21 14:19 . 2012-12-21 14:38	--------	d-----w-	c:\windows\LastGood
2012-12-13 15:32 . 2012-12-13 15:32	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Mozilla
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Application Data\AVG2013
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Bluetooth Software
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Avg2013
2012-12-13 15:19 . 2012-12-13 15:19	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Scansoft
2012-12-13 14:39 . 2012-12-13 14:39	--------	d-----w-	c:\documents and settings\Administrator\Application Data\AVG2013
2012-12-13 14:29 . 2012-12-13 14:29	--------	d-----w-	c:\documents and settings\Administrator\Application Data\TuneUp Software
2012-12-13 14:23 . 2012-12-13 14:23	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\MFAData
2012-12-13 14:23 . 2012-12-13 14:23	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Avg2013
2012-11-30 15:20 . 2012-11-30 15:22	--------	d-----w-	c:\documents and settings\Stef\Application Data\PhotoScape
2012-11-28 18:49 . 2012-11-28 18:56	--------	d-----w-	c:\documents and settings\Daniel\Application Data\PhotoScape
2012-11-28 18:39 . 2012-11-28 18:40	--------	d-----w-	c:\program files\PhotoScape
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\documents and settings\Daniel\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\program files\Adobe Download Assistant
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2012-11-28 18:25 . 2012-12-21 14:43	--------	d-----w-	c:\documents and settings\Daniel\Application Data\convert
2012-11-28 18:24 . 2012-11-28 18:25	--------	d-----w-	c:\documents and settings\Daniel\Application Data\loadtbs
2012-11-28 18:24 . 2012-11-28 18:24	--------	d-----w-	c:\program files\WEB.DE MailCheck
2012-11-28 18:18 . 2012-11-28 18:19	--------	d-----w-	c:\program files\Protected Search
2012-11-28 18:18 . 2012-08-30 02:01	15432	----a-w-	c:\windows\Launcher.exe
2012-11-28 18:14 . 2012-11-28 18:19	--------	d-----w-	c:\documents and settings\Daniel\Local Settings\Application Data\DownTango
2012-11-28 18:13 . 2012-11-28 18:13	--------	d-----w-	c:\program files\Red Sky
2012-11-27 17:30 . 2012-11-27 17:30	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{E648CD4D-3307-4213-89B2-9C0E20C77202}
2012-11-27 17:07 . 2012-11-27 17:07	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}
2012-11-27 17:05 . 2012-11-27 17:10	--------	d-----w-	c:\program files\Common Files\Native Instruments
2012-11-27 17:01 . 2012-11-27 17:01	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{C78336EC-F2EB-4640-99A4-DFE96581B90B}
2012-11-27 16:59 . 2012-11-27 17:09	--------	d-----w-	c:\program files\Native Instruments
2012-11-27 16:59 . 2012-11-27 17:09	--------	d-----w-	c:\documents and settings\All Users\Application Data\Native Instruments
2012-11-26 22:28 . 2012-12-21 14:26	--------	d-----w-	c:\documents and settings\Daniel\Application Data\vlc
2012-11-26 18:32 . 2007-01-26 00:00	4352	----a-w-	c:\windows\system32\drivers\avmeject.sys
2012-11-26 18:30 . 2007-01-26 00:00	74752	----a-w-	c:\windows\system32\fwlanci.dll
2012-11-26 18:30 . 2012-11-26 18:30	--------	d-----w-	c:\documents and settings\Daniel\AVM_Driver
2012-11-26 17:41 . 2012-11-26 18:12	--------	d-----w-	c:\program files\Common Files\DVDVideoSoft
2012-11-26 17:41 . 2012-11-26 18:11	--------	d-----w-	c:\program files\DVDVideoSoft
2012-11-26 17:40 . 2012-11-26 20:35	--------	d-----w-	c:\documents and settings\Daniel\Application Data\DVDVideoSoft
2012-11-25 11:42 . 2012-11-25 11:42	--------	d-----w-	c:\documents and settings\Daniel\Local Settings\Application Data\MFAData
2012-11-25 11:34 . 2012-11-25 11:34	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2012-11-25 11:30 . 2012-11-25 11:30	--------	d-----w-	c:\windows\system32\drivers\NSS
2012-11-25 11:30 . 2012-11-25 11:30	--------	d-----w-	c:\program files\Norton Security Scan
2012-11-25 11:30 . 2012-11-25 11:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Norton
2012-11-25 11:29 . 2012-11-25 11:29	--------	d-----w-	c:\program files\NortonInstaller
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-13 16:01 . 2012-08-08 18:49	697272	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-12-13 16:01 . 2012-08-08 18:49	73656	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2009-05-13 22:57	1866368	----a-w-	c:\windows\system32\win32k.sys
2012-11-08 16:37 . 2012-10-06 15:19	26984	----a-w-	c:\windows\system32\drivers\avgtpx86.sys
2012-11-06 00:41 . 2009-05-13 22:57	290560	------w-	c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2009-05-13 22:57	375296	----a-w-	c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2009-05-13 22:57	916992	----a-w-	c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2009-05-13 22:57	43520	------w-	c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2009-05-13 22:57	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2009-05-13 22:57	385024	------w-	c:\windows\system32\html.iec
2012-10-02 18:04 . 2009-05-13 22:57	58368	----a-w-	c:\windows\system32\synceng.dll
2012-12-06 23:53 . 2012-12-06 23:52	262112	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [BU]
"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]
.
[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-13 550912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-03 298664]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [BU]
"AVMWlanClient"="c:\program files\avmwlanstick\FRITZWLANMini.exe" [2007-02-02 283136]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-02 296096]
"YouCam Service"="c:\program files\CyberLink\YouCam\YouCamService.exe" [2012-03-23 255208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [x]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [x]
R3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\DRIVERS\fwlanusb.sys [x]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]
S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [x]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [x]
S2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\Drivers\VMC326.sys [x]
S3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\wowfilter.sys [x]
S4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]
S4 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]
S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*Deregistered* - Avgldx86
*Deregistered* - Avglogx
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs	REG_MULTI_SZ   	yksvc
.
Inhalt des "geplante Tasks" Ordners
.
2012-12-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 16:01]
.
2012-12-02 c:\windows\Tasks\Norton Security Scan for Daniel.job
- c:\progra~1\NORTON~2\Engine\372~1.5\Nss.exe [2012-11-25 09:45]
.
2012-12-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2859748474-667080921-3980430596-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]
.
2012-12-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2859748474-667080921-3980430596-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937
uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
mStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937
mSearch Bar = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Free YouTube to MP3 Converter - c:\documents and settings\Daniel\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\
FF - prefs.js: browser.search.selectedEngine - WEB.DE Suche
FF - prefs.js: browser.startup.homepage - hxxp://go.web.de/tb/mff_startpage
FF - prefs.js: keyword.URL - hxxp://go.web.de/tb/mff_keyurl_search/?su=
FF - ExtSQL: 2012-10-24 20:26; crossriderapp5060@crossrider.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com
FF - ExtSQL: 2012-11-26 18:43; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi
FF - ExtSQL: 2012-11-28 19:25; sparpilot@sparpilot.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\sparpilot@sparpilot.com
FF - ExtSQL: 2012-11-28 19:25; software@loadtubes.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com
FF - ExtSQL: 2012-11-28 19:26; toolbar@web.de; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\toolbar@web.de.xpi
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-12-21 15:44
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteinträge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'winlogon.exe'(1588)
c:\windows\system32\igfxdev.dll
.
Zeit der Fertigstellung: 2012-12-21  15:48:34
ComboFix-quarantined-files.txt  2012-12-21 14:48
ComboFix2.txt  2012-12-13 15:11
.
Vor Suchlauf: 54,336,827,392 bytes free
Nach Suchlauf: 55,480,283,136 bytes free
.
- - End Of File - - 38BBA229FCBB6DBBD932A9D106DAD2E8

--- --- ---

ryder · 21.12.2012, 15:55

Dann haben wir eine Alternative:

Gehe auf die Mircosoft Seite => http://support.microsoft.com/?scid=kb%3Bde%3B310994&x=21&y=12

Wähle den Download, der für dein Betriebssystem bestimmt ist:
Hinweis: Für WinXP Sp3 wähle die Sp2 Version.

Lade die Datei herunter und speichere diese mit dem original Namen, neben ComboFix.exe ab.

Nun schließe alle offenen Programme und Fenster, inklusive der Antiviren und Antimalware Programme. Dies ist notwendig, damit kein Program den Suchlauf von ComboFix behindert.

Ziehe die Setupdatei auf ComboFix.exe und lasse es los.
Folge den Aufforderungen um ComboFix zu starten und wenn Du dazu aufgefordert wirst, stimme den Nutzungsbedingungen zu um die Wiederherstellungskonsole zu installieren.
Bei der nächsten Eingabeaufforderung, klicke auf "Yes" um den vollständigen Suchlauf von ComboFix zu starten.
Bitte poste mir den Inhalt von C:\ComboFix.txt hier in de Thread.

sandsonne · 21.12.2012, 17:31

ryder,

nun folgende Meldung:

ComboFix hat festgestellt ....

antivirus: Avira Desktop
Antivirus: avast! Antivirus

Ich: Alles abgesucht:

START > Programme
systemsteuerung > Programme > installieren/deinstalliere
START > Suche

nix, nirgendwo eines der angemahnten Programme zu finden.

Taskleiste: negativ
Desktop: negativ

und nun???

Den step, das SP auf dem Desktop abzugespeichert und in den Katzenicon zu ziehen haben ich absolviert.

mensch, Trojaner aufs netbook, Hackerattacken, Weihnachtsstress und nun soll ich auch noch die Hilfsbereitschaft eines Fremden kurz vor Weihnachten über Gebühr strapazieren....

Tut mir leid.

CF fragt mich nun auf eigene verantwortung weiterzu machen. Mache ich nun. Auf eigene Verantwortung.

LOG folgt also.

Combofix Logfile:

Code:

ATTFilter

ComboFix 12-12-20.02 - Daniel 12/21/2012  17:38:25.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.49.1033.18.1014.528 [GMT 1:00]
ausgeführt von:: c:\documents and settings\Daniel\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\documents and settings\Daniel\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-11-21 bis 2012-12-21  ))))))))))))))))))))))))))))))
.
.
2012-12-13 15:32 . 2012-12-13 15:32	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Mozilla
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Application Data\AVG2013
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Bluetooth Software
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Avg2013
2012-12-13 15:19 . 2012-12-13 15:19	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Scansoft
2012-12-13 14:39 . 2012-12-13 14:39	--------	d-----w-	c:\documents and settings\Administrator\Application Data\AVG2013
2012-12-13 14:29 . 2012-12-13 14:29	--------	d-----w-	c:\documents and settings\Administrator\Application Data\TuneUp Software
2012-12-13 14:23 . 2012-12-13 14:23	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\MFAData
2012-12-13 14:23 . 2012-12-13 14:23	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Avg2013
2012-11-30 15:20 . 2012-11-30 15:22	--------	d-----w-	c:\documents and settings\Stef\Application Data\PhotoScape
2012-11-28 18:49 . 2012-11-28 18:56	--------	d-----w-	c:\documents and settings\Daniel\Application Data\PhotoScape
2012-11-28 18:39 . 2012-11-28 18:40	--------	d-----w-	c:\program files\PhotoScape
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\documents and settings\Daniel\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\program files\Adobe Download Assistant
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2012-11-28 18:25 . 2012-12-21 14:43	--------	d-----w-	c:\documents and settings\Daniel\Application Data\convert
2012-11-28 18:24 . 2012-11-28 18:25	--------	d-----w-	c:\documents and settings\Daniel\Application Data\loadtbs
2012-11-28 18:24 . 2012-11-28 18:24	--------	d-----w-	c:\program files\WEB.DE MailCheck
2012-11-28 18:18 . 2012-11-28 18:19	--------	d-----w-	c:\program files\Protected Search
2012-11-28 18:18 . 2012-08-30 02:01	15432	----a-w-	c:\windows\Launcher.exe
2012-11-28 18:14 . 2012-11-28 18:19	--------	d-----w-	c:\documents and settings\Daniel\Local Settings\Application Data\DownTango
2012-11-28 18:13 . 2012-11-28 18:13	--------	d-----w-	c:\program files\Red Sky
2012-11-27 17:30 . 2012-11-27 17:30	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{E648CD4D-3307-4213-89B2-9C0E20C77202}
2012-11-27 17:07 . 2012-11-27 17:07	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}
2012-11-27 17:05 . 2012-11-27 17:10	--------	d-----w-	c:\program files\Common Files\Native Instruments
2012-11-27 17:01 . 2012-11-27 17:01	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{C78336EC-F2EB-4640-99A4-DFE96581B90B}
2012-11-27 16:59 . 2012-11-27 17:09	--------	d-----w-	c:\program files\Native Instruments
2012-11-27 16:59 . 2012-11-27 17:09	--------	d-----w-	c:\documents and settings\All Users\Application Data\Native Instruments
2012-11-26 22:28 . 2012-12-21 14:26	--------	d-----w-	c:\documents and settings\Daniel\Application Data\vlc
2012-11-26 18:32 . 2007-01-26 00:00	4352	----a-w-	c:\windows\system32\drivers\avmeject.sys
2012-11-26 18:30 . 2007-01-26 00:00	74752	----a-w-	c:\windows\system32\fwlanci.dll
2012-11-26 18:30 . 2012-11-26 18:30	--------	d-----w-	c:\documents and settings\Daniel\AVM_Driver
2012-11-26 17:41 . 2012-11-26 18:12	--------	d-----w-	c:\program files\Common Files\DVDVideoSoft
2012-11-26 17:41 . 2012-11-26 18:11	--------	d-----w-	c:\program files\DVDVideoSoft
2012-11-26 17:40 . 2012-11-26 20:35	--------	d-----w-	c:\documents and settings\Daniel\Application Data\DVDVideoSoft
2012-11-25 11:42 . 2012-11-25 11:42	--------	d-----w-	c:\documents and settings\Daniel\Local Settings\Application Data\MFAData
2012-11-25 11:34 . 2012-11-25 11:34	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2012-11-25 11:30 . 2012-12-21 15:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\Norton
2012-11-25 11:29 . 2012-11-25 11:29	--------	d-----w-	c:\program files\NortonInstaller
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-13 16:01 . 2012-08-08 18:49	697272	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-12-13 16:01 . 2012-08-08 18:49	73656	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2009-05-13 22:57	1866368	----a-w-	c:\windows\system32\win32k.sys
2012-11-08 16:37 . 2012-10-06 15:19	26984	----a-w-	c:\windows\system32\drivers\avgtpx86.sys
2012-11-06 00:41 . 2009-05-13 22:57	290560	------w-	c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2009-05-13 22:57	375296	----a-w-	c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2009-05-13 22:57	916992	----a-w-	c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2009-05-13 22:57	43520	------w-	c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2009-05-13 22:57	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2009-05-13 22:57	385024	------w-	c:\windows\system32\html.iec
2012-10-02 18:04 . 2009-05-13 22:57	58368	----a-w-	c:\windows\system32\synceng.dll
2012-12-06 23:53 . 2012-12-06 23:52	262112	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [BU]
"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]
.
[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-13 550912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-03 298664]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [BU]
"AVMWlanClient"="c:\program files\avmwlanstick\FRITZWLANMini.exe" [2007-02-02 283136]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-02 296096]
"YouCam Service"="c:\program files\CyberLink\YouCam\YouCamService.exe" [2012-03-23 255208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [10/6/2012 4:19 PM 26984]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [5/14/2009 1:51 AM 4300]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [10/12/2011 10:50 AM 4176896]
R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [2/19/2009 4:08 AM 74992]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [5/13/2009 11:57 PM 14336]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\drivers\clwvd.sys [9/7/2012 1:44 PM 27760]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [5/14/2009 1:55 AM 238464]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2/19/2009 4:08 AM 25560]
S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/14/2009 1:52 AM 1684736]
S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [11/26/2012 7:32 PM 4352]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [1/22/2010 9:07 PM 112640]
S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [8/2/2012 4:15 PM 265088]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [1/23/2010 8:05 AM 102656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs	REG_MULTI_SZ   	yksvc
.
Inhalt des "geplante Tasks" Ordners
.
2012-12-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 16:01]
.
2012-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2859748474-667080921-3980430596-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]
.
2012-12-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2859748474-667080921-3980430596-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937
uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
mStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937
mSearch Bar = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Free YouTube to MP3 Converter - c:\documents and settings\Daniel\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\
FF - prefs.js: browser.search.selectedEngine - WEB.DE Suche
FF - prefs.js: browser.startup.homepage - hxxp://go.web.de/tb/mff_startpage
FF - prefs.js: keyword.URL - hxxp://go.web.de/tb/mff_keyurl_search/?su=
FF - ExtSQL: 2012-10-24 20:26; crossriderapp5060@crossrider.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com
FF - ExtSQL: 2012-11-26 18:43; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi
FF - ExtSQL: 2012-11-28 19:25; sparpilot@sparpilot.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\sparpilot@sparpilot.com
FF - ExtSQL: 2012-11-28 19:25; software@loadtubes.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com
FF - ExtSQL: 2012-11-28 19:26; toolbar@web.de; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\toolbar@web.de.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2012-12-21 17:47
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteinträge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'winlogon.exe'(1476)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(2524)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Zeit der Fertigstellung: 2012-12-21  17:50:09
ComboFix-quarantined-files.txt  2012-12-21 16:50
ComboFix2.txt  2012-12-21 14:48
ComboFix3.txt  2012-12-13 15:11
.
Vor Suchlauf: 55,500,668,928 bytes free
Nach Suchlauf: 55,478,972,416 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 0C266DD85D2557C557D7C85B8E998742

--- --- ---

ryder · 21.12.2012, 18:18

Du musst nur richtig lesen. CF meckert manchmal auch wenn alles deaktiviert ist.

So, dann wollen wir mal sehen ....

Schritt 1:
AdwCleaner: Werbeprogramme suchen und löschen

Downloade Dir bitte AdwCleaner auf deinen Desktop.
Starte die adwcleaner.exe mit einem Doppelklick.

Klicke auf Löschen.

Bestätige jeweils mit Ok.

Dein Rechner wird neu gestartet, je nach Schwere der Infektion auch mehrmals - das ist normal. Nach dem Neustart öffnet sich eine Textdatei.

Poste mir den Inhalt mit deiner nächsten Antwort.

Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.

Schritt 2:
Temporäre Dateien löschen mit TFC

Bitte lade dir TFC auf deinen Desktop und starte es. Es wird automatisch alle temporären Dateien entfernen.

Schritt 3:
Noch mal Combofix bitte.

sandsonne · 21.12.2012, 18:47

aha, okee. Das klingt beruhigend. Prima.

Morgen werde ich dazukommen Deinen Anweisungen Adw, Tfc und nochmal CF zu folgen.

Steht einem eine derart sachliche und umgehende Hilfe zu Seite, fühlt sich das gut gut.

Für heute einen angenehmen Abend und vielen Dank.

(Thread bitte noch nicht schließen)

ryder · 23.12.2012, 14:52

Hallo, benötigst Du noch weiterhin Hilfe ?

Sollte ich innerhalb der nächsten 24 Stunden keine Antwort von dir erhalten, werde ich dein Thema aus meinen Abos nehmen und bekomme dadurch keine Nachricht über neue Antworten.

Das Verschwinden der Symptome bedeutet nicht, dass dein System schon sauber ist

sandsonne · 24.12.2012, 13:01

Entschuldige die Verzögerung: Empfehlung angewendet wie folgt:

1. ADW CLEANER (logfile nachstehend)
2. TF (System wurde einmal neugestartet)
3. NOCHMAL CF (log untenstehend)

Adwcleaner-Inhalt:
# AdwCleaner v2.102 - Logfile created 12/24/2012 at 12:31:41
# Updated 23/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Daniel - STEFANIE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Daniel\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\bprotector_extensions.sqlite
File Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\nbfa\Application Data\Mozilla\Firefox\Profiles\87f7fvnj.default\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\bprotector_extensions.sqlite
File Deleted : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\searchplugins\Web Search.xml
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\extensions\crossriderapp5060@crossrider.com
Folder Deleted : C:\Documents and Settings\Daniel\Application Data\loadtbs
Folder Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com
Folder Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com
Folder Deleted : C:\Documents and Settings\nbfa\Application Data\Mozilla\Firefox\Profiles\87f7fvnj.default\extensions\staged
Folder Deleted : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\extensions\crossriderapp5060@crossrider.com
Folder Deleted : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\extensions\crossriderapp5060@crossrider.com

***** [Registry] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Claro LTD
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{835315FC-1BF6-4CA9-80CD-F6C158D40692}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DFEFCDEE-CF1A-4FC8-88AD-129872198372}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055505560}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066506660}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044504460}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{DFEFCDEE-CF1A-4FC8-88AD-129872198372}]
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{DFEFCDEE-CF1A-4FC8-88AD-129872198372}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://newtab.certified-toolbar.com/nie?si=41460&tid=2937&new=true --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com

-\\ Mozilla Firefox v17.0.1 (de)

File : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.order.1", "Web Search");
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationTime", 1355413092);
Deleted : user_pref("extensions.crossriderapp5060.5060.active", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.addressbar", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.value", "1355413092");
Deleted : user_pref("extensions.crossriderapp5060.5060.description", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.domain", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.group", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.homepage", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.iframe", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.value", "40");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.value", "0");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.expiration", "Thu Dec 13[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.name", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.newtab", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.opensearch", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.code", "appAPI._cr_config={appID:funct[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.name", "base");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.name", "GPL Plugin (Loader)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.ver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.name", "GPL Background (BG)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.code", "if((typeof isBackground===\"u[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.code", "var CrossriderDebugManager=(f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.name", "debug");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.code", "(function(a){appAPI.queueMana[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.name", "resources");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.code", "var CrossriderInitializerPlug[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.name", "initializer");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com |[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.name", "jquery_1_7_1");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_0", "17,14,16,47,1000015");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_1", "17,14,13,16,15,4,1,21,22,100[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsversion", 16);
Deleted : user_pref("extensions.crossriderapp5060.5060.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp5060.5060.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.thankyou", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp5060.5060.ver", 40);
Deleted : user_pref("extensions.crossriderapp5060.apps", "5060");
Deleted : user_pref("extensions.crossriderapp5060.bic", "13ab35e2f2a7f290832f97b2eac5b6e9");
Deleted : user_pref("extensions.crossriderapp5060.cid", 5060);
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1355413088);
Deleted : user_pref("extensions.crossriderapp5060.lastcheck", 22590218);
Deleted : user_pref("extensions.crossriderapp5060.lastcheckitem", 22590222);
Deleted : user_pref("extensions.crossriderapp5060.modetype", "production");
Deleted : user_pref("extensions.crossriderapp5060.reportInstall", true);
Deleted : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=");

File : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.order.1", "Web Search");
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationThankYouPage", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationTime", 1351103191);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.searchUserConifrmation", false[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setHomepage", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setNewTab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setSearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.active", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.addressbar", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.value", "1351103191");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_aoi.value", "1351103191");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_blocklist.expiration", "Fri Nov 30 2012 18:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_blocklist.value", "%22nonexistantdomain.com[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_country_code.expiration", "Sun Dec 02 2012 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_country_code.value", "%22DE%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_crr.value", "1354295571");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_hotfix20111102645.value", "%221%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_parent_zoneid.value", "%2214019%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_pc_20120828.value", "1353852501763");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_product_id.value", "%221224%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_zoneid.value", "%2297646%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.dbtest.value", "1353852487519");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.lastrequest.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.lastrequest.value", "%7B%22path%22%3A%22/raylene[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.description", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.domain", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.group", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.homepage", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.iframe", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.InstallerIdentifiers.expiration", "Fri Feb 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.InstallerIdentifiers.value", "%7B%22installe[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.value", "38");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.value", "0");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.expiration", "Sat Dec 01[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_remote_resources.expiration", "Fri[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_remote_resources.value", "%7B%22re[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.SoftwareDetected.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.SoftwareDetected.value", "%7B%22AnySoftware%[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.name", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.newtab", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.opensearch", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.code", "appAPI._cr_config={appID:funct[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.name", "base");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.name", "GPL Plugin (Loader)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.ver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.name", "GPL Background (BG)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.code", "if((typeof isBackground===\"u[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.code", "var CrossriderDebugManager=(f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.name", "debug");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.code", "(function(a){appAPI.queueMana[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.name", "resources");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.code", "var CrossriderInitializerPlug[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.name", "initializer");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com |[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.name", "jquery_1_7_1");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_0", "17,14,16,47,1000015");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_1", "17,14,13,16,15,4,1,21,22,100[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsversion", 16);
Deleted : user_pref("extensions.crossriderapp5060.5060.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp5060.5060.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.thankyou", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp5060.5060.ver", 38);
Deleted : user_pref("extensions.crossriderapp5060.apps", "5060");
Deleted : user_pref("extensions.crossriderapp5060.bic", "13a94072196fa53aa47a365095f8a893");
Deleted : user_pref("extensions.crossriderapp5060.cid", 5060);
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1353843272);
Deleted : user_pref("extensions.crossriderapp5060.lastcheck", 22571591);
Deleted : user_pref("extensions.crossriderapp5060.lastcheckitem", 22571600);
Deleted : user_pref("extensions.crossriderapp5060.modetype", "production");
Deleted : user_pref("extensions.crossriderapp5060.reportInstall", true);

File : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\prefs.js

Deleted : user_pref("browser.startup.homepage", "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=29[...]
Deleted : user_pref("extensions.crossriderapp5060.bic", "13ab8232c104b729506742f49b32eeb7");
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1353953300);
Deleted : user_pref("extensions.enabledAddons", "crossriderapp5060@crossrider.com:0.86.38,{972ce4c6-7e08-4474-[...]
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.selectedEngine", "Web Search");
Deleted : user_pref("browser.newtab.url", "hxxp://newtab.certified-toolbar.com/nff?si=41460&tid=2937&new=true"[...]
Deleted : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=");
Deleted : user_pref("browser.search.order.1", "Web Search");

File : C:\Documents and Settings\nbfa\Application Data\Mozilla\Firefox\Profiles\87f7fvnj.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.order.1", "Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=29[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationTime", 1355409230);
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.value", "1355409230");
Deleted : user_pref("extensions.crossriderapp5060.bic", "13b94af87c9b745277314ee9e545a29a");
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1355409230);
Deleted : user_pref("extensions.crossriderapp5060.lastcheck", 22590154);
Deleted : user_pref("extensions.crossriderapp5060.lastcheckitem", 22590154);
Deleted : user_pref("extensions.crossriderapp5060.reportInstall", true);
Deleted : user_pref("extensions.enabledAddons", "crossriderapp5060%40crossrider.com:0.85.36,%7B411beae9-8c58-4[...]
Deleted : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=");

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Stef\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.4] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937",
Deleted [l.5] : homepage =rowser":{"show_home_button":true,"window_placement":{"bottom":568,"left":2,"maximized":false,"right"[...]

File : C:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.4] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937",

*************************

AdwCleaner[R1].txt - [46703 octets] - [25/11/2012 12:09:16]
AdwCleaner[S1].txt - [47092 octets] - [25/11/2012 12:21:46]
AdwCleaner[S2].txt - [34510 octets] - [24/12/2012 12:31:41]

########## EOF - C:\AdwCleaner[S2].txt - [34571 octets] ##########

ABSCHLIESSEND NOCHMAL CF WIE EMPFOHLEN _ INHALT NACHFOLGEND

Combofix Logfile:

Code:

ATTFilter

ComboFix 12-12-20.02 - Daniel 12/24/2012  12:45:29.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.49.1033.18.1014.638 [GMT 1:00]
ausgeführt von:: c:\documents and settings\Daniel\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-11-24 bis 2012-12-24  ))))))))))))))))))))))))))))))
.
.
2012-12-13 15:32 . 2012-12-13 15:32	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Mozilla
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Application Data\AVG2013
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Bluetooth Software
2012-12-13 15:20 . 2012-12-13 15:20	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Avg2013
2012-12-13 15:19 . 2012-12-13 15:19	--------	d-----w-	c:\documents and settings\nbfa\Local Settings\Application Data\Scansoft
2012-12-13 14:39 . 2012-12-13 14:39	--------	d-----w-	c:\documents and settings\Administrator\Application Data\AVG2013
2012-12-13 14:29 . 2012-12-13 14:29	--------	d-----w-	c:\documents and settings\Administrator\Application Data\TuneUp Software
2012-12-13 14:23 . 2012-12-13 14:23	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\MFAData
2012-12-13 14:23 . 2012-12-13 14:23	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Avg2013
2012-11-30 15:20 . 2012-11-30 15:22	--------	d-----w-	c:\documents and settings\Stef\Application Data\PhotoScape
2012-11-28 18:49 . 2012-11-28 18:56	--------	d-----w-	c:\documents and settings\Daniel\Application Data\PhotoScape
2012-11-28 18:39 . 2012-11-28 18:40	--------	d-----w-	c:\program files\PhotoScape
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\documents and settings\Daniel\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\program files\Adobe Download Assistant
2012-11-28 18:27 . 2012-11-28 18:27	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2012-11-28 18:25 . 2012-12-21 14:43	--------	d-----w-	c:\documents and settings\Daniel\Application Data\convert
2012-11-28 18:24 . 2012-11-28 18:24	--------	d-----w-	c:\program files\WEB.DE MailCheck
2012-11-28 18:18 . 2012-11-28 18:19	--------	d-----w-	c:\program files\Protected Search
2012-11-28 18:18 . 2012-08-30 02:01	15432	----a-w-	c:\windows\Launcher.exe
2012-11-28 18:14 . 2012-11-28 18:19	--------	d-----w-	c:\documents and settings\Daniel\Local Settings\Application Data\DownTango
2012-11-28 18:13 . 2012-11-28 18:13	--------	d-----w-	c:\program files\Red Sky
2012-11-27 17:30 . 2012-11-27 17:30	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{E648CD4D-3307-4213-89B2-9C0E20C77202}
2012-11-27 17:07 . 2012-11-27 17:07	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}
2012-11-27 17:05 . 2012-11-27 17:10	--------	d-----w-	c:\program files\Common Files\Native Instruments
2012-11-27 17:01 . 2012-11-27 17:01	--------	dc-h--w-	c:\documents and settings\All Users\Application Data\{C78336EC-F2EB-4640-99A4-DFE96581B90B}
2012-11-27 16:59 . 2012-11-27 17:09	--------	d-----w-	c:\program files\Native Instruments
2012-11-27 16:59 . 2012-11-27 17:09	--------	d-----w-	c:\documents and settings\All Users\Application Data\Native Instruments
2012-11-26 22:28 . 2012-12-21 14:26	--------	d-----w-	c:\documents and settings\Daniel\Application Data\vlc
2012-11-26 18:32 . 2007-01-26 00:00	4352	----a-w-	c:\windows\system32\drivers\avmeject.sys
2012-11-26 18:30 . 2007-01-26 00:00	74752	----a-w-	c:\windows\system32\fwlanci.dll
2012-11-26 18:30 . 2012-11-26 18:30	--------	d-----w-	c:\documents and settings\Daniel\AVM_Driver
2012-11-26 17:41 . 2012-11-26 18:12	--------	d-----w-	c:\program files\Common Files\DVDVideoSoft
2012-11-26 17:41 . 2012-11-26 18:11	--------	d-----w-	c:\program files\DVDVideoSoft
2012-11-26 17:40 . 2012-11-26 20:35	--------	d-----w-	c:\documents and settings\Daniel\Application Data\DVDVideoSoft
2012-11-25 11:42 . 2012-11-25 11:42	--------	d-----w-	c:\documents and settings\Daniel\Local Settings\Application Data\MFAData
2012-11-25 11:34 . 2012-11-25 11:34	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2012-11-25 11:30 . 2012-12-21 15:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\Norton
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2009-05-13 22:57	290560	----a-w-	c:\windows\system32\atmfd.dll
2012-12-13 16:01 . 2012-08-08 18:49	697272	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-12-13 16:01 . 2012-08-08 18:49	73656	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2009-05-13 22:57	1866368	----a-w-	c:\windows\system32\win32k.sys
2012-11-08 16:37 . 2012-10-06 15:19	26984	----a-w-	c:\windows\system32\drivers\avgtpx86.sys
2012-11-02 02:02 . 2009-05-13 22:57	375296	----a-w-	c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2009-05-13 22:57	916992	----a-w-	c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2009-05-13 22:57	43520	------w-	c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2009-05-13 22:57	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2009-05-13 22:57	385024	------w-	c:\windows\system32\html.iec
2012-10-02 18:04 . 2009-05-13 22:57	58368	----a-w-	c:\windows\system32\synceng.dll
2012-12-06 23:53 . 2012-12-06 23:52	262112	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-13 550912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-03 298664]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [BU]
"AVMWlanClient"="c:\program files\avmwlanstick\FRITZWLANMini.exe" [2007-02-02 283136]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-02 296096]
"YouCam Service"="c:\program files\CyberLink\YouCam\YouCamService.exe" [2012-03-23 255208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [10/6/2012 4:19 PM 26984]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [5/14/2009 1:51 AM 4300]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [10/12/2011 10:50 AM 4176896]
R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [2/19/2009 4:08 AM 74992]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [5/13/2009 11:57 PM 14336]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\drivers\clwvd.sys [9/7/2012 1:44 PM 27760]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [5/14/2009 1:55 AM 238464]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2/19/2009 4:08 AM 25560]
S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/14/2009 1:52 AM 1684736]
S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [11/26/2012 7:32 PM 4352]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [1/22/2010 9:07 PM 112640]
S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [8/2/2012 4:15 PM 265088]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [1/23/2010 8:05 AM 102656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
yksvcs	REG_MULTI_SZ   	yksvc
.
Inhalt des "geplante Tasks" Ordners
.
2012-12-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 16:01]
.
2012-12-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2859748474-667080921-3980430596-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]
.
2012-12-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2859748474-667080921-3980430596-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Free YouTube to MP3 Converter - c:\documents and settings\Daniel\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\
FF - prefs.js: browser.search.selectedEngine - WEB.DE Suche
FF - prefs.js: browser.startup.homepage - hxxp://go.web.de/tb/mff_startpage
FF - prefs.js: keyword.URL - hxxp://go.web.de/tb/mff_keyurl_search/?su=
FF - ExtSQL: 2012-10-24 20:26; crossriderapp5060@crossrider.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com
FF - ExtSQL: 2012-11-26 18:43; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi
FF - ExtSQL: 2012-11-28 19:25; sparpilot@sparpilot.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\sparpilot@sparpilot.com
FF - ExtSQL: 2012-11-28 19:25; software@loadtubes.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com
FF - ExtSQL: 2012-11-28 19:26; toolbar@web.de; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\toolbar@web.de.xpi
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
AddRemove-loadtbs-3.0 - c:\documents and settings\Daniel\Application Data\loadtbs\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2012-12-24 12:52
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse... 
.
Scanne versteckte Autostarteinträge... 
.
Scanne versteckte Dateien... 
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Zeit der Fertigstellung: 2012-12-24  12:55:21
ComboFix-quarantined-files.txt  2012-12-24 11:55
ComboFix2.txt  2012-12-21 16:50
ComboFix3.txt  2012-12-21 14:48
ComboFix4.txt  2012-12-13 15:11
.
Vor Suchlauf: 56,868,270,080 bytes free
Nach Suchlauf: 56,845,783,040 bytes free
.
- - End Of File - - 0C175BC72A94707A4E84399402F4CD3F

--- --- ---

ryder · 24.12.2012, 13:12

Schritt 1:
Warnung: Mehrere Anti-Virus-Programme

Zitat:

Lesestoff:
Mehrere Anti-Virus-Programme
Auch wenn dieser Zustand besser ist als keine solche Software installiert zu haben, so ist er dennoch schlecht. Diese Programme haben einen Hintergrundwächter, der Dateizugriffe überwacht. Zwei solche Hintergrundwächter können und werden sich gegenseitig behindern, dein System ausbremsen und mit hoher Wahrscheinlichkeit im entscheidenen Moment eine Infektion eben nicht verhindern. Eine gute Absicherung besteht aus:
Einem Virenscanner mit Hintergrundwächter. Ich persönlich empfehle derzeit: Avast Free Antivirus

Einem Malwarescanner wie Malwarebytes

ggf. einem Browserschutz (ist bei Avast dabei)

Entscheide dich bitte für eines der folgenden Programme und deinstalliere den Rest über die Systemsteuerung => Software bzw. Programme & Funktionen:
Code:
ATTFilter
Avira
Avast
         
Um die Überreste des alten Virenscanner zu entfernen gibt es auf dieser Webseite passende Tools.

Ich würde Avira entfernen.

Schritt 2:
Combofix nochmal laufen lassen und mir dann ALLE Logfiles posten die du unter c:\qoobox findest.

sandsonne · 24.12.2012, 15:11

Anhang 47767

Anhang 47768

Anhang 47769

Anhang 47770

Anhang 47771

Anhang 47772

Lieber ryder,

unter Start Systemsteuerung > Programme+Funktionen > ist nach wie vor kein Avira und kein anderes Sicherheitsprogramm mehr.

Die Schritte unter dem empfohlenen Link empfehlen
Start - Control Panel - Uninstall a program
Remove
Press Yes, to confirm the removal and then OK.
Click Next until Finish. The software is removed.

Das hatte ich bereits diese Woche getan daher auch unter dem o.g. Schritt kein Programm mehr.

aswclear.exe (AVAST) folgendes Problem:

Fährt sich herunter (auto), startet neu, meldet das das programm im abges. gestartet wird fragt nach ok, bei ok fährt herunter, startet neu, meldet wieder die safetymodus frage, bestätigt man mit ok das gleiche Spiel von vorne.

Files und ein screenshot anbei.

Zwischendurch: Schöne Weihnachten.

ryder · 24.12.2012, 15:31

Okay, dann deinstalliere noch Spybot.

Welchen Virenscanner hast du denn jetzt installiert? Avast? AVG?

ryder · 24.12.2012, 15:34

Ausserdem:

Weißt du zufällig was das hier sein könnte ich finde dazu nichts ...

Zitat:

R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [2/19/2009 4:08 AM 74992]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2/19/2009 4:08 AM 25560]

Hat das irgendwas mit deiner DJ-SOftware zu tun?

sandsonne · 24.12.2012, 15:44

Zitat:

Zitat von ryder

Okay, dann deinstalliere noch Spybot.

Welchen Virenscanner hast du denn jetzt installiert? Avast? AVG?

Ist ebenfalls nicht mehr da, schon diese Woche weg gemacht = deinstall.

Zitat:

Zitat von ryder

Ausserdem:

Weißt du zufällig was das hier sein könnte ich finde dazu nichts ...

Hat das irgendwas mit deiner DJ-SOftware zu tun?

das ist gut möglich. Die Software heisst 'traktor'.

Deinstallieren?

24.12.2012, 15:31	#13
ryder /// TB-Ausbilder	Probleme durch 'Bundesministerium'-Trojaner - OTL startet nicht (abges. Modus) Okay, dann deinstalliere noch Spybot. Welchen Virenscanner hast du denn jetzt installiert? Avast? AVG? __________________ Digitale Freibeuter gegen Malware! Keine Hilfe per PM!

Probleme durch 'Bundesministerium'-Trojaner - OTL startet nicht (abges. Modus)

Plagegeister aller Art und deren Bekämpfung: Probleme durch 'Bundesministerium'-Trojaner - OTL startet nicht (abges. Modus)