GVU Trojaner

Nanni-5 · 08.01.2013, 19:02

Hallo zusammen,
Ich habe wohl seit gestern, nachdem ich mich mehrere Stunden informiert habe einen GVU Trojaner auf meinem Rechner.
Mein Rechner ein win7 64 kann ich im Hauptbenutzer (Admin) zwar hochfahren werden aber es erscheint immer das Standbild. Im Nebenbenutzer fährt er ganz normal hoch und es scheint so als könnte ich alles benutzen außer das Internet, dieses ist ausgeschaltet. Also kann ich auch auf dem Rechner nichts herunterladen.
Ich habe bereits den HitmanPro und den Malwarebytes durchlaufen lassen und diese haben nichts angezeigt. Nun muss ich zu meiner Schande gestehen, dass ich lediglich ein reiner Anwender bin und auch keine weitere Ahnung habe und ich immer davon ausgegangen bin das ich davon verschont bleibe, leider nur bis gestern. Ich benutze Avira AntiVirus bislang war dies kein Problem.
Auf dem Standbild wird mir gesagt, dass nach 48h all meine Dateien gelöscht werden sollen. Ist dies so muss ich schnellstens Sicherungen herstellen?

Ich bitte um Hilfe, vielen Dank!

ryder · 08.01.2013, 19:13

Das ist alles nur unnötige Panikmache. Keine Sorge und bloss nichts bezahlen!

Das Hitman und das MBAM Logfile würden wir aber gerne noch sehen, bevor es los geht:

So funktioniert es:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:

Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.

Nanni-5 · 08.01.2013, 20:19

Hallo ryder,
zunächst vielen Dank für die schnelle Antwort. Hier meine Lokfile:

Code:

ATTFilter


	Code: 

 ATTFilter

  
	HitmanPro 3.7.0.185
www.hitmanpro.com

   Computer name . . . . : RAINER-PC
   Windows . . . . . . . : 6.1.1.7601.X64/8
   User name . . . . . . : Rainer-PC\Rainer
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2013-01-07 14:47:43
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 36s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : Yes

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 157

   Objects scanned . . . : 1.400.703
   Files scanned . . . . : 24.257
   Remnants scanned  . . : 427.587 files / 948.859 keys

Potential Unwanted Programs _________________________________________________

   C:\Program Files (x86)\Ask.com\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\BadgeManager.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\common.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\config.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\css\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\css\popup.css (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\events.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\btn-bg.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\footer.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\header-top-plain.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\header-top.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\like.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\linkedin.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\on-off-knob.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\on-off.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\plus-minus.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\plusone.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\settings.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\images\tweet.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\notificationManager.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\optout.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\reports\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\reports\logger.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\reports\view_report.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\rules.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\socialButtons.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\template.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\templates\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\templates\all.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\view.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\view_alert.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\view_allowed_sites.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\chrome\content\view_global.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\autoUpdate.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\background.html (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\bg.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\blank.html (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\common.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\config.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\config.xml (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\content.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\ContentPolicy.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\css\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\css\popup-ie.css (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\demo.html (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\demoRestricted.html (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\dntp.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\DNTPAddon.dll (AskBar) -> Deleted
      Size . . . . . . . : 470.976 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : FC338B27D65C57330BCF611B87C66ED46881C4DD766FE7B99B8394A757EBC795
      Product  . . . . . : Avira Do Not Track
      Publisher  . . . . : Abine
      Description  . . . : ScriptHost
      Version  . . . . . : 2.2.1.921
      Copyright  . . . . : Abine Inc.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\AbineSDK\IE\DNTPButton.dll (AskBar) -> Deleted
      Size . . . . . . . : 245.696 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 2FC13CADD383B20CF47883318AA4CBF6CED368985E4E4616AD55570017F89898
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -9.0

   C:\Program Files (x86)\Ask.com\AbineSDK\IE\DNTPContentFilter.dll (AskBar) -> Deleted
      Size . . . . . . . : 925.120 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : A2E81FF4D5C5AAD8287A06AC267AD64C2E2E7E7453A4A0A3857F12248FC074C7
      Product  . . . . . : Avira Do Not Track
      Description  . . . : DNTP ContentFilter Module
      Version  . . . . . : 2.2.1.921
      Copyright  . . . . : Abine Inc. Copyright 2012
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -14.0

   C:\Program Files (x86)\Ask.com\AbineSDK\IE\DNTPService.exe (AskBar) -> Deleted
      Size . . . . . . . : 300.480 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 5432AEF914EA963BF63277837A30B82B59008BCA2B3E79D82A3FDB87C7386BDA
      Product  . . . . . : Avira Do Not Track
      Publisher  . . . . : Abine Inc.
      Description  . . . : Avira Do Not Track Service
      Version  . . . . . : 2.2.1.921
      Copyright  . . . . : Abine Inc.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\AbineSDK\IE\DNTPServicePS.dll (AskBar) -> Deleted
      Size . . . . . . . : 51.136 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : 79B321A17B6E4508921A90620F315FED39BA03F00D4FA2C848F62B89EAB837F8
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -9.0

   C:\Program Files (x86)\Ask.com\AbineSDK\IE\DNTPTypes.dll (AskBar) -> Deleted
      Size . . . . . . . : 90.048 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.2
      SHA-256  . . . . . : E1ECF35417E57AD8860CE5E99468F9B3D806F8C171EB6DBD5E06D2D41BE8160A
      Product  . . . . . : Avira Do Not Track
      Publisher  . . . . : Abine Inc.
      Description  . . . : Avira Do Not Track Shared Types
      Version  . . . . . : 2.2.1.921
      Copyright  . . . . : Abine Inc. All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\AbineSDK\IE\images\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\images\demoRestricted.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\json2.min.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\license.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\de\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\de\messages.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\en\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\en\messages.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\es\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\es\messages.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\fr\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\fr\messages.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\it\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\it\messages.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\nl\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\nl\messages.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\pt\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\locale\pt\messages.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\popup.html (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\socialButtons.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\view.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AbineSDK\IE\view_alert.js (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\b.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\bl.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\br.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\l.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\pointer.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\r.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\t.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\tl.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\assets\oobe\tr.png (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\AviraBrowserSecurity.exe (AskBar) -> Deleted
      Size . . . . . . . : 238.288 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.2
      SHA-256  . . . . . : 065735286539FFFAFDFC6E3EEDED40E02A0F7A785E86C7A72361F880EBA7B40B
      Product  . . . . . : AviraBrowserSecurity
      Publisher  . . . . : APN LLC.
      Description  . . . : AviraBrowserSecurity
      Version  . . . . . : 1.0.0.1
      Copyright  . . . . : (c) APN LLC.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\AviraCallingIDhelper.dll (AskBar) -> Deleted
      Size . . . . . . . : 146.128 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 1B692AE7D1E5273D15664DA724F3EE363EA5D22755AD897B5268ADF775A62FB5
      Product  . . . . . : AviraHelper
      Publisher  . . . . : APN LLC
      Description  . . . : Avira COM API Helper
      Version  . . . . . : 1.0.0.1
      Copyright  . . . . : (c) APN LLC.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\CallingIDSDK\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\CallingIDSDK\CIDCoreLight.dll (AskBar) -> Deleted
      Size . . . . . . . : 1.591.376 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : CF7CF232205A1A57E6DC0CEEADB1B6F21B4A5F86A39A0A64DF28FC3BF5B5F873
      Product  . . . . . : CallingID
      Publisher  . . . . : CallingID Ltd.
      Version  . . . . . : 2.0.0.246
      Copyright  . . . . : CallingID (c). All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\CallingIDSDK\CIDGlobalLight.exe (AskBar) -> Deleted
      Size . . . . . . . : 1.534.032 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : 1BB5D054D42DB938342616A582B015D6224AD474F46C1E3273592B8FDFCE48C7
      Product  . . . . . : CallingID
      Publisher  . . . . : CallingID Ltd.
      Version  . . . . . : 2.0.0.246
      Copyright  . . . . : CallingID (c). All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\CallingIDSDK\CIDGlobalLightPS.dll (AskBar) -> Deleted
      Size . . . . . . . : 71.760 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 5.5
      SHA-256  . . . . . : 8F8C3C54DBBE18D0E2E7BFA404B4DC0D5C6D2C57AD90B99FA9FF420411E01008
      Product  . . . . . : CallingID
      Publisher  . . . . : CallingID Ltd.
      Version  . . . . . : 2.0.0.246
      Copyright  . . . . : CallingID (c). All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\CallingIDSDK\CIDWPADLight.exe (AskBar) -> Deleted
      Size . . . . . . . : 145.488 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.1
      SHA-256  . . . . . : 3CAABBCF93D07409CD3E1269471EAB812DAA70949F111782820C48FBEB0520BE
      Product  . . . . . : CallingID
      Publisher  . . . . : CallingID Ltd.
      Version  . . . . . : 2.0.0.246
      Copyright  . . . . : CallingID (c). All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\CallingIDSDK\CIDWPADLightPS.dll (AskBar) -> Deleted
      Size . . . . . . . : 71.760 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 5.4
      SHA-256  . . . . . : 4723E189EB477F2131BB219F1D44E905EE052C096B168327FE0F0E38F4ABFE75
      Product  . . . . . : CallingID
      Publisher  . . . . : CallingID Ltd.
      Version  . . . . . : 2.0.0.246
      Copyright  . . . . : CallingID (c). All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -15.0

   C:\Program Files (x86)\Ask.com\cb_c4f4.ico (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\cobrand.ico (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\config.xml (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\favicon.ico (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\fv_c090.ico (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (AskBar) -> Deleted
      Size . . . . . . . : 1.521.872 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.8
      SHA-256  . . . . . : AB66399FDA62556BC57182476134F70A906755724EA46E714E4D7B05185833F0
      Product  . . . . . : Toolbar
      Publisher  . . . . : Ask
      Description  . . . : Avira SearchFree Toolbar
      Version  . . . . . : 5.15.5.26921
      Copyright  . . . . : (c) Ask.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -17.0
      Startup
         HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\
         HKU\S-1-5-21-1761086220-915579873-3192690886-1002\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{00000000-6E41-4FD3-8538-502F5495E5FC}
         HKU\S-1-5-21-1761086220-915579873-3192690886-1004\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440}
      References
         HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\
         HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\
         HKLM\SOFTWARE\Wow6432Node\Classes\GenericAskToolbar.ToolbarWnd.1\
         HKLM\SOFTWARE\Wow6432Node\Classes\GenericAskToolbar.ToolbarWnd\
         HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}\
         HKU\S-1-5-21-1761086220-915579873-3192690886-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}\
         HKU\S-1-5-21-1761086220-915579873-3192690886-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}\

   C:\Program Files (x86)\Ask.com\mupcfg.xml (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\precache.exe (AskBar) -> Deleted
      Size . . . . . . . : 70.864 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 2B98509E0352F38B933BA0DED710D81BDBFC9B0D2588227D7E69AE9B9D912A84
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -9.0

   C:\Program Files (x86)\Ask.com\SaUpdate.exe (AskBar) -> Deleted
      Size . . . . . . . : 197.840 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.6
      SHA-256  . . . . . : 0372D3949070B33CAEDBFE45536DB7EB08B249AAF222DD00FDD629B860A32A2C
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -9.0

   C:\Program Files (x86)\Ask.com\Updater\ (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\Updater\config.xml (AskBar) -> Deleted
   C:\Program Files (x86)\Ask.com\Updater\Updater.exe (AskBar) -> Deleted
      Size . . . . . . . : 1.573.584 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.1
      SHA-256  . . . . . : C77B34E73750B1DC1F495B37A1AFEED1627F5380490CC73AAD0F8E6D252AD613
      Product  . . . . . : Updater
      Publisher  . . . . : Ask
      Description  . . . : Ask Updater
      Version  . . . . . : 1.2.2.26921
      Copyright  . . . . : (c) Ask.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Running processes  : 3792
      Fuzzy  . . . . . . : -17.0

   C:\Program Files (x86)\Ask.com\UpdateTask.exe (AskBar) -> Deleted
      Size . . . . . . . : 136.400 bytes
      Age  . . . . . . . : 99.2 days (2012-09-30 10:20:10)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 24376D695E2C12109E25882BC7AE2D97C5B6C2B9801A6AD1F861CFEF10729653
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -13.0

   C:\Users\Anna Lena\AppData\Local\AskToolbar\ (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\Local\AskToolbar\Downloaded Program Files\ (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\Local\AskToolbar\Downloaded Program Files\AviraBrowserSecurity.dll (AskBar) -> Deleted
      Size . . . . . . . : 1.084.920 bytes
      Age  . . . . . . . : 102.8 days (2012-09-26 20:20:30)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : CAA5FF447D8D4CAC0718E1F8C36015D8B0515D78707CE23B3C74D275A8D61EAF
      Product  . . . . . : Avira Addon
      Publisher  . . . . : Ask.com
      Description  . . . : Avira Addon
      Version  . . . . . : 3.0.0.1000
      Copyright  . . . . : (c) APN LLC.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -7.0

   C:\Users\Anna Lena\AppData\Local\AskToolbar\Downloaded Program Files\avr-4.inf (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\ (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\APNU\ (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\APNU\config.xml (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\Avira.install-bubble.config (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\Avira.status.config (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\avr-4.cab (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\cache.dat (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\config.xml (AskBar) -> Deleted
   C:\Users\Anna Lena\AppData\LocalLow\AskToolbar\osearch.xml (AskBar) -> Deleted
   C:\Users\Rainer\AppData\Local\AskToolbar\ (AskBar) -> Deleted
   C:\Users\Rainer\AppData\Local\AskToolbar\Downloaded Program Files\ (AskBar) -> Deleted
   C:\Users\Rainer\AppData\Local\AskToolbar\Downloaded Program Files\AviraBrowserSecurity.dll (AskBar) -> Deleted
      Size . . . . . . . : 1.084.920 bytes
      Age  . . . . . . . : 102.8 days (2012-09-26 20:20:30)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : CAA5FF447D8D4CAC0718E1F8C36015D8B0515D78707CE23B3C74D275A8D61EAF
      Product  . . . . . : Avira Addon
      Publisher  . . . . : Ask.com
      Description  . . . : Avira Addon
      Version  . . . . . : 3.0.0.1000
      Copyright  . . . . : (c) APN LLC.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -7.0

   C:\Users\Rainer\AppData\Local\AskToolbar\Downloaded Program Files\avr-4.inf (AskBar) -> Deleted
   C:\Users\Rainer\AppData\LocalLow\AskToolbar\ (AskBar) -> Deleted
   C:\Users\Rainer\AppData\LocalLow\AskToolbar\almost.xml (AskBar) -> Deleted
   C:\Users\Rainer\AppData\LocalLow\AskToolbar\APNU\ (AskBar) -> Deleted
   C:\Users\Rainer\AppData\LocalLow\AskToolbar\APNU\config.xml (AskBar) -> Deleted
   C:\Users\Rainer\AppData\LocalLow\AskToolbar\avr-4.cab (AskBar) -> Deleted
   C:\Users\Rainer\AppData\LocalLow\AskToolbar\cache.dat (AskBar) -> Deleted
   C:\Users\Rainer\AppData\LocalLow\AskToolbar\osearch.xml (AskBar) -> Deleted
   C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ (AskBar) -> Deleted
   C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\1031.MST (AskBar) -> Deleted
   HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar) -> Deleted
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D4027C7F-154A-4066-A1AD-4243D8127440} (AskBar) -> Deleted
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ (AskBar) -> Deleted
   HKU\S-1-5-21-1761086220-915579873-3192690886-1002\Software\Ask.com\ (AskBar) -> Deleted
   HKU\S-1-5-21-1761086220-915579873-3192690886-1002\Software\AskToolbar\ (AskBar) -> Deleted
   HKU\S-1-5-21-1761086220-915579873-3192690886-1002\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar) -> Deleted
   HKU\S-1-5-21-1761086220-915579873-3192690886-1004\Software\AskToolbar\ (AskBar) -> Deleted

Cookies _____________________________________________________________________

   C:\Users\Rainer\AppData\Roaming\Microsoft\Windows\Cookies\88SDTSLV.txt
   C:\Users\Rainer\AppData\Roaming\Microsoft\Windows\Cookies\FAJWYG42.txt
   C:\Users\Rainer\AppData\Roaming\Microsoft\Windows\Cookies\L4PL9SW7.txt
   C:\Users\Rainer\AppData\Roaming\Microsoft\Windows\Cookies\QTKJ0TVS.txt

Code:

ATTFilter

 Malwarebytes Anti-Malware  (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.07.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Anna Lena :: RAINER-PC [limited]

Protection: Enabled

07.01.2013 18:11:35
mbam-log-2013-01-07 (18-11-35).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 311363
Time elapsed: 14 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ryder · 08.01.2013, 20:25

Okay, machen wir es uns einfach:

Ich werde dir bei deinem Problem helfen. Eine Bereinigung ist mitunter mit viel Arbeit für Dich (und mich) verbunden. Bevor es los geht, habe ich etwas Lesestoff für dich.

Bitte Lesen:
Regeln für die Bereinigung
Damit die Bereinigung funktioniert bitte ich dich, die folgenden Punkte aufmerksam zu lesen:

Bitte arbeite alle Schritte der Reihe nach ab. Gib mir bitte zu jedem Schritt Rückmeldung (Logfile oder Antwort) und zwar gesammelt, wenn du alles erledigt hast, in einer Antwort.
Nur Scanns durchführen zu denen Du aufgefordert wirst.
Bitte kein Crossposting (posten in mehreren Foren).
Installiere oder Deinstalliere während der Bereinigung keine Software, ausser Du wurdest dazu aufgefordert.
Lese Dir die Anleitung zuerst vollständig durch. Sollte etwas unklar sein, frage bevor Du beginnst.
Poste die Logfiles direkt in deinen Thread (möglichst in Code-Tags - #-Symbol im Editor anklicken). Nicht anhängen oder zippen, außer ich fordere Dich dazu auf, oder das Logfile wäre zu gross. Erschwert mir nämlich das Auswerten.
Mache deinen Namen nur dann unkenntlich, wenn es unbedingt sein muss.
Beim ersten Anzeichen illegal genutzer Software (Cracks, Patches und Co) wird der Support ohne Diskussion eingestellt.
Sollte ich nicht nach 3 Tagen geantwortet haben, dann (und nur dann) schicke mir bitte eine PM.
Ich werde dir ganz deutlich mitteilen, dass du "sauber" bist. Bis dahin arbeite bitte gut mit.
Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der schnellere und immer der sicherste Weg.

Gelesen und verstanden?

Scan mit Farbar's Recovery Scan Tool

Downloade dir bitte die passende Version des Tools und speichere diese auf einen USB Stick:
Farbar Recovery Scan Tool 32-Bit-Version
Farbar Recovery Scan Tool 64-Bit-Version

Schließe den USB Stick an das infizierte System an

Du musst das System nun in die System Reparatur Option booten.

Über den Boot Manager
Starte den Rechner neu auf.

Während dem Hochfahren drücke mehrmals die F8 Taste

Wähle nun Computer reparieren.

Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Mit Windows CD/DVD
Lege die Windows CD in dein Laufwerk.

Starte den Rechner neu auf und starte von der CD

Wähle die Spracheinstellungen und klicke "Weiter".

Klicke auf Computerreparaturoptionen !!

Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Wähle in den Reparaturoptionen Eingabeaufforderung
Gib nun bitte notepad ein und drücke Enter.

Im öffnenden Textdokument: Datei > Speichern unter... und wähle Computer
Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt.

Schließe Notepad wieder

Gib nun bitte folgenden Befehl ein.
e:\frst.exe bzw. e:\frst64.exe
Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks. Gegebenfalls anpassen.

Akzeptiere den Disclaimer mit Yes und klicke Scan

Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier.

Nanni-5 · 08.01.2013, 20:45

Hallo ryder,
Nach der F8 Taste und Computer reparieren kommt System Recovery Options ist das richtig?

ryder · 08.01.2013, 20:46

So stehts in der Anleitung

Nanni-5 · 08.01.2013, 21:03

Im notepad wird der USB nicht dargestellt.

ryder · 08.01.2013, 21:12

manchmal muss man ein wenig warten.

Alternativ kannst du auch ausprobieren ob du den richtigen Stick raten kannst - fang bei d: an und arbeite dich hoch.

Nanni-5 · 08.01.2013, 21:52

Hier der FRST.txt:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012 (ATTENTION: FRST version is 8 days old)
Ran by SYSTEM at 08-01-2013 21:45:47
Running from I:\
Windows 7 Home Premium  Service Pack 1 (X64) OS Language: English(US) 
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12673128 2011-08-16] (Realtek Semiconductor)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2011-04-14] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [107816 2010-08-03] (CyberLink)
HKLM-x32\...\Run: [Inno Tilt] "C:\Program Files (x86)\Mouse Driver\Tilt.exe" /hide [729088 2009-07-30] ()
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [x]
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [384800 2012-12-19] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start [1996200 2012-08-29] (LogMeIn Inc.)
HKLM-x32\...\Run: [emsisoft anti-malware] "c:\program files (x86)\emsisoft anti-malware\a2guard.exe" /d=60 [3364264 2012-10-17] (Emsisoft GmbH)
HKU\Anna Lena\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-29] (Google Inc.)
HKU\Default\...\RunOnce: [HKCU] C:\Windows\System32\oobe\info\HKCU.vbs [126 2009-11-12] ()
HKU\Default User\...\RunOnce: [HKCU] C:\Windows\System32\oobe\info\HKCU.vbs [126 2009-11-12] ()
HKU\Rainer\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-29] (Google Inc.)
HKU\Rainer\...\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent [x]
HKU\Rainer\...\Run: [svñhîst] %USERPROFILE%\6132281.exe [x]
HKU\UpdatusUser\...\RunOnce: [HKCU] C:\Windows\System32\oobe\info\HKCU.vbs [126 2009-11-12] ()
Startup: C:\Users\All Users\Start Menu\Programs\Startup\watchmi tray.lnk
ShortcutTarget: watchmi tray.lnk -> C:\Windows\Installer\{409DC300-28AF-468F-9624-1F3309701881}\SHCT_TRAY_PROGRAMG_A10D8603999C4E9488776EF2533C58C9.exe (Acresso Software Inc.)

==================== Services (Whitelisted) ===================

2 a2AntiMalware; "C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe" [3084688 2012-12-12] (Emsisoft GmbH)
2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [85280 2012-12-19] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [109344 2012-12-19] (Avira Operations GmbH & Co. KG)
2 AntiVirWebService; "C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE" [565024 2012-12-19] (Avira Operations GmbH & Co. KG)
2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [108904 2013-01-07] (SurfRight B.V.)
2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 watchmi; "C:\Program Files (x86)\watchmi\TvdService.exe" [70144 2011-10-07] ()

==================== Drivers (Whitelisted) =====================

3 a2acc; \??\C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [66320 2012-04-30] (Emsisoft GmbH)
1 A2DDA; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [23208 2011-05-19] (Emsi Software GmbH)
1 a2injectiondriver; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [44688 2012-04-30] (Emsisoft GmbH)
1 a2util; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [14720 2010-05-04] (Emsi Software GmbH)
2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [314016 2012-12-02] ()
2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [99912 2012-12-19] (Avira Operations GmbH & Co. KG)
1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [129216 2012-12-19] (Avira Operations GmbH & Co. KG)
1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27800 2012-09-23] (Avira Operations GmbH & Co. KG)
2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [43680 2012-12-02] ()
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-08 08:59 - 2013-01-08 08:59 - 00001095 ____A C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2013-01-08 08:58 - 2013-01-08 12:24 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2013-01-08 08:58 - 2013-01-08 12:23 - 00000000 ____D C:\Users\Rainer\Documents\Anti-Malware
2013-01-07 11:30 - 2013-01-07 11:30 - 00000119 ____A C:\Users\Anna Lena\AppData\Roaming\mbam.context.scan
2013-01-07 10:10 - 2013-01-08 12:17 - 00000672 ____A C:\Windows\setupact.log
2013-01-07 10:10 - 2013-01-07 10:10 - 00000000 ____A C:\Windows\setuperr.log
2013-01-07 09:59 - 2013-01-07 10:00 - 00000826 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-01-07 09:59 - 2013-01-07 10:00 - 00000000 ____D C:\Program Files\CCleaner
2013-01-07 08:26 - 2013-01-07 08:26 - 00000000 ____D C:\Users\Anna Lena\AppData\Roaming\Malwarebytes
2013-01-07 08:05 - 2013-01-07 08:05 - 00001113 ____A C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-01-07 08:05 - 2013-01-07 08:05 - 00000000 ____D C:\Users\Rainer\AppData\Roaming\Malwarebytes
2013-01-07 08:05 - 2013-01-07 08:05 - 00000000 ____D C:\Users\All Users\Malwarebytes
2013-01-07 08:05 - 2013-01-07 08:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-07 08:05 - 2012-12-14 07:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-01-07 05:51 - 2013-01-07 05:51 - 00027468 ____A C:\Windows\System32\.crusader
2013-01-07 05:47 - 2013-01-07 09:29 - 00000000 ____D C:\Program Files\HitmanPro
2013-01-07 05:47 - 2013-01-07 05:47 - 00001909 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-01-07 05:43 - 2013-01-07 08:27 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-07 01:03 - 2013-01-07 01:03 - 00033280 __RSH (Softspecialists) C:\Users\Rainer\6132281.exe
2012-12-23 02:15 - 2012-12-23 02:16 - 00000000 ____D C:\Users\Anna Lena\Documents\Weihnachten
2012-12-20 11:40 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-20 11:40 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-20 11:40 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-20 11:40 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-17 08:05 - 2012-12-17 08:05 - 00003956 ____A C:\Users\Rainer\Downloads\Ihre_Gmail-Adresse,_omegakramps@gmail.com,_wurde_erstellt..txt
2012-12-14 15:01 - 2012-11-13 23:06 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-14 15:01 - 2012-11-13 22:32 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-14 15:01 - 2012-11-13 22:11 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-14 15:01 - 2012-11-13 22:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-14 15:01 - 2012-11-13 22:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-14 15:01 - 2012-11-13 22:02 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-14 15:01 - 2012-11-13 22:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-14 15:01 - 2012-11-13 21:59 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-14 15:01 - 2012-11-13 21:58 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-14 15:01 - 2012-11-13 21:57 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-14 15:01 - 2012-11-13 21:57 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-14 15:01 - 2012-11-13 21:55 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-14 15:01 - 2012-11-13 21:55 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-14 15:01 - 2012-11-13 21:53 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-14 15:01 - 2012-11-13 21:52 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-14 15:01 - 2012-11-13 21:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-14 15:01 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-12-14 15:01 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-12-14 15:01 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-12-14 15:01 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-12-14 15:01 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-12-14 15:01 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-12-14 15:01 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-12-14 15:01 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-12-14 15:01 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-12-14 15:01 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-12-14 15:01 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-12-14 15:01 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-12-14 15:01 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-12-14 15:01 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-12-14 15:01 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-12-14 15:01 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-12-14 11:34 - 2012-11-21 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-14 11:34 - 2012-11-08 21:45 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-12-14 11:34 - 2012-11-08 20:42 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2012-12-14 11:34 - 2012-11-01 21:59 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-14 11:34 - 2012-11-01 21:11 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2012-12-14 11:34 - 2012-10-04 09:46 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-12-14 11:34 - 2012-10-04 09:46 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-12-14 11:34 - 2012-10-04 09:46 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-12-14 11:34 - 2012-10-04 09:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-12-14 11:34 - 2012-10-04 09:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-12-14 11:34 - 2012-10-04 09:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-14 11:34 - 2012-10-04 09:41 - 00424960 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 09:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:47 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-12-14 11:34 - 2012-10-04 08:47 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-12-14 11:34 - 2012-10-04 08:47 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 08:40 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 07:21 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-12-14 11:34 - 2012-10-04 06:46 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-12-14 11:34 - 2012-10-04 06:46 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-12-14 11:34 - 2012-10-04 06:46 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-12-14 11:34 - 2012-10-04 06:46 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-12-14 11:34 - 2012-10-04 06:41 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 06:41 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 06:41 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-12-14 11:34 - 2012-10-04 06:41 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll


==================== One Month Modified Files and Folders =======

2013-01-08 12:24 - 2013-01-08 08:58 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2013-01-08 12:24 - 2012-09-29 07:17 - 01099282 ____A C:\Windows\WindowsUpdate.log
2013-01-08 12:24 - 2009-07-13 20:45 - 00017152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-08 12:24 - 2009-07-13 20:45 - 00017152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-08 12:23 - 2013-01-08 08:58 - 00000000 ____D C:\Users\Rainer\Documents\Anti-Malware
2013-01-08 12:21 - 2011-05-16 06:04 - 00654006 ____A C:\Windows\System32\perfh007.dat
2013-01-08 12:21 - 2011-05-16 06:04 - 00129878 ____A C:\Windows\System32\perfc007.dat
2013-01-08 12:21 - 2009-07-13 21:13 - 01498506 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-08 12:17 - 2013-01-07 10:10 - 00000672 ____A C:\Windows\setupact.log
2013-01-08 12:17 - 2012-10-30 11:57 - 00000000 ____D C:\Users\Rainer\AppData\Local\LogMeIn Hamachi
2013-01-08 12:17 - 2012-09-29 07:21 - 00000000 ____D C:\users\Rainer
2013-01-08 12:17 - 2012-09-29 07:18 - 00001106 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-08 12:17 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-08 11:37 - 2012-09-29 07:18 - 00001110 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-08 10:42 - 2012-11-02 01:56 - 00000000 ____D C:\Users\Anna Lena\AppData\Local\LogMeIn Hamachi
2013-01-08 09:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-01-08 08:59 - 2013-01-08 08:59 - 00001095 ____A C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2013-01-07 11:30 - 2013-01-07 11:30 - 00000119 ____A C:\Users\Anna Lena\AppData\Roaming\mbam.context.scan
2013-01-07 10:44 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-01-07 10:10 - 2013-01-07 10:10 - 00000000 ____A C:\Windows\setuperr.log
2013-01-07 10:02 - 2011-07-18 12:54 - 00000000 ____D C:\Windows\Panther
2013-01-07 10:00 - 2013-01-07 09:59 - 00000826 ____A C:\Users\Public\Desktop\CCleaner.lnk
2013-01-07 10:00 - 2013-01-07 09:59 - 00000000 ____D C:\Program Files\CCleaner
2013-01-07 09:29 - 2013-01-07 05:47 - 00000000 ____D C:\Program Files\HitmanPro
2013-01-07 08:27 - 2013-01-07 05:43 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-07 08:26 - 2013-01-07 08:26 - 00000000 ____D C:\Users\Anna Lena\AppData\Roaming\Malwarebytes
2013-01-07 08:05 - 2013-01-07 08:05 - 00001113 ____A C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-01-07 08:05 - 2013-01-07 08:05 - 00000000 ____D C:\Users\Rainer\AppData\Roaming\Malwarebytes
2013-01-07 08:05 - 2013-01-07 08:05 - 00000000 ____D C:\Users\All Users\Malwarebytes
2013-01-07 08:05 - 2013-01-07 08:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-07 05:51 - 2013-01-07 05:51 - 00027468 ____A C:\Windows\System32\.crusader
2013-01-07 05:47 - 2013-01-07 05:47 - 00001909 ____A C:\Users\Public\Desktop\HitmanPro.lnk
2013-01-07 01:03 - 2013-01-07 01:03 - 00033280 __RSH (Softspecialists) C:\Users\Rainer\6132281.exe
2012-12-23 02:16 - 2012-12-23 02:15 - 00000000 ____D C:\Users\Anna Lena\Documents\Weihnachten
2012-12-23 01:41 - 2009-07-13 21:08 - 00032612 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-12-21 01:27 - 2009-07-13 20:45 - 00362960 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-20 10:22 - 2012-09-30 07:43 - 00000000 ____D C:\Users\Rainer\Documents\Anke
2012-12-20 10:14 - 2012-09-30 07:39 - 00000000 ____D C:\Users\Rainer\Documents\Rainer
2012-12-19 07:49 - 2012-09-30 01:19 - 00129216 ____A (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2012-12-19 07:49 - 2012-09-30 01:19 - 00099912 ____A (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
2012-12-17 08:05 - 2012-12-17 08:05 - 00003956 ____A C:\Users\Rainer\Downloads\Ihre_Gmail-Adresse,_omegakramps@gmail.com,_wurde_erstellt..txt
2012-12-16 09:11 - 2012-12-20 11:40 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-16 06:45 - 2012-12-20 11:40 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-16 06:13 - 2012-12-20 11:40 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-16 06:13 - 2012-12-20 11:40 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2012-12-14 15:02 - 2011-07-18 12:31 - 67413224 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-12-14 11:37 - 2012-09-29 07:18 - 00002712 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-12-14 07:49 - 2013-01-07 08:05 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-08 11:31:22

==================== Memory info =========================== 

Percentage of memory in use: 8%
Total physical RAM: 12264.17 MB
Available physical RAM: 11253.51 MB
Total Pagefile: 12262.37 MB
Available Pagefile: 11283.9 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (Boot) (Fixed) (Total:58.53 GB) (Free:1 GB) NTFS
2 Drive d: (Data) (Fixed) (Total:1813.01 GB) (Free:1784.09 GB) NTFS
3 Drive f: (Recover) (Fixed) (Total:50 GB) (Free:30.69 GB) NTFS
6 Drive i: () (Removable) (Total:7.47 GB) (Free:6.5 GB) FAT32
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online           59 GB      0 B         
  Disk 1    Online         1863 GB      0 B         
  Disk 2    No Media           0 B      0 B         
  Disk 3    Online         7711 MB      0 B         

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary             58 GB   101 MB
  Partition 3    OEM               1024 MB    58 GB

==================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y                NTFS   Partition    100 MB  Healthy            

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   Boot         NTFS   Partition     58 GB  Healthy            

=========================================================

Disk: 0
Partition 3
Type  : 12
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 7                      NTFS   Partition   1024 MB  Healthy    Hidden  

=========================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1813 GB  1024 KB
  Partition 2    Primary             50 GB  1813 GB

==================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   Data         NTFS   Partition   1813 GB  Healthy            

=========================================================

Disk: 1
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     F   Recover      NTFS   Partition     50 GB  Healthy            

=========================================================

Partitions of Disk 3:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7655 MB    22 KB

==================================================================================

Disk: 3
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 6     I                FAT32  Removable   7655 MB  Healthy            

=========================================================

Last Boot: 2013-01-08 11:24

==================== End Of Log =============================

ryder · 09.01.2013, 14:20

Dann entsperren wir mal:

Fix mit FRST

Drücke bitte die + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument
Code:
ATTFilter
HKU\Rainer\...\Run: [svñhîst] %USERPROFILE%\6132281.exe [x]
%USERPROFILE%\6132281.exe
HKU\UpdatusUser\...\RunOnce: [HKCU] C:\Windows\System32\oobe\info\HKCU.vbs [126 2009-11-12] ()
         
Speichere diese bitte als Fixlist.txt auf deinem USB Stick.
Starte deinen Rechner erneut in die Reparaturoptionen

Starte nun die FRST.exe erneut und klicke den Fix Button.

Das Tool erstellt eine Fixlog.txt auf deinem USB Stick. Poste den Inhalt bitte hier.

Berichte ob du normal booten kannst.

Nanni-5 · 09.01.2013, 17:16

Nach drücken der Tasten erscheint:
"Rnotepad is not recognized as an........."

Drücke ich die falsche Tastenreihenfolge

ryder · 09.01.2013, 17:18

Rnotepad sollst du ja auch nicht schreiben.

Nanni-5 · 09.01.2013, 17:55

Hier der FixLog:

Code:

ATTFilter

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-12-2012
Ran by SYSTEM at 2013-01-09 17:49:55 Run:1
Running from I:\

==============================================

HKEY_USERS\Rainer\Software\Microsoft\Windows\CurrentVersion\Run\\svñhîst Value deleted successfully.
HKEY_USERS\UpdatusUser\Software\Microsoft\Windows\CurrentVersion\RunOnce\\HKCU Value deleted successfully.

==== End of Fixlog ====

Der Rechner ist normal hochgefahren.

ryder · 09.01.2013, 18:18

Sehr gut, dann müssen wir mal weiter machen:

Schritt 1:
Deinstallation von Programmen

Windows XP: Start > Systemsteuerung > Software > [Programmname] > Deinstallieren

Windows Vista / 7: Start > Systemsteuerung > Programme und Funktionen > [Programmname] > Deinstallieren

ggf. Neustart zulassen

Deinstalliere - falls du es nicht absichtlich installiert hast - alles was den Zusatz "Toolbar" enthält.

Gehe bitte die folgende Liste durch und deinstalliere die genannten Programme, falls vorhanden:
CCleaner oder andere Registry-Cleaner, TuneUp Utilities (inkl. Language Pack), Glary Utilities, Spybot S & D (inklusive Teatimer), Zonealarm Firewall, McAfee Security Scan, Spyware Hunter, Spyware Terminator, Java 6 (alle), Pokersoftware, xp-Antispy

Schritt 2:
AdwCleaner: Werbeprogramme suchen und löschen

Downloade Dir bitte AdwCleaner auf deinen Desktop.
Starte die adwcleaner.exe mit einem Doppelklick.

Klicke auf Löschen.

Bestätige jeweils mit Ok.

Dein Rechner wird neu gestartet, je nach Schwere der Infektion auch mehrmals - das ist normal. Nach dem Neustart öffnet sich eine Textdatei.

Poste mir den Inhalt mit deiner nächsten Antwort.

Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.

Schritt 3:
Temporäre Dateien löschen mit TFC

Bitte lade dir TFC auf deinen Desktop und starte es. Es wird automatisch alle temporären Dateien entfernen.

Schritt 4:
Scan mit Combofix

WARNUNG an die MITLESER:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link
WICHTIG: Speichere Combofix auf deinem Desktop.

Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören. Combofix meckert auch manchmal trotzdem noch, das kannst du dann ignorieren, mir aber bitte mitteilen.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!

Wenn Combofix fertig ist, wird es ein Logfile erstellen.

Bitte poste die C:\Combofix.txt in deiner nächsten Antwort (möglichst in CODE-Tags).

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

Nanni-5 · 09.01.2013, 19:01

Habe Schritt 1 - 4 durchgeführt.
Hier die Logdatei von AdwCleaner:

Code:

ATTFilter

# AdwCleaner v2.105 - Datei am 09/01/2013 um 18:31:03 erstellt
# Aktualisiert am 08/01/2013 von Xplode
# Betriebssystem : Windows 7 Home Premium Service Pack 1 (64 bits)
# Benutzer : Rainer - RAINER-PC
# Bootmodus : Normal
# Ausgeführt unter : G:\adwcleaner-1.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Ordner Gelöscht : C:\ProgramData\Partner
Ordner Gelöscht : C:\Users\Rainer\AppData\Local\APN

***** [Registrierungsdatenbank] *****

und die Combofix.txt:

Code:

ATTFilter

Combofix Logfile:

	Code: 

 ATTFilter

  
	ComboFix 13-01-08.01 - Rainer 09.01.2013  18:47:21.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.12264.9725 [GMT 1:00]
ausgeführt von:: c:\users\Rainer\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: Emsisoft Anti-Malware *Disabled/Outdated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Emsisoft Anti-Malware *Disabled/Outdated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Origin
c:\programdata\Origin\local.xml
c:\programdata\Origin\Origin_App.ini
c:\users\Rainer\6132281.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-12-09 bis 2013-01-09  ))))))))))))))))))))))))))))))
.
.
2013-01-09 17:50 . 2013-01-09 17:50	--------	d-----w-	c:\users\UpdatusUser\AppData\Local\temp
2013-01-09 17:50 . 2013-01-09 17:50	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-01-09 17:50 . 2013-01-09 17:50	--------	d-----w-	c:\users\Anna Lena\AppData\Local\temp
2013-01-09 17:37 . 2013-01-09 17:34	448512	----a-w-	c:\program files\TFC.exe
2013-01-09 05:45 . 2013-01-09 05:45	--------	d-----w-	C:\FRST
2013-01-08 16:58 . 2013-01-09 17:40	--------	d-----w-	c:\program files (x86)\Emsisoft Anti-Malware
2013-01-07 16:26 . 2013-01-07 16:26	--------	d-----w-	c:\users\Anna Lena\AppData\Roaming\Malwarebytes
2013-01-07 16:05 . 2013-01-07 16:05	--------	d-----w-	c:\users\Rainer\AppData\Roaming\Malwarebytes
2013-01-07 16:05 . 2013-01-07 16:05	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2013-01-07 16:05 . 2013-01-07 16:05	--------	d-----w-	c:\programdata\Malwarebytes
2013-01-07 16:05 . 2012-12-14 15:49	24176	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-01-07 16:04 . 2013-01-07 16:04	--------	d-----w-	c:\users\Rainer\AppData\Local\Programs
2013-01-07 15:33 . 2013-01-08 17:04	--------	d-----w-	c:\users\Anna Lena\AppData\Local\Diagnostics
2013-01-07 13:47 . 2013-01-07 17:29	--------	d-----w-	c:\program files\HitmanPro
2013-01-07 13:43 . 2013-01-07 16:27	--------	d-----w-	c:\programdata\HitmanPro
2013-01-04 19:05 . 2013-01-04 19:05	--------	d-----w-	c:\users\Rainer\AppData\Local\Diagnostics
2012-12-20 19:40 . 2012-12-16 17:11	46080	----a-w-	c:\windows\system32\atmlib.dll
2012-12-20 19:40 . 2012-12-16 14:45	367616	----a-w-	c:\windows\system32\atmfd.dll
2012-12-20 19:40 . 2012-12-16 14:13	295424	----a-w-	c:\windows\SysWow64\atmfd.dll
2012-12-20 19:40 . 2012-12-16 14:13	34304	----a-w-	c:\windows\SysWow64\atmlib.dll
2012-12-14 19:34 . 2012-11-09 05:45	2048	----a-w-	c:\windows\system32\tzres.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-19 15:49 . 2012-09-30 09:19	99912	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2012-12-19 15:49 . 2012-09-30 09:19	129216	----a-w-	c:\windows\system32\drivers\avipbb.sys
2012-12-14 23:02 . 2011-07-18 20:31	67413224	----a-w-	c:\windows\system32\MRT.exe
2012-12-02 15:25 . 2012-12-02 15:25	43680	----a-w-	c:\windows\system32\drivers\lirsgt.sys
2012-12-02 15:25 . 2012-12-02 15:25	314016	----a-w-	c:\windows\system32\drivers\atksgt.sys
2012-11-04 11:30 . 2012-11-04 11:30	696760	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2012-11-04 11:30 . 2011-10-14 12:15	73656	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-16 08:38 . 2012-11-28 09:35	135168	----a-w-	c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-11-28 09:35	350208	----a-w-	c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-11-28 09:35	561664	----a-w-	c:\windows\apppatch\AcLayers.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2010-08-03 107816]
"Inno Tilt"="c:\program files (x86)\Mouse Driver\Tilt.exe" [2009-07-30 729088]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-12-19 384800]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-08-29 1996200]
"emsisoft anti-malware"="c:\program files (x86)\emsisoft anti-malware\a2guard.exe" [2012-10-17 3364264]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
watchmi tray.lnk - c:\windows\Installer\{409DC300-28AF-468F-9624-1F3309701881}\SHCT_TRAY_PROGRAMG_A10D8603999C4E9488776EF2533C58C9.exe [2012-9-29 300928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [2010-07-01 293416]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-11-25 694888]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-23 1255736]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2010-09-23 129008]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2011-05-19 23208]
S1 a2injectiondriver;a2injectiondriver;c:\program files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2012-04-30 44688]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files (x86)\Emsisoft Anti-Malware\a2util64.sys [2010-05-05 14720]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-09-24 27800]
S2 a2AntiMalware;Emsisoft Anti-Malware 7.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [2012-12-12 3084688]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-12-19 85280]
S2 AntiVirWebService;Avira Browser-Schutz;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [2012-12-19 565024]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-08-29 2369960]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-01-07 108904]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-09-28 25824]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-03-11 2656280]
S2 watchmi;watchmi service;c:\program files (x86)\watchmi\TvdService.exe [2011-10-07 70144]
S3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [2012-04-30 66320]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-07-28 92672]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-07-28 209408]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-29 15:18]
.
2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-29 15:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-16 12673128]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.de/webhp?sourceid=navclient&hl=de&ie=UTF-8
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4
LSP: c:\program files (x86)\Avira\AntiVir Desktop\avsda.dll
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-ApnUpdater - c:\program files (x86)\Ask.com\Updater\Updater.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-01-09  18:51:31
ComboFix-quarantined-files.txt  2013-01-09 17:51
.
Vor Suchlauf: 772.653.056 Bytes frei
Nach Suchlauf: 611.241.984 Bytes frei
.
- - End Of File - - 06869A35A25525FA94861D00059C89C1
         
 --- --- ---

Der Rechner ist anschließend ohne Probleme hochgefahren!

08.01.2013, 20:46	#6
ryder /// TB-Ausbilder	GVU Trojaner So stehts in der Anleitung __________________ --> GVU Trojaner

08.01.2013, 21:12	#8
ryder /// TB-Ausbilder	GVU Trojaner manchmal muss man ein wenig warten. Alternativ kannst du auch ausprobieren ob du den richtigen Stick raten kannst - fang bei d: an und arbeite dich hoch. __________________ Digitale Freibeuter gegen Malware! Keine Hilfe per PM!

09.01.2013, 17:18	#12
ryder /// TB-Ausbilder	GVU Trojaner Rnotepad sollst du ja auch nicht schreiben. __________________ Digitale Freibeuter gegen Malware! Keine Hilfe per PM!

08.01.2013, 20:45	#5
Nanni-5	GVU Trojaner Hallo ryder, Nach der F8 Taste und Computer reparieren kommt System Recovery Options ist das richtig?

08.01.2013, 21:03	#7
Nanni-5	GVU Trojaner Im notepad wird der USB nicht dargestellt.

09.01.2013, 17:16	#11
Nanni-5	GVU Trojaner Nach drücken der Tasten erscheint: "Rnotepad is not recognized as an........." Drücke ich die falsche Tastenreihenfolge

GVU Trojaner

Plagegeister aller Art und deren Bekämpfung: GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner

GVU Trojaner