Mehrfacher Virenbefall mit z.B. BDS/Cycbot.B.1860

Jonestown · 02.04.2011, 15:29

Hallo gemeinsam,

habe seit einigen Tagen auf meinem Computer mehrfach über Antivir die Meldung erhalten, dass sich einige Schädlinge auf meinem Rechner befinden.
Da dieser Rechner verschiedene Benutzer führt, stellen sich die Probleme allerdings nur bei meiner Benutzerkennung dar. Alle anderen Benutzer haben bislang keine offensichtlichen Probleme.

Internet-Browser, ob Firefox oder IE8, keiner funkioniert mehr. Erst hatte sich der Befall durch eine eingeschränkte Google Suche und der damit verbundenen Fehlleitung auf andere Seiten geäußert. Nun funktionieren beide Browser nicht mehr.

Habe Larusso`s Anleitung nach bestem Wissen durchgeführt, obgleich ich feststellen musste, dass der Neustart nach TFC nötig war. Alle anderen Programme habe ich also ohne vorherigen Neustart laufen lassen.

1) Mein persönlicher Antivir Auszug:

Code:

ATTFilter

In der Datei 'C:\Users\Cee\AppData\Roaming\dwm.exe'
wurde ein Virus oder unerwünschtes Programm 'BDS/Cycbot.B.1860' [backdoor] gefunden.
Ausgeführte Aktion: Datei in Quarantäne verschieben

In der Datei 'C:\Users\Cee\AppData\Local\Temp\csrss.exe'
wurde ein Virus oder unerwünschtes Programm 'BDS/Agent.18022457' [backdoor] gefunden.
Ausgeführte Aktion: Datei in Quarantäne verschieben

Die Datei 'C:\Users\Cee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\1ff56765-5b9542e3'
enthielt einen Virus oder unerwünschtes Programm 'JAVA/Exdoer.Y' [virus].
Durchgeführte Aktion(en):
Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '4df57934.qua' verschoben!

In der Datei 'C:\Users\Cee\AppData\Roaming\dwm.exe'
wurde ein Virus oder unerwünschtes Programm 'TR/Dldr.Kazy.BV' [trojan] gefunden.
Ausgeführte Aktion: Zugriff verweigern

In der Datei 'C:\Users\Cee\AppData\Local\Temp\1689.exe'
wurde ein Virus oder unerwünschtes Programm 'BDS/Cycbot.B.1491' [backdoor] gefunden.
Ausgeführte Aktion: Zugriff verweigern

In der Datei 'C:\Users\Cee\AppData\Local\Temp\1689.exe'
wurde ein Virus oder unerwünschtes Programm 'BDS/Cycbot.B.1491' [backdoor] gefunden.
Ausgeführte Aktion: Zugriff verweigern

2) Highjack This:

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:10:58, on 02.04.2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Cee\Desktop\meine soich.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ts.fujitsu.com/index2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ts.fujitsu.com/index2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:53050
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F3 - REG:win.ini: load=C:\Users\Cee\AppData\Local\Temp\csrss.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DeskViewBasic] %ProgramFiles%\Fujitsu\DeskViewBasic\DeskViewBasic.exe
O4 - HKLM\..\Run: [Wireless_Selector] C:\Program Files\Fujitsu\Wireless_Utility\Wireless Selector.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DeskViewBasicService - Fujitsu Technology Solutions - C:\Program Files\Fujitsu\DeskViewBasic\DeskViewBasicService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Fujitsu Diagnostic Testhandler (TestHandler) - Fujitsu Technology Solutions - C:\Program Files\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 5079 bytes

3) OTL Scan

Code:

ATTFilter

OTL logfile created on: 4/2/2011 3:33:07 PM - Run 1
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Users\Claire\Desktop
 An unknown product  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.04 Gb Total Space | 115.20 Gb Free Space | 78.35% Space Free | Partition Type: NTFS
 
Computer Name: CLAIRE-PC | User Name: Claire | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2011/04/02 15:27:41 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Claire\Desktop\OTL.exe
PRC - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/19 14:34:04 | 000,034,816 | ---- | M] (Fujitsu Technology Solutions) -- C:\Program Files\Fujitsu\DeskViewBasic\DeskViewBasicService.exe
PRC - [2009/07/21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/14 03:26:21 | 000,101,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\consent.exe
PRC - [2009/05/13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/02/19 15:46:26 | 000,341,264 | ---- | M] (Fujitsu Technology Solutions) -- C:\Program Files\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2011/04/02 15:27:41 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Claire\Desktop\OTL.exe
MOD - [2009/07/14 03:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2009/08/19 14:34:04 | 000,034,816 | ---- | M] (Fujitsu Technology Solutions) [Auto | Running] -- C:\Program Files\Fujitsu\DeskViewBasic\DeskViewBasicService.exe -- (DeskViewBasicService)
SRV - [2009/07/21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/07/14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV - [2009/05/13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/02/19 15:46:26 | 000,341,264 | ---- | M] (Fujitsu Technology Solutions) [Auto | Running] -- C:\Program Files\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe -- (TestHandler)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2009/11/25 12:19:02 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/07/29 20:39:00 | 009,820,256 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/07/14 03:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 03:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 01:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 01:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 01:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 01:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2009/07/14 00:02:46 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/07/01 12:20:54 | 000,287,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmf6232.sys -- (NVNET)
DRV - [2009/06/30 17:33:08 | 000,139,296 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvrd32.sys -- (nvrd32)
DRV - [2009/06/30 17:32:54 | 000,212,000 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2009/06/29 00:36:36 | 000,017,920 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2009/05/18 16:49:42 | 000,016,384 | ---- | M] (Fujitsu) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FSCSLII.sys -- (FSCSLII)
DRV - [2009/05/11 10:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ts.fujitsu.com/index2
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.ts.fujitsu.com/index2
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/23 21:41:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/23 21:41:37 | 000,000,000 | ---D | M]
 
[2010/06/18 18:46:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Claire\AppData\Roaming\mozilla\Extensions
[2010/06/18 18:46:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Claire\AppData\Roaming\mozilla\Firefox\Profiles\dlo60cl1.default\extensions
[2010/06/18 17:17:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions
[2010/06/18 17:17:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/18 17:17:12 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/11/06 15:07:41 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010/11/06 15:07:41 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2010/11/06 15:07:41 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010/11/06 15:07:41 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2010/11/06 15:07:41 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009/06/10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DeskViewBasic] C:\Program Files\Fujitsu\DeskViewBasic\DeskViewBasic.exe (Fujitsu Technology Solutions)
O4 - HKLM..\Run: [Wireless_Selector]  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - c:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Camera Hotkey - hkey= - key= - C:\Program Files\Fujitsu\Wireless_Utility\Camera Hotkey.exe (Inventec Corp.)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: RtHDVCpl - hkey= - key= - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/04/02 15:31:07 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/04/02 15:30:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/04/02 15:30:15 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/02 15:27:34 | 000,791,393 | ---- | C] (Lars Hederer                                                ) -- C:\Users\Claire\Desktop\Erunt-setup.exe
[2011/04/02 15:27:34 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Claire\Desktop\OTL.exe
[2011/04/02 15:27:34 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Claire\Desktop\TFC.exe
[2011/03/28 10:00:29 | 000,000,000 | ---D | C] -- C:\Users\Claire\AppData\Roaming\dvdcss
 
========== Files - Modified Within 30 Days ==========
 
[2011/04/02 15:28:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/02 15:27:47 | 000,301,568 | ---- | M] () -- C:\Users\Claire\Desktop\g2m3e4r.exe
[2011/04/02 15:27:45 | 000,791,393 | ---- | M] (Lars Hederer                                                ) -- C:\Users\Claire\Desktop\Erunt-setup.exe
[2011/04/02 15:27:41 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Claire\Desktop\OTL.exe
[2011/04/02 15:27:41 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Claire\Desktop\TFC.exe
[2011/04/02 14:20:14 | 000,643,866 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011/04/02 14:20:14 | 000,607,190 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/02 14:20:14 | 000,126,394 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011/04/02 14:20:14 | 000,103,568 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/02 14:12:06 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/01 07:09:08 | 000,009,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/01 07:09:08 | 000,009,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/01 07:01:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/01 07:01:42 | 1206,718,464 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/13 13:36:01 | 000,009,241 | ---- | M] () -- C:\Users\Claire\Desktop\Anleitung.html
 
========== Files Created - No Company Name ==========
 
[2011/04/02 15:27:34 | 000,301,568 | ---- | C] () -- C:\Users\Claire\Desktop\g2m3e4r.exe
[2011/03/13 13:41:20 | 000,009,241 | ---- | C] () -- C:\Users\Claire\Desktop\Anleitung.html
[2010/07/13 22:18:09 | 000,010,752 | ---- | C] () -- C:\Users\Claire\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/17 20:30:56 | 000,007,168 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2009/08/07 15:54:23 | 000,643,866 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2009/08/07 15:54:23 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2009/08/07 15:54:23 | 000,126,394 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2009/08/07 15:54:23 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2009/07/30 13:49:22 | 000,040,448 | ---- | C] () -- C:\Windows\REGOBJ.DLL
[2009/07/14 06:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 06:33:53 | 000,409,384 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 04:05:48 | 000,607,190 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 04:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 04:05:48 | 000,103,568 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 04:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 04:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 04:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/14 02:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/07/14 01:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
 
========== LOP Check ==========
 
[2010/03/17 20:31:23 | 000,000,000 | ---D | M] -- C:\Users\Claire\AppData\Roaming\Canneverbe Limited
[2010/02/05 23:09:26 | 000,000,000 | ---D | M] -- C:\Users\Claire\AppData\Roaming\IrfanView
[2011/03/09 08:04:20 | 000,032,640 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*. >
[2010/03/06 19:02:10 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin
[2009/08/07 15:42:54 | 000,000,000 | -HSD | M] -- C:\Boot
[2009/07/14 06:53:55 | 000,000,000 | -HSD | M] -- C:\Documents and Settings
[2010/01/15 22:04:30 | 000,000,000 | ---D | M] -- C:\Drivers
[2010/02/05 18:27:38 | 000,000,000 | ---D | M] -- C:\Fujitsu
[2009/08/21 08:31:07 | 000,000,000 | RH-D | M] -- C:\MSOCache
[2011/04/02 15:30:15 | 000,000,000 | R--D | M] -- C:\Program Files
[2010/12/01 08:06:50 | 000,000,000 | -H-D | M] -- C:\ProgramData
[2009/08/07 23:49:48 | 000,000,000 | -HSD | M] -- C:\Recovery
[2011/03/26 11:10:00 | 000,000,000 | ---D | M] -- C:\System Volume Information
[2010/02/06 00:26:54 | 000,000,000 | R--D | M] -- C:\Users
[2011/04/02 15:31:07 | 000,000,000 | ---D | M] -- C:\Windows
 
< %PROGRAMFILES%\*.exe >
 
< %LOCALAPPDATA%\*.exe >
 
< %systemroot%\*. /mp /s >
 
 
< MD5 for: EXPLORER.EXE  >
[2009/07/14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\explorer.exe
[2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009/08/03 07:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009/08/03 07:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/31 08:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
 
< MD5 for: USERINIT.EXE  >
[2009/07/14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
[2009/07/14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
 
< MD5 for: WININIT.EXE  >
[2009/07/14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009/07/14 03:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
 
< MD5 for: WINLOGON.EXE  >
[2009/10/28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009/10/28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009/07/14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-02-05 21:46:14

< End of report >

4) OTL Extras

Code:

ATTFilter

OTL Extras logfile created on: 4/2/2011 3:33:07 PM - Run 1
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Users\Claire\Desktop
 An unknown product  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.04 Gb Total Space | 115.20 Gb Free Space | 78.35% Space Free | Partition Type: NTFS
 
Computer Name: CLAIRE-PC | User Name: Claire | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [dm Fotowelt] -- "C:\Program Files\dm\dm Fotowelt\dm Fotowelt.exe" "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D80B6D8-C7FC-C635-B3D2-1DFE9BEE890D}" = TiltShiftGenerator: artandmobile.com
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
"{90120000-0015-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
"{90120000-0019-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
"{90120000-001A-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_PROHYBRIDR_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_PROHYBRIDR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_PROHYBRIDR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_PROHYBRIDR_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AC76BA86-7AD7-1031-7B44-A91000000001}" = Adobe Reader 9.1.3 - Deutsch
"{BD5E96FA-73D8-467F-995F-1CD1924A9A65}" = Wireless_Utility
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EF59DB7F-7426-426E-B862-7031F83ED304}" = SystemDiagnostics
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"7-Zip" = 7-Zip 4.65
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audiograbber" = Audiograbber 1.83 SE 
"Audiograbber-Lame" = Audiograbber Lame-MP3-Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"dm Fotowelt" = dm Fotowelt
"ERUNT_is1" = ERUNT 1.1j
"InstallShield_{BD5E96FA-73D8-467F-995F-1CD1924A9A65}" = Wireless_Utility
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PROHYBRIDR" = 2007 Microsoft Office system
"RealPlayer 12.0" = RealPlayer
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TiltShift.E66C440A17F1D70FFD66FDB4568328647297CFDC.1" = TiltShiftGenerator: artandmobile.com
"VLC media player" = VLC media player 1.0.5
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 3/17/2011 4:02:22 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5179
 
Error - 3/17/2011 4:02:23 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 3/17/2011 4:02:23 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6209
 
Error - 3/17/2011 4:02:23 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6209
 
Error - 3/17/2011 5:02:25 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 3/17/2011 5:02:25 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3608178
 
Error - 3/17/2011 5:02:25 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3608178
 
Error - 3/17/2011 5:02:26 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
 
Error - 3/17/2011 5:02:26 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3609224
 
Error - 3/17/2011 5:02:26 PM | Computer Name = Claire-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3609224
 
[ System Events ]
Error - 3/26/2011 4:37:58 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/26/2011 4:37:58 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/26/2011 4:37:58 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/26/2011 4:37:58 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/27/2011 3:15:28 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/27/2011 3:15:29 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/27/2011 3:15:29 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/27/2011 3:15:29 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/27/2011 3:15:29 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
Error - 3/27/2011 3:15:29 AM | Computer Name = Claire-PC | Source = WMPNetworkSvc | ID = 866306
Description = 
 
 
< End of report >

5) Gmer Scan

Code:

ATTFilter

GMER 1.0.15.15570 - hxxp://www.gmer.net
Rootkit scan 2011-04-02 15:58:36
Windows 6.1.7600  Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545016B9A300 rev.PBBOC64G
Running: g2m3e4r.exe; Driver: C:\Users\Claire\AppData\Local\Temp\kxlirpod.sys


---- System - GMER 1.0.15 ----

SSDT            905418A4                                 ZwCreateThread
SSDT            90541890                                 ZwOpenProcess
SSDT            90541895                                 ZwOpenThread
SSDT            9054189F                                 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD          82C44579 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2   82C68F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntkrnlpa.exe!RtlSidHashLookup + 34C      82C7084C 4 Bytes  [A4, 18, 54, 90]
.text           ntkrnlpa.exe!RtlSidHashLookup + 4E8      82C709E8 4 Bytes  [90, 18, 54, 90]
.text           ntkrnlpa.exe!RtlSidHashLookup + 508      82C70A08 4 Bytes  [95, 18, 54, 90]
.text           ntkrnlpa.exe!RtlSidHashLookup + 7B8      82C70CB8 4 Bytes  [9F, 18, 54, 90]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\00000048        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                 fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Ich danke schon jetzt für die verlässliche Hilfe und hoffe, dass der Plagegeistbefall nicht ganz so schwer wiegt. Ist hier auf diesem System nach 2 Jahren der erste Befall.

Danke!

cosinus · 03.04.2011, 15:07

Gibt es noch weitere Logs von Malwarebytes? Wenn ja bitte alle posten, die in Malwarebytes im Reiter Logdateien sichtbar sind.

Jonestown · 03.04.2011, 17:48

Hallo Arne,

habe jetzt eben nach einem Update von Maleware einen Scan damit laufen lassen. Die Logfile ist nachfolgend zu finden. Weitere Logs unter dem Reiter waren keine Vorhanden, da ich dieses Programm sonst nicht nutze.

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5222

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

03.04.2011 18:16:58
mbam-log-2011-04-03 (18-16-58).txt

Scan type: Quick scan
Objects scanned: 120920
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

cosinus · 03.04.2011, 17:55

Zitat:

Database version: 5222

Du hast Malwarebytes vorher nicht aktualisiert. Bitte updaten und einen Vollscan machen.

Jonestown · 03.04.2011, 18:46

Tatsächlich, unter anderem Benutzer hatte das Update fuktioniert.

Anbei die Logdatei...

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6256

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

03.04.2011 19:33:26
mbam-log-2011-04-03 (19-33-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 200070
Time elapsed: 24 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Cee\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> No action taken.

cosinus · 03.04.2011, 19:19

Wieso entfernst du die Funde nicht?

Jonestown · 03.04.2011, 20:19

Tja dass hört sich natürlich blöd an, ich wollte im Zuge der Bereinigung nicht vorgreifen. Schien mir auf den ersten Blick als zu einfach.

Werde die Bereinigung natürlich nachholen, müssen denn noch weitere Dinge
gemacht oder geändert werden?

Jonestown · 03.04.2011, 20:48

Hier der Ordnung halber die Logdatei.

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6256

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

03.04.2011 21:32:09
mbam-log-2011-04-03 (21-32-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 200070
Time elapsed: 21 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Cee\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

cosinus · 04.04.2011, 10:05

Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.

Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Jonestown · 02.05.2011, 18:18

...so HALLO nochmal, die Zeit hat in den letzten Tagen einfah nicht gereicht. Das Problem hat sich jedoch nicht von allein gelöst, daher nachfolgend das Ergebnis des Scans mit "COFI"...

Habe mal probiert ob die Benutzermaske des betroffenen Nutzer schon wieder einen Internetzugang hergibt, leider ist dem nicht so. Scheint wohl doch noch etwas zu dauer. Mal so gefragt, ist so ein Befall denn eigentlich Nutzerbezogen zu sehen, oder wenn ein Nutzer "verseucht" betrifft es auch gleich alle? Würde mich mal interessieren, da die anderen beiden Nutzer keine Probleme beim Zugang ins Netz haben.

Danke schon jetzt für die Unterstützung.

Code:

ATTFilter

ComboFix 11-05-01.04 - Claire 02.05.2011  18:27:22.1.2 - x86
ausgeführt von:: c:\users\Cee\Desktop\cofi.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-04-02 bis 2011-05-02  ))))))))))))))))))))))))))))))
.
.
2011-05-02 16:32 . 2011-05-02 16:33	--------	d-----w-	c:\users\Claire\AppData\Local\temp
2011-05-02 16:32 . 2011-05-02 16:32	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-05-02 16:32 . 2011-05-02 16:32	--------	d-----w-	c:\users\Claires\AppData\Local\temp
2011-05-02 10:18 . 2011-05-02 10:18	--------	d-----w-	c:\users\Claire\AppData\Roaming\OpenOffice.org
2011-05-02 10:16 . 2011-05-02 10:16	--------	d-----w-	c:\program files\OpenOffice.org 3
2011-05-02 10:16 . 2011-05-02 10:16	--------	d-----w-	c:\program files\Common Files\Java
2011-04-03 16:11 . 2011-04-03 16:11	--------	d-----w-	c:\users\Cee\AppData\Roaming\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 10:15 . 2010-06-18 15:17	472808	----a-w-	c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\users\Claire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10	35696	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Hotkey]
2010-02-05 16:25	311296	----a-w-	c:\program files\Fujitsu\Wireless_Utility\Camera Hotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 14:08	421160	----a-w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2009-05-22 22:22	7514656	------w-	c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-10 11:33	202256	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 DeskViewBasicService;DeskViewBasicService;c:\program files\Fujitsu\DeskViewBasic\DeskViewBasicService.exe [2009-08-19 34816]
S3 FSCSLII;FSCSLII;c:\windows\system32\DRIVERS\FSCSLII.sys [2009-05-18 16384]
.
.
Inhalt des "geplante Tasks" Ordners
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 15:18]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 15:18]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.ts.fujitsu.com/index2
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Claire\AppData\Roaming\Mozilla\Firefox\Profiles\dlo60cl1.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-DeskViewBasic - %ProgramFiles%\Fujitsu\DeskViewBasic\DeskViewBasic.exe
HKLM-Run-Wireless_Selector - c:\program files\Fujitsu\Wireless_Utility\Wireless Selector.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2011-05-02  18:35:01
ComboFix-quarantined-files.txt  2011-05-02 16:35
.
Vor Suchlauf: 7 Verzeichnis(se), 118.569.955.328 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 118.487.683.072 Bytes frei
.
- - End Of File - - F832756A75AA86EA38A1802C4B6196F8

cosinus · 02.05.2011, 19:52

Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen.
Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst.

Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.

Doppelklick auf die MBRCheck.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Das Tool braucht nur wenige Sekunden.
Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.

Poste mir bitte den Inhalt des .txt Dokumentes

Jonestown · 02.05.2011, 21:02

...nun gut dann mal der Reihe nach...

a) GMER

Code:

ATTFilter

GMER 1.0.15.15570 - hxxp://www.gmer.net
Rootkit scan 2011-05-02 21:28:44
Windows 6.1.7600  Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545016B9A300 rev.PBBOC64G
Running: g2m3e4r.exe; Driver: C:\Users\Claire\AppData\Local\Temp\kxlirpod.sys


---- System - GMER 1.0.15 ----

SSDT            8054F9EC                                                                                                 ZwCreateThread
SSDT            8054F9D8                                                                                                 ZwOpenProcess
SSDT            8054F9DD                                                                                                 ZwOpenThread
SSDT            8054F9E7                                                                                                 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                          82E52579 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                   82E76F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntkrnlpa.exe!RtlSidHashLookup + 34C                                                                      82E7E84C 4 Bytes  [EC, F9, 54, 80]
.text           ntkrnlpa.exe!RtlSidHashLookup + 4E8                                                                      82E7E9E8 4 Bytes  [D8, F9, 54, 80]
.text           ntkrnlpa.exe!RtlSidHashLookup + 508                                                                      82E7EA08 4 Bytes  [DD, F9, 54, 80]
.text           ntkrnlpa.exe!RtlSidHashLookup + 7B8                                                                      82E7ECB8 4 Bytes  [E7, F9, 54, 80]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [75445D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]     [75445D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]   [75445D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75445D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                  Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\00000049                                                                        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

b) OSAM

Code:

ATTFilter

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 21:38:37 on 02.05.2011

OS: Windows 7  (Build 7600), 32-bit
Default Browser: Microsoft Corporation Internet Explorer 8.00.7600.16385

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"mlcfg32.cpl" - "Microsoft Corporation" - c:\PROGRA~1\MICROS~1\Office12\MLCFG32.CPL
"QuickTime" - "Apple Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"catchme" (catchme) - ? - C:\Users\Claire\AppData\Local\Temp\catchme.sys  (File not found)
"kxlirpod" (kxlirpod) - ? - C:\Users\Claire\AppData\Local\Temp\kxlirpod.sys  (Hidden registry entry, rootkit activity | File not found)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"StarOpen" (StarOpen) - ? - C:\Windows\system32\drivers\StarOpen.sys  (File found, but it contains no detailed information)

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Program Files\iTunes\iTunesMiniPlayer.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - c:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - c:\PROGRA~1\MICROS~1\Office12\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - c:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{AE424E85-F6DF-4910-A6A9-438797986431} "OpenOffice.org Property Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\propertyhdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - c:\PROGRA~1\MICROS~1\Office12\OLKFSTUB.DLL
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" - "RealNetworks, Inc." - C:\Program Files\Real\RealPlayer\rpshell.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
ITBar7Height "ITBar7Height" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_22" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} "Java Plug-in 1.6.0_22" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_22" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_22.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} "{E2883E8F-472F-4FB0-9522-AC9BF37916A7}" - ? -   (File not found | COM-object registry key not found) / hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - c:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Google Toolbar" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} "Google Toolbar Helper" - "Google Inc." - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Claire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"OpenOffice.org 3.3.lnk" - ? - C:\Program Files\OpenOffice.org 3\program\quickstart.exe  (Shortcut exists | File found, but it contains no detailed information | File exists)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"swg" - "Google Inc." - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"iTunesHelper" - "Apple Inc." - "C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task" - "Apple Inc." - "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"DeskViewBasicService" (DeskViewBasicService) - "Fujitsu Technology Solutions" - C:\Program Files\Fujitsu\DeskViewBasic\DeskViewBasicService.exe
"Dienst "Bonjour"" (Bonjour Service) - "Apple Inc." - C:\Program Files\Bonjour\mDNSResponder.exe
"Fujitsu Diagnostic Testhandler" (TestHandler) - "Fujitsu Technology Solutions" - C:\Program Files\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Google Update-Dienst (gupdatem)" (gupdatem) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Program Files\iPod\bin\iPodService.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"NMSAccess" (NMSAccess) - ? - C:\Program Files\CDBurnerXP\NMSAccessU.exe  (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

c) MBR

Code:

ATTFilter

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:			
Windows Version:		Windows 7 Professional
Windows Information:		 (build 7600), 32-bit
Base Board Manufacturer:	FUJITSU SIEMENS
BIOS Manufacturer:		Phoenix Technologies Ltd.
System Manufacturer:		FUJITSU SIEMENS
System Product Name:		ESPRIMO Mobile V6555
Logical Drives Mask:		0x00000014

Kernel Drivers (total 191):
  0x82E0F000 \SystemRoot\system32\ntkrnlpa.exe
  0x8321F000 \SystemRoot\system32\halmacpi.dll
  0x80BD0000 \SystemRoot\system32\kdcom.dll
  0x8762C000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
  0x876A4000 \SystemRoot\system32\PSHED.dll
  0x876B5000 \SystemRoot\system32\BOOTVID.dll
  0x876BD000 \SystemRoot\system32\CLFS.SYS
  0x876FF000 \SystemRoot\system32\CI.dll
  0x87830000 \SystemRoot\system32\drivers\Wdf01000.sys
  0x878A1000 \SystemRoot\system32\drivers\WDFLDR.SYS
  0x878AF000 \SystemRoot\system32\DRIVERS\ACPI.sys
  0x878F7000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
  0x87900000 \SystemRoot\system32\DRIVERS\msisadrv.sys
  0x87908000 \SystemRoot\system32\DRIVERS\pci.sys
  0x87932000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
  0x8793D000 \SystemRoot\System32\drivers\partmgr.sys
  0x8794E000 \SystemRoot\system32\DRIVERS\compbatt.sys
  0x87956000 \SystemRoot\system32\DRIVERS\BATTC.SYS
  0x87961000 \SystemRoot\system32\DRIVERS\volmgr.sys
  0x87971000 \SystemRoot\System32\drivers\volmgrx.sys
  0x879BC000 \SystemRoot\system32\DRIVERS\pciide.sys
  0x879C3000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
  0x879D1000 \SystemRoot\System32\drivers\mountmgr.sys
  0x87800000 \SystemRoot\system32\DRIVERS\nvraid.sys
  0x877AA000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
  0x8781F000 \SystemRoot\system32\DRIVERS\atapi.sys
  0x877CF000 \SystemRoot\system32\DRIVERS\ataport.SYS
  0x879E7000 \SystemRoot\system32\DRIVERS\amdxata.sys
  0x87A31000 \SystemRoot\system32\drivers\fltmgr.sys
  0x87A65000 \SystemRoot\system32\drivers\fileinfo.sys
  0x87A76000 \SystemRoot\System32\Drivers\Ntfs.sys
  0x87BA5000 \SystemRoot\System32\Drivers\msrpc.sys
  0x87BD0000 \SystemRoot\System32\Drivers\ksecdd.sys
  0x87C2B000 \SystemRoot\System32\Drivers\cng.sys
  0x87C88000 \SystemRoot\System32\drivers\pcw.sys
  0x87C96000 \SystemRoot\System32\Drivers\Fs_Rec.sys
  0x87C9F000 \SystemRoot\system32\drivers\ndis.sys
  0x87D56000 \SystemRoot\system32\drivers\NETIO.SYS
  0x87D94000 \SystemRoot\System32\Drivers\ksecpkg.sys
  0x87E2D000 \SystemRoot\System32\drivers\tcpip.sys
  0x87F76000 \SystemRoot\System32\drivers\fwpkclnt.sys
  0x87FA7000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
  0x87FB0000 \SystemRoot\system32\DRIVERS\volsnap.sys
  0x87FEF000 \SystemRoot\System32\Drivers\spldr.sys
  0x87E00000 \SystemRoot\System32\drivers\rdyboost.sys
  0x87DB9000 \SystemRoot\System32\Drivers\mup.sys
  0x87FF7000 \SystemRoot\System32\drivers\hwpolicy.sys
  0x87DC9000 \SystemRoot\System32\DRIVERS\fvevol.sys
  0x87C00000 \SystemRoot\system32\DRIVERS\disk.sys
  0x87A00000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0x87A1F000 \SystemRoot\System32\Drivers\Null.SYS
  0x87A26000 \SystemRoot\System32\Drivers\Beep.SYS
  0x879F0000 \SystemRoot\System32\drivers\vga.sys
  0x87600000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
  0x877F2000 \SystemRoot\System32\drivers\watchdog.sys
  0x87828000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0x87621000 \SystemRoot\system32\drivers\rdpencdd.sys
  0x8D029000 \SystemRoot\system32\drivers\rdprefmp.sys
  0x8D031000 \SystemRoot\System32\Drivers\Msfs.SYS
  0x8D03C000 \SystemRoot\System32\Drivers\Npfs.SYS
  0x8D04A000 \SystemRoot\system32\DRIVERS\tdx.sys
  0x8D061000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0x8D06C000 \SystemRoot\system32\drivers\afd.sys
  0x8D0C6000 \SystemRoot\System32\DRIVERS\netbt.sys
  0x8D0F8000 \SystemRoot\system32\DRIVERS\wfplwf.sys
  0x8D0FF000 \SystemRoot\system32\DRIVERS\pacer.sys
  0x8D11E000 \SystemRoot\system32\DRIVERS\vwififlt.sys
  0x8D12F000 \SystemRoot\system32\DRIVERS\netbios.sys
  0x8D13D000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0x8D150000 \SystemRoot\system32\DRIVERS\termdd.sys
  0x8D160000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
  0x8D166000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0x8D1A7000 \SystemRoot\system32\drivers\nsiproxy.sys
  0x8D1B1000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0x8D1BB000 \SystemRoot\System32\drivers\discache.sys
  0x8D428000 \SystemRoot\system32\drivers\csc.sys
  0x8D48C000 \SystemRoot\System32\Drivers\dfsc.sys
  0x8D4A4000 \SystemRoot\system32\DRIVERS\blbdrive.sys
  0x8D4B2000 \SystemRoot\system32\DRIVERS\avipbb.sys
  0x8D4CE000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
  0x8D4D0000 \SystemRoot\system32\DRIVERS\tunnel.sys
  0x8D4F1000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0x8D503000 \SystemRoot\system32\DRIVERS\FSCSLII.sys
  0x8D50D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0x8D525000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0x8D532000 \SystemRoot\system32\DRIVERS\SynTP.sys
  0x8D565000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0x8D567000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0x8D574000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0x8D578000 \SystemRoot\system32\DRIVERS\nvsmu.sys
  0x8D581000 \SystemRoot\system32\DRIVERS\usbohci.sys
  0x8D58B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0x8D5D6000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0x8D400000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0x8D80B000 \SystemRoot\system32\DRIVERS\nvmf6232.sys
  0x8D850000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
  0x8DE10000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
  0x8E76E000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
  0x8D856000 \SystemRoot\System32\drivers\dxgkrnl.sys
  0x8E770000 \SystemRoot\System32\drivers\dxgmms1.sys
  0x8D607000 \SystemRoot\system32\DRIVERS\athr.sys
  0x8D717000 \SystemRoot\system32\DRIVERS\vwifibus.sys
  0x8D721000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
  0x8D72A000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
  0x8D737000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
  0x8D749000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0x8D761000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0x8D76C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0x8D78E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0x8D7A6000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0x8D7BD000 \SystemRoot\system32\DRIVERS\rassstp.sys
  0x8D7D4000 \SystemRoot\system32\DRIVERS\rdpbus.sys
  0x8D7DE000 \SystemRoot\system32\DRIVERS\swenum.sys
  0x8E7A9000 \SystemRoot\system32\DRIVERS\ks.sys
  0x8D7E0000 \SystemRoot\system32\DRIVERS\umbus.sys
  0x8D90D000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0x8D7EE000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0x82223000 \SystemRoot\system32\drivers\RTKVHDA.sys
  0x82463000 \SystemRoot\system32\drivers\portcls.sys
  0x82492000 \SystemRoot\system32\drivers\drmk.sys
  0x824AB000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0x824E0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0x824E7000 \SystemRoot\System32\Drivers\usbvideo.sys
  0x82522000 \SystemRoot\System32\Drivers\crashdmp.sys
  0x8252F000 \SystemRoot\System32\Drivers\dump_dumpata.sys
  0x8253A000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0x82543000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
  0x93960000 \SystemRoot\System32\win32k.sys
  0x82554000 \SystemRoot\System32\drivers\Dxapi.sys
  0x93BC0000 \SystemRoot\System32\TSDDD.dll
  0x82569000 \SystemRoot\system32\drivers\luafv.sys
  0x82584000 \SystemRoot\system32\DRIVERS\avgntflt.sys
  0x82598000 \SystemRoot\system32\drivers\WudfPf.sys
  0x825B2000 \SystemRoot\system32\DRIVERS\lltdio.sys
  0x8D951000 \SystemRoot\system32\DRIVERS\nwifi.sys
  0x825C2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0x825D2000 \SystemRoot\system32\DRIVERS\rspndr.sys
  0x97028000 \SystemRoot\system32\drivers\HTTP.sys
  0x970AD000 \SystemRoot\system32\DRIVERS\bowser.sys
  0x970C6000 \SystemRoot\System32\drivers\mpsdrv.sys
  0x970D8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0x970FB000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
  0x97136000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
  0x97169000 \SystemRoot\system32\drivers\peauth.sys
  0x97000000 \SystemRoot\System32\Drivers\secdrv.SYS
  0x82200000 \SystemRoot\System32\DRIVERS\srvnet.sys
  0x9700A000 \SystemRoot\System32\drivers\tcpipreg.sys
  0x8D997000 \SystemRoot\System32\DRIVERS\srv2.sys
  0x9BA2D000 \SystemRoot\System32\DRIVERS\srv.sys
  0x9BAE8000 \SystemRoot\system32\DRIVERS\monitor.sys
  0x9BAF3000 \??\C:\Users\Claire\AppData\Local\Temp\kxlirpod.sys
  0x93940000 \SystemRoot\System32\cdd.dll
  0x773A0000 \Windows\System32\ntdll.dll
  0x48170000 \Windows\System32\smss.exe
  0x775E0000 \Windows\System32\apisetschema.dll
  0x009D0000 \Windows\System32\autochk.exe
  0x775C0000 \Windows\System32\normaliz.dll
  0x77560000 \Windows\System32\shlwapi.dll
  0x77550000 \Windows\System32\psapi.dll
  0x77260000 \Windows\System32\urlmon.dll
  0x77500000 \Windows\System32\Wldap32.dll
  0x771D0000 \Windows\System32\clbcatq.dll
  0x77100000 \Windows\System32\msctf.dll
  0x774E0000 \Windows\System32\sechost.dll
  0x77060000 \Windows\System32\advapi32.dll
  0x77030000 \Windows\System32\imagehlp.dll
  0x76F60000 \Windows\System32\user32.dll
  0x76ED0000 \Windows\System32\oleaut32.dll
  0x76280000 \Windows\System32\shell32.dll
  0x76180000 \Windows\System32\wininet.dll
  0x76170000 \Windows\System32\nsi.dll
  0x76010000 \Windows\System32\ole32.dll
  0x75E70000 \Windows\System32\setupapi.dll
  0x75E10000 \Windows\System32\difxapi.dll
  0x75DF0000 \Windows\System32\imm32.dll
  0x75D70000 \Windows\System32\comdlg32.dll
  0x75CC0000 \Windows\System32\rpcrt4.dll
  0x75C10000 \Windows\System32\msvcrt.dll
  0x75BC0000 \Windows\System32\gdi32.dll
  0x75B20000 \Windows\System32\usp10.dll
  0x75A40000 \Windows\System32\kernel32.dll
  0x75A30000 \Windows\System32\lpk.dll
  0x75830000 \Windows\System32\iertutil.dll
  0x757F0000 \Windows\System32\ws2_32.dll
  0x757D0000 \Windows\System32\devobj.dll
  0x757A0000 \Windows\System32\cfgmgr32.dll
  0x75710000 \Windows\System32\comctl32.dll
  0x756C0000 \Windows\System32\KernelBase.dll
  0x755A0000 \Windows\System32\crypt32.dll
  0x75570000 \Windows\System32\wintrust.dll
  0x75560000 \Windows\System32\msasn1.dll

Processes (total 58):
       0 System Idle Process
       4 System
     264 C:\Windows\System32\smss.exe
     388 csrss.exe
     448 C:\Windows\System32\wininit.exe
     456 csrss.exe
     504 C:\Windows\System32\services.exe
     520 C:\Windows\System32\lsass.exe
     528 C:\Windows\System32\lsm.exe
     620 C:\Windows\System32\winlogon.exe
     688 C:\Windows\System32\svchost.exe
     784 C:\Windows\System32\svchost.exe
     860 C:\Windows\System32\svchost.exe
     924 C:\Windows\System32\svchost.exe
     956 C:\Windows\System32\svchost.exe
    1128 C:\Windows\System32\svchost.exe
    1308 C:\Windows\System32\svchost.exe
    1452 C:\Windows\System32\spoolsv.exe
    1488 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1508 C:\Windows\System32\svchost.exe
    1652 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1672 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1716 C:\Program Files\Bonjour\mDNSResponder.exe
    1768 C:\Program Files\CDBurnerXP\NMSAccessU.exe
    1828 C:\Windows\System32\svchost.exe
    1860 C:\Program Files\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
    1916 C:\Program Files\Fujitsu\DeskViewBasic\DeskViewBasicService.exe
    1340 C:\Windows\System32\taskhost.exe
    2140 C:\Windows\System32\dwm.exe
    2272 C:\Windows\explorer.exe
    2536 C:\Windows\System32\svchost.exe
    2692 rundll32.exe
    2832 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2856 C:\Program Files\iTunes\iTunesHelper.exe
    2868 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2876 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3124 C:\Program Files\iPod\bin\iPodService.exe
    3336 C:\Windows\System32\SearchIndexer.exe
    3436 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3808 C:\Windows\System32\svchost.exe
    3648 csrss.exe
    3388 C:\Windows\System32\winlogon.exe
    2324 C:\Windows\System32\taskhost.exe
    1064 C:\Windows\System32\dwm.exe
    1932 C:\Windows\explorer.exe
    2052 C:\Windows\System32\svchost.exe
     108 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2668 C:\Program Files\iTunes\iTunesHelper.exe
     716 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3020 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3960 C:\Program Files\OpenOffice.org 3\program\soffice.exe
    1252 C:\Program Files\OpenOffice.org 3\program\soffice.bin
    3940 C:\Program Files\Mozilla Firefox\firefox.exe
    1068 C:\Windows\System32\audiodg.exe
    3008 C:\Windows\System32\SearchProtocolHost.exe
    3600 C:\Windows\System32\SearchFilterHost.exe
    1856 C:\Users\Cee\Desktop\MBRCheck.exe
     312 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`808cd800  (NTFS)

PhysicalDrive0 Model Number: HitachiHTS545016B9A300, Rev: PBBOC64G

      Size  Device Name          MBR Status
  --------------------------------------------
    149 GB  \\.\PhysicalDrive0   Windows 7 MBR code detected
            SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

cosinus · 02.05.2011, 21:13

Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!

Jonestown · 03.05.2011, 19:24

...nachfolgend die Logs!

a) mabam

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6493

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

02.05.2011 22:40:17
mbam-log-2011-05-02 (22-40-17).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 252704
Laufzeit: 32 Minute(n), 26 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

b) Superantispyware

Code:

ATTFilter

SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 05/03/2011 at 08:06 PM

Application Version : 4.51.1000

Core Rules Database Version : 6979
Trace Rules Database Version: 4791

Scan type       : Complete Scan
Total Scan Time : 00:58:14

Memory items scanned      : 752
Memory threats detected   : 0
Registry items scanned    : 9084
Registry threats detected : 0
File items scanned        : 83467
File threats detected     : 1

Adware.Tracking Cookie
	akamai.smartadserver.com [ C:\Users\Claire\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2AJHD2F8 ]

Wenn nun zum Glück nicht viel sein sollte, was wären die Maßnahmen? Deinstallation der alten Browser und Neuinstallation von aktuellen? Außerdem hätte ich echt gerne noch gewusst wie sich dass mit den Benutzerbezogenen Problemen verhält, auch wenn die Frage vielleicht nicht von Fachwissen zeugt, dafür bin aber ja auch bei Euch gelandet.

cosinus · 04.05.2011, 10:42

Sieht ok aus, da wurden nur Cookies gefunden.
Noch Probleme oder weitere Funde in der Zwischenzeit?

Zitat:

Außerdem hätte ich echt gerne noch gewusst wie sich dass mit den Benutzerbezogenen Problemen verhält

Welche genau sind da noch offen?

03.04.2011, 15:07	#2
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Mehrfacher Virenbefall mit z.B. BDS/Cycbot.B.1860 Gibt es noch weitere Logs von Malwarebytes? Wenn ja bitte alle posten, die in Malwarebytes im Reiter Logdateien sichtbar sind. __________________ __________________

03.04.2011, 19:19	#6
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Mehrfacher Virenbefall mit z.B. BDS/Cycbot.B.1860 Wieso entfernst du die Funde nicht? __________________ --> Mehrfacher Virenbefall mit z.B. BDS/Cycbot.B.1860

02.05.2011, 21:13	#13
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Mehrfacher Virenbefall mit z.B. BDS/Cycbot.B.1860 Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SUPERAntiSpyware und poste die Logs. Denk dran beide Tools zu updaten vor dem Scan!! __________________ Logfiles bitte immer in CODE-Tags posten

Mehrfacher Virenbefall mit z.B. BDS/Cycbot.B.1860

Log-Analyse und Auswertung: Mehrfacher Virenbefall mit z.B. BDS/Cycbot.B.1860