Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log analysis and evaluation (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Completely remove GVU Trojan 2.07? Win 7 64bit (https://www.trojaner-board.de/119655-gvu-trojaner-2-07-komplett-entfernen-win-7-64bit.html)

2ndSkin 16.07.2012 18:15

Completely remove GVU Trojan 2.07? Win 7 64bit

Hello,

I would be very grateful for help with the problem named above.

Unfortunately avast Internet Security 7 (full version) did show me the Trojan but did not prevent it from locking my screen. I then removed it with Malwarebytes.

Log for that:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.16.08

Windows 7 Service Pack 1 x64 NTFS (Abgesichertenmodus/Netzwerkfähig)
Internet Explorer 9.0.8112.16421
Lib :: LIB-PC [Administrator]

16.07.2012 18:04:29
mbam-log-2012-07-16 (18-04-29).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 251409
Laufzeit: 30 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
C:\Users\Lib\AppData\Local\Temp\fest0r_ot.exe (Spyware.Zbot.DG) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Lib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk (Trojan.Ransom.Gen) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

Then another full scan:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.07.16.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Lib :: LIB-PC [Administrator]

16.07.2012 18:33:31
mbam-log-2012-07-16 (18-33-31).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 544289
Laufzeit: 35 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

Unfortunately I cannot start OTL, because I get the error that it is not a valid 32-bit application.

How should I proceed now?

Thanks in advance.

t'john 16.07.2012 19:10

:hallo:

Download OTL from here:
OTL Download - OTL 3.2.53.1 and create the log as described here: OTL.exe.

2ndSkin 16.07.2012 19:36

Done. The logs are attached (hopefully I did everything right). What do I need to do next?

t'john 16.07.2012 19:55

Fixing with OTL

Download OTL from OldTimer (if you don't have it yet) and save it to your desktop (not anywhere else).

  • Disable any virus scanners such as Avira, Kaspersky etc.
  • Start OTL.exe.
    Vista and Windows 7 users start it by right-clicking the program icon and choosing "Run as administrator".
  • Copy the following script into the text box below Custom Scans/Fixes:


Code:

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://search.yahoo.com/search?fr=chr-panda&q={searchTerms}&ei=UTF-8&type=PCAFSI1190
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
FF - prefs.js..browser.search.defaultenginename: "foxsearch"
FF - prefs.js..browser.search.defaultthis.engineName: "MyAshampoo Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "foxsearch"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=244506"
FF - prefs.js..browser.search.selectedEngine: "foxsearch"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: widgetruntime@surfsecret.com:1.0
FF - prefs.js..extensions.enabledItems: activities@kaply.com:0.7.7
FF - prefs.js..extensions.enabledItems: autopager@mozilla.org:0.6.2.6
FF - prefs.js..extensions.enabledItems: bettergmail2@ginatrapani.org:1.2
FF - prefs.js..extensions.enabledItems: de-DE@dictionaries.addons.mozilla.org:2.0.2
FF - prefs.js..extensions.enabledItems: DeviceDetection@logitech.com:1.20.0.66
FF - prefs.js..extensions.enabledItems: extension@virtusdesigns.com:3.6.7
FF - prefs.js..extensions.enabledItems: kosa@kallout.com:2.0.1.1
FF - prefs.js..extensions.enabledItems: max@subfighter.com:1.0.3
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.2
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.12.2.44026
FF - prefs.js..extensions.enabledItems: smarterwiki@wikiatic.com:4.1.8
FF - prefs.js..extensions.enabledItems: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.1.1
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.8.4
FF - prefs.js..extensions.enabledItems: {340c2bbc-ce74-4362-90b5-7c26312808ef}:1.7
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
FF - prefs.js..extensions.enabledItems: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}:1.0
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.4
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.49
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.8
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.2
FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:5.0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2
FF - prefs.js..extensions.enabledItems: wrc@avast.com:20110101
FF - prefs.js..extensions.enabledItems: rein@notiz.jp:3.6.1
FF - prefs.js..extensions.enabledItems: {07b2a769-ed19-4483-87ce-c643914c81b1}:2.2
FF - prefs.js..extensions.enabledItems: {07b2a769-ed19-4483-87ce-c643914c81bb}:3.0.0.91
FF - prefs.js..extensions.enabledItems: {239c61a8-e55f-11db-8314-0800200c9a66}:2.1.4
FF - prefs.js..extensions.enabledItems: {35f30c76-35d4-56d9-8dbc-000a6e787ef4}:1.2.2
FF - prefs.js..extensions.enabledItems: {3713a489-0634-4472-8456-dc7abd7eba00}:1.3.1
FF - prefs.js..extensions.enabledItems: {5c876f30-10ce-11dd-bd0b-0800200c9a66}:3.6.7
FF - prefs.js..extensions.enabledItems: {6e00410e-1176-11dc-8314-0800200c9a66}:1.6.2
FF - prefs.js..extensions.enabledItems: {7694c49c-9fbd-11dc-8314-0800200c9a66}:3.6.7
FF - prefs.js..extensions.enabledItems: {9998A493-980E-4716-81BC-F0C77001E9B7}:3.13
FF - prefs.js..extensions.enabledItems: {c1dffba0-628e-11d9-9669-0800200c9a66}:3.6.3
FF - prefs.js..keyword.URL: "http://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q="
FF - prefs.js..network.proxy.http: "212.233.184.189"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.no_proxies_on: "localhost, 127.0.0.1, stealthy.co"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.type: 0
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
O4 - HKCU..\Run: [KiesHelper] F:\Kies\KiesHelper.exe /s File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O27:64bit: - HKLM IFEO\hirezgamesdiagandsupport.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\hirezlauncherui.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\kies.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\nvstlink.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\nvstview.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\pccompanion.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\setup.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\hirezgamesdiagandsupport.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\hirezlauncherui.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\kies.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\nvstlink.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\nvstview.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\pccompanion.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\setup.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe (TuneUp Software)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{48d1e49d-5989-11e1-911d-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{48d1e49d-5989-11e1-911d-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Bin\assetup.exe

@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:0FF263E8

[2012.07.16 18:02:21 | 004,503,728 | ---- | M] () -- C:\ProgramData\to_r0tsef.pad
[2012.07.16 17:23:09 | 004,503,728 | ---- | C] () -- C:\ProgramData\to_r0tsef.pad

:Files

ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[emptyflash]

  • Close all programs.
  • Click the Fix button.
  • If OTL asks for a reboot, allow it.
  • Copy the contents of the logfile into your thread here, in code tags.
    You can view the logfile afterwards here => C:\_OTL\MovedFiles\

Note for other readers: the OTL script above was created exclusively for this user in this situation.
Never use it on other computers; it can permanently damage other systems!

2ndSkin 16.07.2012 20:14

Wrong procedure (edit)

t'john 16.07.2012 20:19

WRONG!

You entered the MBAM LOG instead of the FIX!

AGAIN: http://www.trojaner-board.de/119655-...tml#post866767

2ndSkin 16.07.2012 20:50

Now the computer no longer starts properly. The log was still displayed, the screen stays black, but the indicator light suggests activity....

t'john 16.07.2012 21:03

Have you run the fix now?

The logfile should be here: C:\_OTL\MovedFiles\

If necessary, start in safe mode.

Your browser was being routed via Romania
Quote:

prefs.js..network.proxy.http: "212.233.184.189"
Was that set deliberately?
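
The proxy entry quoted above is the kind of thing a helper looks for in the FF section of an OTL listing. As an added example (not part of this thread and not OTL's or the helper's code), the Python below parses a constructed prefs.js excerpt mirroring those lines and reports the proxy and search-engine overrides, including whether network.proxy.type actually activates the proxy; the expected-host lists are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed prefs.js excerpt that mirrors the FF lines in the OTL listing above
SAMPLE_PREFS = r'''
user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}");
user_pref("browser.search.selectedEngine", "foxsearch");
user_pref("browser.startup.homepage", "about:home");
user_pref("keyword.URL", "http://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q=");
user_pref("network.proxy.http", "212.233.184.189");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, stealthy.co");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.type", 0);
'''

# Firefox network.proxy.type values: 0 = direct, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system
PROXY_TYPE_NAMES = {0: "direct (no proxy)", 1: "manual", 2: "PAC URL",
                    4: "auto-detect (WPAD)", 5: "system"}

# Assumed allowlists: search hosts / engine names treated as expected; others are reported
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
EXPECTED_ENGINES = {"google", "bing", "yahoo"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict: strings lose their quotes,
    booleans and integers are converted, anything else is kept raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def _is_local_host(host):
    """True for localhost or a private / loopback / link-local IP literal."""
    if host.lower() in ("localhost", ""):
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname rather than an IP literal


def audit_prefs(prefs):
    """Return a list of (severity, pref_name, detail) findings."""
    findings = []

    # 1. Proxy: a hard-coded external proxy host is the indicator;
    #    network.proxy.type decides whether Firefox actually honours it.
    host = prefs.get("network.proxy.http")
    if host:
        ptype = prefs.get("network.proxy.type", 5)
        port = prefs.get("network.proxy.http_port", "?")
        state = PROXY_TYPE_NAMES.get(ptype, "unknown")
        if _is_local_host(host):
            sev = "info"
        elif ptype == 1:
            sev = "high"    # traffic is going through the external proxy right now
        else:
            sev = "medium"  # configured but dormant; one pref flip activates it
        findings.append((sev, "network.proxy.http",
                         "proxy %s:%s, network.proxy.type=%s -> %s" % (host, port, ptype, state)))

    # 2. Search hijack: keyword.URL and browser.search.defaulturl send
    #    address-bar searches to a third-party host instead of the chosen engine.
    for key in ("keyword.URL", "browser.search.defaulturl"):
        url = prefs.get(key)
        if not url:
            continue
        shost = urlparse(url).hostname or ""
        if shost not in EXPECTED_SEARCH_HOSTS:
            findings.append(("medium", key, "address-bar search routed to %s" % shost))

    # 3. Selected engine whose name matches none of the expected engines
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine.lower() not in EXPECTED_ENGINES:
        findings.append(("low", "browser.search.selectedEngine", "unfamiliar engine %r" % engine))

    return findings


if __name__ == "__main__":
    for sev, key, detail in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print("[%-6s] %-30s %s" % (sev, key, detail))
```

On the sample, the proxy is reported as medium because network.proxy.type is 0 (direct), so the external host was configured but not in use at the time of the listing; the same entry with type 1 is rated high.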

2ndSkin 16.07.2012 21:06

Yes, so it apparently did fix. As I said, a report was displayed (for about 10 seconds). I'll do a hard reset and reboot.

I have nothing to do with Romania, though, and no idea why it is set like that...

t'john 16.07.2012 21:08

Good,

try to find the logfile


then:

Please download AdwCleaner to your desktop.
  • Start adwcleaner.exe with a double-click.
  • Click Search.
  • When the scan finishes, a text file opens.
  • Post me its contents in your next reply.
  • You can also find the logfile at C:\AdwCleaner[R1].txt.

2ndSkin 16.07.2012 21:12

Code:

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Prefs.js: "foxsearch" removed from browser.search.defaultenginename
Prefs.js: "MyAshampoo Customized Web Search" removed from browser.search.defaultthis.engineName
Prefs.js: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "foxsearch" removed from browser.search.order.1
Prefs.js: "chr-greentree_ff&type=244506" removed from browser.search.param.yahoo-fr
Prefs.js: "foxsearch" removed from browser.search.selectedEngine
Prefs.js: false removed from browser.search.suggest.enabled
Prefs.js: true removed from browser.search.useDBForOrder
Prefs.js: "about:home" removed from browser.startup.homepage
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
Prefs.js: widgetruntime@surfsecret.com:1.0 removed from extensions.enabledItems
Prefs.js: activities@kaply.com:0.7.7 removed from extensions.enabledItems
Prefs.js: autopager@mozilla.org:0.6.2.6 removed from extensions.enabledItems
Prefs.js: bettergmail2@ginatrapani.org:1.2 removed from extensions.enabledItems
Prefs.js: de-DE@dictionaries.addons.mozilla.org:2.0.2 removed from extensions.enabledItems
Prefs.js: DeviceDetection@logitech.com:1.20.0.66 removed from extensions.enabledItems
Prefs.js: extension@virtusdesigns.com:3.6.7 removed from extensions.enabledItems
Prefs.js: kosa@kallout.com:2.0.1.1 removed from extensions.enabledItems
Prefs.js: max@subfighter.com:1.0.3 removed from extensions.enabledItems
Prefs.js: personas@christopher.beard:1.6.2 removed from extensions.enabledItems
Prefs.js: piclens@cooliris.com:1.12.2.44026 removed from extensions.enabledItems
Prefs.js: smarterwiki@wikiatic.com:4.1.8 removed from extensions.enabledItems
Prefs.js: {1018e4d6-728f-4b20-ad56-37578a4de76b}:4.1.1 removed from extensions.enabledItems
Prefs.js: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.8.4 removed from extensions.enabledItems
Prefs.js: {340c2bbc-ce74-4362-90b5-7c26312808ef}:1.7 removed from extensions.enabledItems
Prefs.js: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2 removed from extensions.enabledItems
Prefs.js: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908 removed from extensions.enabledItems
Prefs.js: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10 removed from extensions.enabledItems
Prefs.js: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1 removed from extensions.enabledItems
Prefs.js: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}:1.0 removed from extensions.enabledItems
Prefs.js: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.4 removed from extensions.enabledItems
Prefs.js: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3 removed from extensions.enabledItems
Prefs.js: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.49 removed from extensions.enabledItems
Prefs.js: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.8 removed from extensions.enabledItems
Prefs.js: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.2 removed from extensions.enabledItems
Prefs.js: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:5.0.1 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 removed from extensions.enabledItems
Prefs.js: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2 removed from extensions.enabledItems
Prefs.js: wrc@avast.com:20110101 removed from extensions.enabledItems
Prefs.js: rein@notiz.jp:3.6.1 removed from extensions.enabledItems
Prefs.js: {07b2a769-ed19-4483-87ce-c643914c81b1}:2.2 removed from extensions.enabledItems
Prefs.js: {07b2a769-ed19-4483-87ce-c643914c81bb}:3.0.0.91 removed from extensions.enabledItems
Prefs.js: {239c61a8-e55f-11db-8314-0800200c9a66}:2.1.4 removed from extensions.enabledItems
Prefs.js: {35f30c76-35d4-56d9-8dbc-000a6e787ef4}:1.2.2 removed from extensions.enabledItems
Prefs.js: {3713a489-0634-4472-8456-dc7abd7eba00}:1.3.1 removed from extensions.enabledItems
Prefs.js: {5c876f30-10ce-11dd-bd0b-0800200c9a66}:3.6.7 removed from extensions.enabledItems
Prefs.js: {6e00410e-1176-11dc-8314-0800200c9a66}:1.6.2 removed from extensions.enabledItems
Prefs.js: {7694c49c-9fbd-11dc-8314-0800200c9a66}:3.6.7 removed from extensions.enabledItems
Prefs.js: {9998A493-980E-4716-81BC-F0C77001E9B7}:3.13 removed from extensions.enabledItems
Prefs.js: {c1dffba0-628e-11d9-9669-0800200c9a66}:3.6.3 removed from extensions.enabledItems
Prefs.js: "hxxp://www.finduny.com?client=mozilla-firefox&cd=UTF-8&search=1&q=" removed from keyword.URL
Prefs.js: "212.233.184.189" removed from network.proxy.http
Prefs.js: 3128 removed from network.proxy.http_port
Prefs.js: "localhost, 127.0.0.1, stealthy.co" removed from network.proxy.no_proxies_on
Prefs.js: true removed from network.proxy.share_proxy_settings
Prefs.js: 0 removed from network.proxy.type
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\ deleted successfully.
C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\ deleted successfully.
File C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found.
File C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\KiesHelper deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hirezgamesdiagandsupport.exe\ deleted successfully.
C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe moved successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hirezlauncherui.exe\ deleted successfully.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kies.exe\ deleted successfully.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvstlink.exe\ deleted successfully.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvstview.exe\ deleted successfully.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccompanion.exe\ deleted successfully.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\ deleted successfully.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hirezgamesdiagandsupport.exe\ not found.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hirezlauncherui.exe\ not found.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kies.exe\ not found.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvstlink.exe\ not found.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvstview.exe\ not found.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccompanion.exe\ not found.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\ not found.
File C:\Program Files (x86)\TuneUp Utilities 2012\TUAutoReactivator64.exe not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48d1e49d-5989-11e1-911d-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48d1e49d-5989-11e1-911d-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48d1e49d-5989-11e1-911d-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48d1e49d-5989-11e1-911d-806e6f6e6963}\ not found.
File D:\Bin\assetup.exe not found.
ADS C:\ProgramData\TEMP:0FF263E8 deleted successfully.
C:\ProgramData\to_r0tsef.pad moved successfully.
File C:\ProgramData\to_r0tsef.pad not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
C:\Users\***\Desktop\cmd.bat deleted successfully.
C:\Users\***\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 111188 bytes
->Temporary Internet Files folder emptied: 323961 bytes
->Java cache emptied: 0 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: ***
->Temp folder emptied: 25889766 bytes
->Temporary Internet Files folder emptied: 885138 bytes
->Java cache emptied: 2771705 bytes
->FireFox cache emptied: 61491035 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 567 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1824 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 47770674 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67765 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 133,00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: All Users
 
User: Default
 
User: Default User
 
User: ***
->Flash cache emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
 
Total Flash Files Cleaned = 0,00 mb
 
 
OTL by OldTimer - Version 3.2.54.0 log created on 07162012_212450

Code:

# AdwCleaner v1.702 - Logfile created 07/16/2012 at 22:13:03
# Updated 13/07/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : *** - ***-PC
# Running from : C:\Users\***\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\Conduit
Folder Found : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\ConduitEngine
Folder Found : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\WinampToolbarData
Folder Found : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
File Found : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\searchplugins\Conduit.xml

***** [Registry] *****

Key Found : HKLM\SOFTWARE\DT Soft
Key Found : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
[x64] Key Found : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Type***\{2D5E2D34-BED5-4B9F-9793-A31E26E6806E}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
[x64] Key Found : HKLM\SOFTWARE\Classes\Type***\{2D5E2D34-BED5-4B9F-9793-A31E26E6806E}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v13.0.1 (de)

Profile name : default
File : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\prefs.js

Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/868510/864310/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874426/870225/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874430/870228/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874431/870229/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874435/870233/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874437/870235/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874438/870236/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874439/870237/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874440/870238/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874441/870239/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874443/870241/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/909619/905414/DE", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2475029", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=ct2481020", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/toolbar/", "\"63428984078257[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=0", "63[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=1/11/20[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/CT2475029/CT2475029[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/ct2481020/CT2475029[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/equaliz[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/minimiz[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/play.gi[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/stop.gi[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/vol.gif[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=de", "\"634[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"634[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/1344951.xml", "\"6c43e594350b8cbfad8e[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/16887175.xml", "\"834ad08fb6b554b5c7e[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/17151925.xml", "\"0fd81af39cadfc7507c[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/20536157.xml", "\"d6739014f847336d8fa[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/30261067.xml", "\"33826f9181124e5a81e[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/34655603.xml", "\"141c9c47d8bfd93153e[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/759251.xml", "\"3b537a8dedd7323a76ac6[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/816653.xml", "\"3310b3d566d4bd39f603d[...]
Found : user_pref("CommunityToolbar.EngineOwner", "");
Found : user_pref("CommunityToolbar.EngineOwnerGuid", "");
Found : user_pref("CommunityToolbar.EngineOwnerToolbarId", "");
Found : user_pref("CommunityToolbar.IsMyStuffImportedToEngine", true);
Found : user_pref("CommunityToolbar.OriginalEngineOwner", "CT2475029");
Found : user_pref("CommunityToolbar.OriginalEngineOwnerGuid", "{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}");
Found : user_pref("CommunityToolbar.OriginalEngineOwnerToolbarId", "myashampoo");
Found : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://search.yahoo.com/search?fr=panda&[...]
Found : user_pref("CommunityToolbar.ToolbarsList", "ConduitEngine");
Found : user_pref("CommunityToolbar.ToolbarsList2", "");
Found : user_pref("CommunityToolbar.alert.alertInfoInterval", 1440);
Found : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Thu Jan 27 2011 02:43:20 GMT+0100");
Found : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Found : user_pref("CommunityToolbar.alert.locale", "en");
Found : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Found : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Wed Jan 26 2011 23:51:33 GMT+0100");
Found : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1291052234");
Found : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Found : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Found : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Found : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Found : user_pref("CommunityToolbar.alert.userId", "439c7628-8e08-47d6-b3ff-b4ee51cf9051");
Found : user_pref("CommunityToolbar.twitter.user_1344951.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100"[...]
Found : user_pref("CommunityToolbar.twitter.user_16887175.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Found : user_pref("CommunityToolbar.twitter.user_17151925.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Found : user_pref("CommunityToolbar.twitter.user_20536157.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Found : user_pref("CommunityToolbar.twitter.user_30261067.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Found : user_pref("CommunityToolbar.twitter.user_34655603.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Found : user_pref("CommunityToolbar.twitter.user_759251.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100")[...]
Found : user_pref("CommunityToolbar.twitter.user_816653.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100")[...]
Found : user_pref("ConduitEngine.FirstServerDate", "01/27/2011 01");
Found : user_pref("ConduitEngine.FirstTime", true);
Found : user_pref("ConduitEngine.FirstTimeFF3", true);
Found : user_pref("ConduitEngine.HasUserGlobalKeys", true);
Found : user_pref("ConduitEngine.Initialize", true);
Found : user_pref("ConduitEngine.InitializeCommonPrefs", true);
Found : user_pref("ConduitEngine.InstalledDate", "Wed Jan 26 2011 23:51:34 GMT+0100");
Found : user_pref("ConduitEngine.IsMulticommunity", false);
Found : user_pref("ConduitEngine.IsOpenThankYouPage", false);
Found : user_pref("ConduitEngine.IsOpenUninstallPage", true);
Found : user_pref("ConduitEngine.LanguagePackLastCheckTime", "Wed Jan 26 2011 23:51:34 GMT+0100");
Found : user_pref("ConduitEngine.LastLogin_3.2.5.2", "Thu Jan 27 2011 16:25:50 GMT+0100");
Found : user_pref("ConduitEngine.PublisherContainerWidth", 0);
Found : user_pref("ConduitEngine.SearchFromAddressBarIsInit", true);
Found : user_pref("ConduitEngine.SettingsLastCheckTime", "Thu Jan 27 2011 16:25:46 GMT+0100");
Found : user_pref("ConduitEngine.UserID", "UN15566717195960056");
Found : user_pref("ConduitEngine.engineLocale", "de");
Found : user_pref("ConduitEngine.enngineContextMenuLastCheckTime", "Wed Jan 26 2011 23:51:34 GMT+0100");
Found : user_pref("ConduitEngine.initDone", true);
Found : user_pref("bettergmail2.enabled.inboxcount", true);
Found : user_pref("bettergmail2.enabled.inboxcountfirst", true);
Found : user_pref("easygestures.customizations.searchQuery1", "hxxp://www.google.de/search?q=%s&ie=UTF-8&hl=[...]
Found : user_pref("easygestures.customizations.searchQuery2", "hxxp://de.wikipedia.org/wiki/Spezial:Search?s[...]
Found : user_pref("easygestures.customizations.searchQuery3", "");
Found : user_pref("easygestures.customizations.searchQuery4", "");
Found : user_pref("easygestures.customizations.searchQuery5", "");
Found : user_pref("easygestures.customizations.searchQuery6", "");
Found : user_pref("easygestures.customizations.translateQuery", "hxxp://info.babylon.com/cgi-bin/info.cgi?ot[...]

-\\ Google Chrome v20.0.1132.57

File : C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found :          "name": "Winamp Application Detector",
Found :          "name": "Winamp Application Detector"

-\\ Opera v [Unable to get version]

File : C:\Users\***\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [11946 octets] - [16/07/2012 22:13:03]

########## EOF - C:\AdwCleaner[R1].txt - [12075 octets] ##########
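The prefs.js section of the scan above is the part of this log worth understanding: the Conduit toolbar engine records its own identifiers (user IDs, ETags for every server it polls) and, on a hijacked profile, also rewrites where typed searches and the home page go. The following scanner, an added example for this thread and not code from AdwCleaner or from the original post, pulls a prefs.js apart and reports three things: prefs in the CommunityToolbar.* and ConduitEngine.* namespaces (the two namespaces the log lists), the handful of prefs that route searches and the home page, and every host those entries point at. The sample prefs.js and the search-routing URLs in it are constructed for the demo. The scanner deliberately stays within the two Conduit namespaces; the easygestures.* and bettergmail2.* prefs that AdwCleaner also removed belong to unrelated add-ons and are left alone here.

```python
"""Flag browser-hijacker preferences in a Firefox prefs.js.

Added example for this thread, not AdwCleaner code and not from the
original post.  The pref namespaces it looks for (CommunityToolbar.*,
ConduitEngine.*) are the ones listed in the AdwCleaner log above; the
sample prefs.js below is constructed for the demo.
"""
import re

# One pref per line:  user_pref("name", value);
# The name may itself contain a URL (the ETag prefs do); the value is a JS
# literal and may contain escaped quotes such as "\"0\"".
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Namespaces written by the Conduit toolbar engine (taken from the log).
HIJACKER_PREFIXES = ("CommunityToolbar.", "ConduitEngine.")

# Prefs that decide where typed searches and the home page go; a hijacker
# rewrites these, so they are always reported, whoever set them.
SEARCH_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "keyword.URL",
}

# Accepts real http(s):// as well as the defanged hxxp:// form used in the log.
URL_RE = re.compile(r'h(?:xx|tt)ps?://([A-Za-z0-9.-]+)')


def parse_prefs(text):
    """Return {pref name: raw value literal} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1).replace('\\"', '"')] = m.group(2)
    return prefs


def scan_prefs(text):
    """Report hijacker-namespace prefs, search-routing prefs and the hosts they name."""
    prefs = parse_prefs(text)
    hijacker = {n: v for n, v in prefs.items() if n.startswith(HIJACKER_PREFIXES)}
    search = {n: v for n, v in prefs.items() if n in SEARCH_PREFS}
    hosts = set()
    for n, v in list(hijacker.items()) + list(search.items()):
        for m in URL_RE.finditer(n + " " + v):
            hosts.add(m.group(1).lower())
    return {"hijacker": hijacker, "search": search, "hosts": sorted(hosts)}


# Constructed sample; pref names and values are modelled on the log above.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.conduit.com/?ctid=CT2475029");
user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&q=");
user_pref("CommunityToolbar.ToolbarsList", "ConduitEngine");
user_pref("CommunityToolbar.OriginalEngineOwner", "CT2475029");
user_pref("CommunityToolbar.alert.clientsServerUrl", "http://alert.client.conduit.com");
user_pref("CommunityToolbar.ETag.http://alerts.conduit-services.com/root/868510/864310/DE", "\"0\"");
user_pref("ConduitEngine.UserID", "UN15566717195960056");
user_pref("easygestures.customizations.searchQuery1", "http://www.google.de/search?q=%s");
user_pref("network.cookie.cookieBehavior", 0);
'''

if __name__ == "__main__":
    report = scan_prefs(SAMPLE_PREFS_JS)
    for name, value in report["hijacker"].items():
        print("hijacker pref :", name, "=", value)
    for name, value in report["search"].items():
        print("search routing:", name, "=", value)
    print("hosts contacted:", ", ".join(report["hosts"]))
```

Run it against the real file (Firefox closed, so the profile is not being rewritten) and compare the host list with what AdwCleaner removed; a search-routing pref that still points at a toolbar search domain after the Delete pass is the thing to fix by hand.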


t'john 16.07.2012 21:34

Very good! :daumenhoc

How is the computer running?


  • Close all open programs and browsers.
  • Start adwcleaner.exe with a double-click.
  • Click Delete.
  • Confirm each prompt with OK.
  • Your computer will be restarted. After the restart a text file opens.
  • Post its contents in your next reply.
  • You will also find the log file at C:\AdwCleaner[S1].txt.

2ndSkin 16.07.2012 21:35

So far, so good :abklatsch:

I'll get back to you again shortly.

Code:

# AdwCleaner v1.702 - Logfile created 07/16/2012 at 22:36:44
# Updated 13/07/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : *** - ***-PC
# Running from : C:\Users\***\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\Conduit
Folder Deleted : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\ConduitEngine
Folder Deleted : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\WinampToolbarData
Folder Deleted : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
File Deleted : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\searchplugins\Conduit.xml

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\DT Soft
Key Deleted : HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Type***\{2D5E2D34-BED5-4B9F-9793-A31E26E6806E}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v13.0.1 (de)

Profile name : default
File : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\prefs.js

C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\user.js ... Deleted !

Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/868510/864310/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874426/870225/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874430/870228/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874431/870229/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874435/870233/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874437/870235/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874438/870236/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874439/870237/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874440/870238/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874441/870239/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/874443/870241/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/909619/905414/DE", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2475029", [...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=ct2481020", [...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/toolbar/", "\"63428984078257[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=0", "63[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=1/11/20[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/CT2475029/CT2475029[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/ct2481020/CT2475029[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/equaliz[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/minimiz[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/play.gi[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/stop.gi[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/vol.gif[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=de", "\"634[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"634[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/1344951.xml", "\"6c43e594350b8cbfad8e[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/16887175.xml", "\"834ad08fb6b554b5c7e[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/17151925.xml", "\"0fd81af39cadfc7507c[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/20536157.xml", "\"d6739014f847336d8fa[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/30261067.xml", "\"33826f9181124e5a81e[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/34655603.xml", "\"141c9c47d8bfd93153e[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/759251.xml", "\"3b537a8dedd7323a76ac6[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://twitter.com/users/show/816653.xml", "\"3310b3d566d4bd39f603d[...]
Deleted : user_pref("CommunityToolbar.EngineOwner", "");
Deleted : user_pref("CommunityToolbar.EngineOwnerGuid", "");
Deleted : user_pref("CommunityToolbar.EngineOwnerToolbarId", "");
Deleted : user_pref("CommunityToolbar.IsMyStuffImportedToEngine", true);
Deleted : user_pref("CommunityToolbar.OriginalEngineOwner", "CT2475029");
Deleted : user_pref("CommunityToolbar.OriginalEngineOwnerGuid", "{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}");
Deleted : user_pref("CommunityToolbar.OriginalEngineOwnerToolbarId", "myashampoo");
Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://search.yahoo.com/search?fr=panda&[...]
Deleted : user_pref("CommunityToolbar.ToolbarsList", "ConduitEngine");
Deleted : user_pref("CommunityToolbar.ToolbarsList2", "");
Deleted : user_pref("CommunityToolbar.alert.alertInfoInterval", 1440);
Deleted : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Thu Jan 27 2011 02:43:20 GMT+0100");
Deleted : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Deleted : user_pref("CommunityToolbar.alert.locale", "en");
Deleted : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Deleted : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Wed Jan 26 2011 23:51:33 GMT+0100");
Deleted : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1291052234");
Deleted : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Deleted : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Deleted : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Deleted : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Deleted : user_pref("CommunityToolbar.alert.userId", "439c7628-8e08-47d6-b3ff-b4ee51cf9051");
Deleted : user_pref("CommunityToolbar.twitter.user_1344951.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100"[...]
Deleted : user_pref("CommunityToolbar.twitter.user_16887175.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Deleted : user_pref("CommunityToolbar.twitter.user_17151925.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Deleted : user_pref("CommunityToolbar.twitter.user_20536157.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Deleted : user_pref("CommunityToolbar.twitter.user_30261067.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Deleted : user_pref("CommunityToolbar.twitter.user_34655603.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100[...]
Deleted : user_pref("CommunityToolbar.twitter.user_759251.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100")[...]
Deleted : user_pref("CommunityToolbar.twitter.user_816653.LastCheckTime", "Wed Jan 26 2011 23:51:38 GMT+0100")[...]
Deleted : user_pref("ConduitEngine.FirstServerDate", "01/27/2011 01");
Deleted : user_pref("ConduitEngine.FirstTime", true);
Deleted : user_pref("ConduitEngine.FirstTimeFF3", true);
Deleted : user_pref("ConduitEngine.HasUserGlobalKeys", true);
Deleted : user_pref("ConduitEngine.Initialize", true);
Deleted : user_pref("ConduitEngine.InitializeCommonPrefs", true);
Deleted : user_pref("ConduitEngine.InstalledDate", "Wed Jan 26 2011 23:51:34 GMT+0100");
Deleted : user_pref("ConduitEngine.IsMulticommunity", false);
Deleted : user_pref("ConduitEngine.IsOpenThankYouPage", false);
Deleted : user_pref("ConduitEngine.IsOpenUninstallPage", true);
Deleted : user_pref("ConduitEngine.LanguagePackLastCheckTime", "Wed Jan 26 2011 23:51:34 GMT+0100");
Deleted : user_pref("ConduitEngine.LastLogin_3.2.5.2", "Thu Jan 27 2011 16:25:50 GMT+0100");
Deleted : user_pref("ConduitEngine.PublisherContainerWidth", 0);
Deleted : user_pref("ConduitEngine.SearchFromAddressBarIsInit", true);
Deleted : user_pref("ConduitEngine.SettingsLastCheckTime", "Thu Jan 27 2011 16:25:46 GMT+0100");
Deleted : user_pref("ConduitEngine.UserID", "UN15566717195960056");
Deleted : user_pref("ConduitEngine.engineLocale", "de");
Deleted : user_pref("ConduitEngine.enngineContextMenuLastCheckTime", "Wed Jan 26 2011 23:51:34 GMT+0100");
Deleted : user_pref("ConduitEngine.initDone", true);
Deleted : user_pref("bettergmail2.enabled.inboxcount", true);
Deleted : user_pref("bettergmail2.enabled.inboxcountfirst", true);
Deleted : user_pref("easygestures.customizations.searchQuery1", "hxxp://www.google.de/search?q=%s&ie=UTF-8&hl=[...]
Deleted : user_pref("easygestures.customizations.searchQuery2", "hxxp://de.wikipedia.org/wiki/Spezial:Search?s[...]
Deleted : user_pref("easygestures.customizations.searchQuery3", "");
Deleted : user_pref("easygestures.customizations.searchQuery4", "");
Deleted : user_pref("easygestures.customizations.searchQuery5", "");
Deleted : user_pref("easygestures.customizations.searchQuery6", "");
Deleted : user_pref("easygestures.customizations.translateQuery", "hxxp://info.babylon.com/cgi-bin/info.cgi?ot[...]

-\\ Google Chrome v20.0.1132.57

File : C:\Users\***\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted :          "name": "Winamp Application Detector",
Deleted :          "name": "Winamp Application Detector"

-\\ Opera v [Unable to get version]

File : C:\Users\***\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [12071 octets] - [16/07/2012 22:13:03]
AdwCleaner[S1].txt - [12114 octets] - [16/07/2012 22:36:44]

########## EOF - C:\AdwCleaner[S1].txt - [12243 octets] ##########
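The two logs in this thread are a scan pass ([R1], "Found :") followed by a delete pass ([S1], "Deleted :"), and the check a helper would actually want is whether everything the scan listed was removed. The script below, an added example for this thread and not AdwCleaner code or anything from the original post, parses both logs and reports items found but not deleted and items deleted that the scan never listed (the delete pass above removes user.js in its own line format). Two details of the real logs drive the design: long prefs.js lines are truncated to a fixed width with "[...]", so two distinct prefs can print as the same string (the GottenApps pair above), which is why the items are counted rather than collected in a set; and the same registry path can appear with and without the [x64] marker, so the marker stays part of the key. The two log excerpts are constructed from the line formats visible in the thread; the "Folder Found"/"File Found"/"Key Found" wording of the scan pass is assumed to mirror the "... Deleted" wording of the delete pass.

```python
"""Reconcile an AdwCleaner scan log ([R1]) with the later delete log ([S1]).

Added example for this thread, not AdwCleaner code and not from the original
post.  The sample excerpts are constructed from the line formats in the thread.
"""
import re
from collections import Counter

# "Folder Deleted : path", "[x64] Key Found : path", "Found : user_pref(...)", ...
ITEM_RE = re.compile(
    r'^(\[x64\]\s+)?(?:(?:Folder|File|Key|Value)\s+)?(Found|Deleted)\s*:\s*(.+?)\s*$'
)
# The delete pass reports a removed user.js in its own format (see the S1 log).
USERJS_RE = re.compile(r'^(.+?)\s+\.\.\.\s+Deleted\s*!$')


def parse_log(text):
    """Return (found, deleted) Counters keyed by the logged item.

    Counters, not sets: truncated prefs.js lines can repeat verbatim and must
    be counted twice.  The [x64] marker stays in the key because the native
    and WOW6432 registry views are different keys.
    """
    found, deleted = Counter(), Counter()
    for raw in text.splitlines():
        line = raw.strip()
        m = USERJS_RE.match(line)
        if m:
            deleted[m.group(1)] += 1
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        item = ("[x64] " if m.group(1) else "") + m.group(3)
        (found if m.group(2) == "Found" else deleted)[item] += 1
    return found, deleted


def reconcile(scan_log, delete_log):
    """Items the scan listed but the delete pass did not remove, and vice versa."""
    found, _ = parse_log(scan_log)
    _, deleted = parse_log(delete_log)
    return {
        "found": sum(found.values()),
        "deleted": sum(deleted.values()),
        "missed": dict(found - deleted),  # Counter subtraction keeps positives only
        "extra": dict(deleted - found),
    }


# Constructed excerpts modelled on the [R1] and [S1] logs in this thread.
SAMPLE_R1 = r'''# AdwCleaner v1.702 - Logfile created 07/16/2012 at 22:13:03
# Option [Search]

***** [Files / Folders] *****

Folder Found : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\Conduit
File Found : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\searchplugins\Conduit.xml

***** [Registry] *****

Key Found : HKLM\SOFTWARE\DT Soft
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

-\\ Mozilla Firefox v13.0.1 (de)

Found : user_pref("CommunityToolbar.ToolbarsList", "ConduitEngine");
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
'''

SAMPLE_S1 = r'''# AdwCleaner v1.702 - Logfile created 07/16/2012 at 22:36:44
# Option [Delete]

Folder Deleted : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\Conduit
File Deleted : C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\searchplugins\Conduit.xml

Key Deleted : HKLM\SOFTWARE\DT Soft

C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\fg4op894.default\user.js ... Deleted !

Deleted : user_pref("CommunityToolbar.ToolbarsList", "ConduitEngine");
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
'''

if __name__ == "__main__":
    result = reconcile(SAMPLE_R1, SAMPLE_S1)
    print(f"scan listed {result['found']} items, delete pass removed {result['deleted']}")
    for item, n in result["missed"].items():
        print(f"NOT removed ({n}x): {item}")
    for item, n in result["extra"].items():
        print(f"removed without being listed ({n}x): {item}")
```

In the constructed pair the 64-bit Interface key and one of the two identically truncated GottenApps prefs come back as missed, which is exactly the situation where a second Delete pass, or a manual look at the remaining key, is warranted. For the real logs in this thread every Found line has a matching Deleted line.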


t'john 16.07.2012 21:46

Very good! :daumenhoc

For verification:

Malware scan with Emsisoft Anti-Malware

Download the free version of => Emsisoft Anti-Malware and install the program.
Download the current signatures via Update now.
Select the freeware mode.

Select Detail Scan and start the check of the computer via the Scan button.
At the end of the scan do not let it delete anything! Save the log file to the desktop by clicking Save report and post it here in the thread.

Instructions: http://www.trojaner-board.de/103809-...i-malware.html

2ndSkin 16.07.2012 22:07

Scan at 50%. Two findings so far. As a layman I'd say "uncritical"...

Code:

Emsisoft Anti-Malware - Version 6.6
Last update: 16.07.2012 22:52:19

Scan settings:

Scan method: Detail Scan
Objects: Rootkits, Memory, Traces, C:\, E:\, F:\, G:\, H:\, I:\, J:\
Archive scan: On
ADS scan: On

Scan start:        16.07.2012 22:52:27

Key: hkey_current_user\software\microsoft\wab        found: Trace.Registry.win32.zbot!E1
E:\Old\Users\Crash\Desktop\arc\files\zergRush        found: Exploit.Linux.Lotoor!E2
F:\Program Files (x86)\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe        found: Adware.Win32.Toolbar.Dealio.AMN!E1
H:\Users\Crash\Desktop\arc\files\zergRush        found: Exploit.Linux.Lotoor!E2

Scanned        730236
Found        4

Scan end:        17.07.2012 00:45:26
Scan time:        1:52:59

As for Romania: I could imagine that it has to do with the Firefox add-on Stealthy...


Copyright ©2000-2025, Trojaner-Board