Trojaner-Board


bergii 16.02.2011 18:03

Computer slowed down, hangs for a short time
 
Hello,
my PC has slowed down since Saturday, 12.02, and hangs briefly whenever I start an application.
On Saturday my antivirus found the files xnd464.exe and xnda2f.exe, detected them as a threat and then quarantined them.
Could you take a look at whether there are still any effects of those files here?
HijackThis logfile:
Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:59, on 16.02.2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
E:\Program Files (x86)\SpeedFan\speedfan.exe
E:\Program Files (x86)\ICQ7.4\ICQ.exe
E:\Program Files (x86)\Mozilla Firefox\firefox.exe
E:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
E:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\17.8.0.5\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
O4 - HKLM\..\Run: [EnergySettings] C:\Program Files (x86)\Fujitsu Siemens Computers\Energy Settings\EnergySettings.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CanonSolutionMenuEx] "C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" /logon
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [fsc-reg] C:\fsc-reg\fscreg.exe 20110131
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ICQ] "E:\Program Files (x86)\ICQ7.4\ICQ.exe" silent loginmode=4
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files (x86)\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files (x86)\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - E:\Program Files (x86)\ICQ7.4\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - E:\Program Files (x86)\ICQ7.4\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/de/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - hxxp://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASP.NET-Zustandsdienst (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Update Service (gupdate1ca2a2c3fc24000) (gupdate1ca2a2c3fc24000) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton AntiVirus Kompakt (NAV) - Symantec Corporation - C:\Program Files (x86)\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\Program Files (x86)\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8480 bytes

--- --- ---
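An added example, not code from the forum or from HijackThis: a small triage script that reads O4 (autostart) and O23 (service) lines in the format of the log above and sorts them into the buckets an analyst looks at first. Entries whose image lives outside Program Files or Windows (here the fsc-reg entry) are only flagged for a second look, not judged; bare image names that are resolved through the PATH (the rundll32 entry) are listed separately; services reported as "(file missing)" are counted, with the caveat that the 32-bit HijackThis 2.0.2 build commonly reports System32 services that way on 64-bit Windows because of WOW64 file-system redirection. The sample lines are copied from the log above; the environment-variable defaults and the trusted-directory list are assumptions of this example.

```python
import re

# Constructed sample: a handful of lines copied in the style of the HijackThis
# log posted above (same line formats, same entries).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [fsc-reg] C:\fsc-reg\fscreg.exe 20110131
O4 - HKCU\..\Run: [ICQ] "E:\Program Files (x86)\ICQ7.4\ICQ.exe" silent loginmode=4
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

# O4 = autostart entries (Run keys / Startup folders), O23 = installed services.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Cut an unquoted command line at the first image extension that is followed by
# whitespace or end of line, so unquoted paths containing spaces survive intact.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js))(?=\s|$)", re.IGNORECASE)
# A path is "qualified" when it starts with a drive letter or an %ENV% variable.
QUALIFIED_RE = re.compile(r"^(%[^%]+%|[A-Za-z]:)\\")

# Assumed default expansions for the variables HijackThis leaves unexpanded.
ENV_DEFAULTS = {
    "%programfiles%": r"C:\Program Files",
    "%systemroot%": r"C:\Windows",
    "%windir%": r"C:\Windows",
}
# Directories where autostarted programs are expected to live (a heuristic, not a verdict).
TRUSTED_DIRS = ("\\program files\\", "\\program files (x86)\\", "\\windows\\")


def extract_image_path(cmd: str) -> str:
    """Return just the executable from an O4 command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def expand_env(path: str) -> str:
    low = path.lower()
    for var, value in ENV_DEFAULTS.items():
        if low.startswith(var):
            return value + path[len(var):]
    return path


def is_unusual_location(path: str) -> bool:
    low = expand_env(path).lower()
    return not any(d in low for d in TRUSTED_DIRS)


def triage(text: str) -> dict:
    """Sort O4/O23 entries into the buckets an analyst reads first."""
    report = {"unusual_autoruns": [], "unqualified_autoruns": [], "services_file_missing": []}
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            image = extract_image_path(m.group("cmd"))
            if not QUALIFIED_RE.match(image):
                # Bare image name: resolved through the PATH at logon, so the real
                # file (and, for rundll32, the DLL argument) still has to be located.
                report["unqualified_autoruns"].append((m.group("name"), image))
            elif is_unusual_location(image):
                report["unusual_autoruns"].append((m.group("name"), image))
            continue
        m = O23_RE.match(line)
        if m and m.group("missing"):
            report["services_file_missing"].append((m.group("display"), m.group("path")))
    return report


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_HJT).items():
        print(bucket)
        for name, image in entries:
            print(f"  {name}: {image}")
```

The script deliberately reports locations rather than verdicts: an autorun under C:\fsc-reg is unusual for a consumer machine, but deciding whether it is vendor software or malware is the job of the helper reading the log, ideally with the file's hash and signer in hand.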

cosinus 16.02.2011 20:35

Please note => http://www.trojaner-board.de/95173-b...es-posten.html and http://www.trojaner-board.de/69886-a...-beachten.html

bergii 16.02.2011 22:03

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 5774

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

16.02.2011 21:06:11
mbam-log-2011-02-16 (21-06-11).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|G:\|)
Durchsuchte Objekte: 344364
Laufzeit: 57 Minute(n), 3 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (hxxp://www.helpmeopen.com/?n=app&ext=%s) Good: (hxxp://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\program files (x86)\pando networks\media booster\uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Stefan\AppData\Roaming\desktopicon\ebayshortcuts.exe (Adware.ADON) -> Quarantined and deleted successfully.
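An added example, not code from the forum or from Malwarebytes: a parser for the hit lines in the format of the Malwarebytes log above, plus a check that pulls out the file-association redirect the log records. The log shows Explorer's "Associations\Application" value pointing at helpmeopen.com where the expected (Good:) value is Microsoft's shell.windows.com handler, with the original saved as bak_Application; the check below compares the hosts of the Bad: and Good: URLs so that such a redirect stands out regardless of which host it was redirected to. The sample is a constructed excerpt containing the log's own lines, with the URLs left defanged as "hxxp" exactly as the log prints them.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed excerpt in the format of the Malwarebytes log posted above. The section
# headers are the German ones the log uses; the hit lines are copied from the log.
SAMPLE_MBAM = r"""
Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (hxxp://www.helpmeopen.com/?n=app&ext=%s) Good: (hxxp://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\program files (x86)\pando networks\media booster\uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Stefan\AppData\Roaming\desktopicon\ebayshortcuts.exe (Adware.ADON) -> Quarantined and deleted successfully.
"""

# "<target> (<Family.Name>) -> <rest>"; the target itself may contain "(x86)", so the
# detection name is restricted to identifier characters and must be followed by " -> ".
HIT_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_mbam(text: str) -> list:
    """Turn the hit lines of a Malwarebytes log into records tagged with their section."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank, or "(Keine bösartigen Objekte gefunden)"
            continue
        if line.endswith(":"):                  # section header such as "Infizierte Dateien:"
            section = line[:-1]
            continue
        m = HIT_RE.match(line)
        if not m:
            continue
        hit = {"section": section, "target": m.group("target"),
               "detection": m.group("detection"), "bad": None, "good": None}
        rest = m.group("rest")
        bg = BADGOOD_RE.match(rest)
        if bg:
            hit.update(bad=bg.group("bad"), good=bg.group("good"), action=bg.group("action"))
        else:
            hit["action"] = rest.rsplit("-> ", 1)[-1]   # skip an optional "Value: ... -> " prefix
        hits.append(hit)
    return hits


def host_of(defanged_url: str):
    # The log prints URLs with "hxxp" so they are not clickable; refang only to parse the host.
    return urlsplit(defanged_url.replace("hxxp://", "http://", 1)).hostname


def association_hijacks(hits: list) -> list:
    """Entries where a handler URL was redirected to a different host than the expected one."""
    out = []
    for h in hits:
        if h["bad"] and h["good"]:
            bad_host, good_host = host_of(h["bad"]), host_of(h["good"])
            if bad_host != good_host:
                out.append((h["target"].rsplit("\\", 1)[-1], bad_host, good_host))
    return out


def families(hits: list) -> Counter:
    """Count hits by detection family (the part before the first dot)."""
    return Counter(h["detection"].split(".")[0] for h in hits)


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_MBAM)
    print(families(found))
    for value, bad_host, good_host in association_hijacks(found):
        print(f"{value}: redirected to {bad_host} (expected {good_host})")
```

The Good: value Malwarebytes prints is the expected default, so a defender can use the same comparison on a live machine: read the Associations key and compare the host of the configured URL with the expected one before trusting the "Search the web for a program" dialog.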

cosinus 16.02.2011 22:14

Are there any other Malwarebytes logs? If so, please post all of them. You can find them in the Logs tab in Malwarebytes.

bergii 16.02.2011 22:21

Attached are all the Malwarebytes logs and the OTL log.

cosinus 16.02.2011 23:35

Close all programs, start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied too!!!)

Code:

:OTL
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.11.30 06:43:01 | 000,000,000 | RH-D | M] - G:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002.10.17 03:56:50 | 000,000,036 | RH-- | M] () - G:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{b17aef0e-1724-11e0-a1ce-001bdc0f5e2f}\Shell - "" = AutoRun
O33 - MountPoints2\{b17aef0e-1724-11e0-a1ce-001bdc0f5e2f}\Shell\AutoRun\command - "" = "M:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{f1886aa0-14b5-11e0-bada-001bdc0f5e2f}\Shell - "" = AutoRun
O33 - MountPoints2\{f1886aa0-14b5-11e0-bada-001bdc0f5e2f}\Shell\AutoRun\command - "" = M:\LaunchU3.exe
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:5B30BB17
:Commands
[purity]
[resethosts]
[emptytemp]

Then click the Fix button at the top left!
The logfile should open when you click OK after the fix; please post it. The computer may be restarted.

bergii 17.02.2011 14:56

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
File not found.
G:\autorun.inf moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b17aef0e-1724-11e0-a1ce-001bdc0f5e2f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b17aef0e-1724-11e0-a1ce-001bdc0f5e2f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b17aef0e-1724-11e0-a1ce-001bdc0f5e2f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b17aef0e-1724-11e0-a1ce-001bdc0f5e2f}\ not found.
File "M:\WD SmartWare.exe" autoplay=true not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f1886aa0-14b5-11e0-bada-001bdc0f5e2f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f1886aa0-14b5-11e0-bada-001bdc0f5e2f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f1886aa0-14b5-11e0-bada-001bdc0f5e2f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f1886aa0-14b5-11e0-bada-001bdc0f5e2f}\ not found.
File M:\LaunchU3.exe not found.
ADS C:\ProgramData\TEMP:5B30BB17 deleted successfully.
========== COMMANDS ==========
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: AppData

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mcx1-STEFAN-PC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3431759 bytes
->Flash cache emptied: 41661 bytes

User: Public

User: Stefan
->Temp folder emptied: 747144 bytes
->Temporary Internet Files folder emptied: 1537087 bytes
->Java cache emptied: 61357260 bytes
->FireFox cache emptied: 42785239 bytes
->Google Chrome cache emptied: 37275808 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 7945 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 512000 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2216928 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 51973 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 143,00 mb


OTL by OldTimer - Version 3.2.20.6 log created on 02172011_144822

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot...

cosinus 17.02.2011 15:06

Then please run CF now:

ComboFix

A guide and tutorial on using ComboFix
  • Download ComboFix here to your desktop. Rename it to cofi.exe while downloading.
http://saved.im/mtm0nzyzmzd5/cofi.jpg
  • Close all programs, especially your antivirus program and other background guards, as well as your web browser.
  • Start cofi.exe from your desktop, confirm the warning messages, perform the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste them into your post ([Ctrl]v). You can also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when a helper (Kompetenzler) has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.

bergii 17.02.2011 15:41

One more question: is it normal that the program removes Malwarebytes from the desktop?

Here is the log:

ComboFix logfile:
Code:

ComboFix 11-02-16.05 - Stefan 17.02.2011  15:25:57.1.4 - x64
Microsoft® Windows Vista™ Home Premium  6.0.6002.2.1252.49.1031.18.4094.2460 [GMT 1:00]
ausgeführt von:: c:\users\Stefan\Desktop\cofi.exe
AV: Norton AntiVirus Kompakt *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\CFLog
c:\program files (x86)\Java
c:\programdata\Desktop
c:\users\Stefan\AppData\Roaming\Desktopicon

.
(((((((((((((((((((((((  Dateien erstellt von 2011-01-17 bis 2011-02-17  ))))))))))))))))))))))))))))))
.

2011-02-17 14:31 . 2011-02-17 14:34        --------        d-----w-        c:\users\Stefan\AppData\Local\temp
2011-02-17 13:48 . 2011-02-17 13:48        --------        d-----w-        C:\_OTL
2011-02-16 17:33 . 2010-12-20 17:09        38224        ----a-w-        c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-16 13:27 . 2011-01-13 10:20        7844688        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{E20454CA-9EE1-4DED-9DE8-C8E4A3148E20}\mpengine.dll
2011-02-15 19:07 . 2011-02-15 19:18        --------        d-----w-        c:\users\Stefan\AppData\Local\Yahoo
2011-02-15 19:07 . 2011-02-15 19:07        --------        d-----w-        c:\users\Stefan\AppData\Roaming\Yahoo!
2011-02-15 18:54 . 2011-02-15 19:18        --------        d-----w-        c:\programdata\Yahoo!
2011-02-14 18:41 . 2011-02-14 18:41        --------        d-sh--w-        c:\programdata\SecuROM
2011-02-14 15:43 . 2011-02-14 18:40        --------        d-----w-        c:\users\Stefan\AppData\Local\Rockstar Games
2011-02-14 15:36 . 2011-02-14 17:37        --------        d-----w-        c:\program files (x86)\Microsoft Games for Windows - LIVE
2011-02-14 15:36 . 2011-02-14 15:36        --------        d-----w-        c:\windows\SysWow64\xlive
2011-02-13 10:48 . 2011-02-13 10:48        --------        d-----w-        c:\programdata\DVD Shrink
2011-02-13 09:55 . 2010-10-15 14:02        4699024        ----a-w-        c:\windows\system32\ntoskrnl.exe
2011-02-13 09:55 . 2010-10-15 13:43        1168512        ----a-w-        c:\windows\SysWow64\ntdll.dll
2011-02-13 09:55 . 2010-10-15 13:43        1585168        ----a-w-        c:\windows\system32\ntdll.dll
2011-02-13 09:53 . 2011-01-08 09:03        48128        ----a-w-        c:\windows\system32\atmlib.dll
2011-02-13 09:53 . 2011-01-08 08:47        34304        ----a-w-        c:\windows\SysWow64\atmlib.dll
2011-02-13 09:53 . 2011-01-08 06:45        367104        ----a-w-        c:\windows\system32\atmfd.dll
2011-02-13 09:53 . 2011-01-08 06:28        292352        ----a-w-        c:\windows\SysWow64\atmfd.dll
2011-02-13 09:53 . 2010-12-31 14:16        2757632        ----a-w-        c:\windows\system32\win32k.sys
2011-02-11 14:38 . 2004-10-22 01:18        749568        ----a-w-        c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll
2011-02-11 14:38 . 2004-10-22 01:17        69715        ----a-w-        c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll
2011-02-11 14:38 . 2004-10-22 01:17        274432        ----a-w-        c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll
2011-02-11 14:38 . 2004-10-22 01:16        180224        ----a-w-        c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll
2011-02-11 14:38 . 2004-10-22 01:16        5632        ----a-w-        c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe
2011-02-11 14:37 . 2011-02-11 14:37        323716        ----a-w-        c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll
2011-02-11 14:37 . 2011-02-11 14:37        192644        ----a-w-        c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll
2011-02-11 14:31 . 2011-02-11 14:31        --------        d-----w-        c:\users\Stefan\AppData\Roaming\Earth 2140
2011-02-08 17:13 . 2011-02-08 17:13        --------        d-----w-        c:\users\Stefan\AppData\Roaming\Unigraphics Solutions
2011-02-08 17:00 . 2011-02-08 17:00        178800        ----a-w-        c:\windows\SysWow64\CmdLineExt_x64.dll
2011-02-05 07:55 . 2006-09-20 15:58        40960        ----a-w-        c:\windows\SysWow64\psfind.dll
2011-02-05 07:55 . 2003-03-18 23:20        1060864        ----a-w-        c:\windows\SysWow64\mfc71.dll
2011-02-02 16:33 . 2011-02-02 16:33        --------        d-----w-        c:\users\Stefan\Musik_Alben
2011-02-02 15:01 . 2011-02-02 15:01        --------        d-----w-        c:\users\Stefan\AppData\Roaming\NVIDIA
2011-02-02 15:00 . 2011-02-02 15:00        --------        d-----w-        c:\users\Stefan\AppData\Local\Ascaron Entertainment
2011-02-02 14:58 . 2008-07-12 07:18        467984        ----a-w-        c:\windows\SysWow64\d3dx10_39.dll
2011-02-02 14:58 . 2008-07-12 07:18        1493528        ----a-w-        c:\windows\SysWow64\D3DCompiler_39.dll
2011-02-02 14:58 . 2008-07-12 07:18        540688        ----a-w-        c:\windows\system32\d3dx10_39.dll
2011-02-02 14:58 . 2008-07-12 07:18        1942552        ----a-w-        c:\windows\system32\D3DCompiler_39.dll
2011-02-02 14:58 . 2008-07-12 07:18        3851784        ----a-w-        c:\windows\SysWow64\D3DX9_39.dll
2011-02-02 14:58 . 2008-07-12 07:18        4992520        ----a-w-        c:\windows\system32\D3DX9_39.dll
2011-01-30 15:45 . 2011-01-30 15:45        135568        ----a-w-        c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2011-01-29 13:13 . 2011-02-11 14:53        --------        d-----w-        c:\users\Stefan\AppData\Roaming\InstallShield Installation Information
2011-01-19 21:03 . 2011-01-19 21:04        --------        d-----w-        c:\users\Stefan\AppData\Roaming\PhotoScape

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-14 17:41 . 2009-08-18 11:49        564632        ----a-w-        c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-02-14 17:41 . 2009-08-18 10:24        18328        ----a-w-        c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-02 16:11 . 2011-01-03 08:08        270720        ------w-        c:\windows\system32\MpSigStub.exe
2010-12-28 16:08 . 2011-01-12 15:27        466944        ----a-w-        c:\windows\system32\odbc32.dll
2010-12-28 15:55 . 2011-01-12 15:27        413696        ----a-w-        c:\windows\SysWow64\odbc32.dll
2010-12-20 17:08 . 2010-04-27 14:40        24152        ----a-w-        c:\windows\system32\drivers\mbam.sys
2010-12-17 10:41 . 2010-12-17 10:41        521448        ----a-w-        c:\windows\system32\deployJava1.dll
2010-12-14 16:15 . 2011-01-12 15:27        1251840        ----a-w-        c:\windows\system32\sdclt.exe
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files (x86)\Windows Sidebar\sidebar.exe" [2009-04-10 1233920]
"fsc-reg"="c:\fsc-reg\fscreg.exe" [2008-08-01 380688]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 152064]
"ICQ"="e:\program files (x86)\ICQ7.4\ICQ.exe" [2011-02-12 119608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"EnergySettings"="c:\program files (x86)\Fujitsu Siemens Computers\Energy Settings\EnergySettings.exe" [2008-09-19 113664]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-08-27 135536]
"Adobe Reader Speed Launcher"="e:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"fsc-reg"="c:\fsc-reg\fscreg.exe" [2008-08-01 380688]

c:\users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-3-14 2938184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer7"=wdmaud.drv

R2 gupdate1ca2a2c3fc24000;Google Update Service (gupdate1ca2a2c3fc24000);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-08-31 133104]
R3 camfilt2;camfilt2;c:\windows\system32\DRIVERS\camfilt2.sys [2007-08-06 137728]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-08-27 36720]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NAVx64\1008000.029\SYMNDISV.SYS [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R4 UPnPService;UPnPService;c:\program files (x86)\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 544768]
S0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\System32\drivers\sfdrv01a.sys [2006-07-05 77688]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAVx64\1108000.005\SYMDS64.SYS [2009-08-30 433200]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAVx64\1108000.005\SYMEFA64.SYS [2010-04-22 221232]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20110211.003\BHDrvx64.sys [2011-02-11 1124472]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAVx64\1108000.005\ccHPx64.sys [2010-02-26 615040]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20110216.001\IDSvia64.sys [2010-11-09 476792]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAVx64\1108000.005\Ironx64.SYS [2010-04-29 150064]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAVx64\1108000.005\SYMTDIV.SYS [2010-05-06 451120]
S2 NAV;Norton AntiVirus Kompakt;c:\program files (x86)\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-10-22 132656]

.
Inhalt des "geplante Tasks" Ordners

2011-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-08-31 11:14]

2011-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-08-31 11:14]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-01-06 6962720]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-01-06 1833504]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-24 2726728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: {{73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - e:\program files (x86)\ICQ7.4\ICQ.exe
FF - ProfilePath - c:\users\Stefan\AppData\Roaming\Mozilla\Firefox\Profiles\6l91zjr2.default\
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=skin&q=
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - e:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - e:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - e:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - e:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - e:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XboxFox: {8e175e4c-dec2-4917-bd9a-d75e7cb33d61} - %profile%\extensions\{8e175e4c-dec2-4917-bd9a-d75e7cb33d61}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

Wow6432Node-HKU-Default-Run-Picasa Media Detector - c:\program files (x86)\Picasa2\PicasaMediaDetector.exe
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files (x86)\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files (x86)\Norton AntiVirus\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1035250212-1173603221-2839851230-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:01,0d,2b,75,d9,54,9a,3f,e1,70,36,b0,f0,d0,07,a8,0f,66,11,a4,7a,1e,9f,
  34,a2,80,8a,2e,c9,f5,6d,9e,72,36,3f,e3,55,95,90,97,2e,b1,73,ac,34,2c,dd,7d,\
"??"=hex:fa,ac,54,d4,d7,78,06,b5,8e,83,99,28,f1,68,04,d9

[HKEY_USERS\S-1-5-21-1035250212-1173603221-2839851230-1000\Software\SecuROM\License information*]
"datasecu"=hex:82,4a,a6,1a,0e,87,15,e5,4f,9c,a6,55,31,b2,03,a0,c9,14,85,b2,7a,
  a6,f9,20,b1,bd,af,47,4d,6e,e4,eb,23,20,5f,03,b4,aa,80,0b,ee,eb,ba,05,1f,6a,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
  00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-02-17  15:39:02 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2011-02-17 14:39

Vor Suchlauf: 17 Verzeichnis(se), 251.368.525.824 Bytes frei
Nach Suchlauf: 20 Verzeichnis(se), 251.166.195.712 Bytes frei

- - End Of File - - 57DCFD71082F5682C1E3DC3109226F74

--- --- ---

cosinus 17.02.2011 16:34

Now please create and post logs with GMER and mbrcheck.
GMER crashes fairly often; if the tool still won't work on the 2nd try, just skip it.

Instructions for mbrcheck:
Download MBRCheck (by a_d_13) and save the file to the desktop.
  • Double-click MBRCheck.exe.
    Vista and Win7 users: right-click, "Run as administrator"
  • The tool only needs a few seconds.
  • Afterwards you should find a MBRCheck_<Date>_<Time>.txt on the desktop.
Please post the contents of the .txt document for me.

bergii 17.02.2011 16:41

The log is attached.

cosinus 17.02.2011 17:05

GMER didn't work?

Code:

      Size  Device Name          MBR Status
  --------------------------------------------
    931 GB  \\.\PhysicalDrive0  MBR Code Faked!
            SHA1: 00029BA0A81E2E6CE37EA5CB7AD650F272333790
    465 GB  \\.\PhysicalDrive1  MBR Code Faked!
            SHA1: A17C1B427645D7EEE143585CA92D9BDA7535F422

Code faked is bad for a start :balla:

Do you have a DVD matching your Windows version at hand:

Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
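An added example, not code from the forum or from MBRCheck: a parser for the per-drive table in the format of the MBRCheck output above, returning each drive's size, device name, status and the SHA1 of its boot code, together with a follow-up filter. MBRCheck's own verdict is taken from the status text; the assumption of this example is that a recognised bootloader is reported with the wording "MBR code detected", and that an analyst may add their own allowlist of SHA1 hashes taken from the boot sector of a clean installation of the same Windows version (which is what the DVD question above is leading to). The sample is constructed from the two drive records posted above.

```python
import re

# Constructed sample in the format of the MBRCheck output posted above.
SAMPLE_MBRCHECK = r"""
      Size  Device Name          MBR Status
  --------------------------------------------
    931 GB  \\.\PhysicalDrive0  MBR Code Faked!
            SHA1: 00029BA0A81E2E6CE37EA5CB7AD650F272333790
    465 GB  \\.\PhysicalDrive1  MBR Code Faked!
            SHA1: A17C1B427645D7EEE143585CA92D9BDA7535F422
"""

# "<size> <unit>  \\.\PhysicalDriveN  <status>" followed by an indented "SHA1: <hex>" line.
DRIVE_RE = re.compile(r"^\s*(?P<size>\d+ [KMGT]B)\s+(?P<device>\\\\\.\\\S+)\s+(?P<status>.+?)\s*$")
SHA1_RE = re.compile(r"^\s*SHA1: (?P<sha1>[0-9A-Fa-f]{40})\s*$")
# Assumed wording MBRCheck uses for a bootloader it recognises (example assumption).
KNOWN_CODE_RE = re.compile(r"MBR code detected", re.IGNORECASE)


def parse_mbrcheck(text: str) -> list:
    """Return one record per physical drive, attaching the SHA1 line that follows it."""
    drives, current = [], None
    for line in text.splitlines():
        m = DRIVE_RE.match(line)
        if m:
            current = {"size": m.group("size"), "device": m.group("device"),
                       "status": m.group("status"), "sha1": None}
            drives.append(current)
            continue
        m = SHA1_RE.match(line)
        if m and current is not None:
            current["sha1"] = m.group("sha1").upper()
    return drives


def needs_followup(drives: list, allowlist=frozenset()) -> list:
    """Drives whose boot code MBRCheck did not recognise and whose hash is not on our own allowlist.

    The allowlist is meant to hold SHA1 hashes an analyst computed from a clean boot
    sector of the same Windows version; it is empty by default in this example.
    """
    return [d for d in drives
            if not KNOWN_CODE_RE.search(d["status"])
            and (d["sha1"] or "").upper() not in {h.upper() for h in allowlist}]


if __name__ == "__main__":
    records = parse_mbrcheck(SAMPLE_MBRCHECK)
    for d in needs_followup(records):
        print(f"{d['device']} ({d['size']}): {d['status']} sha1={d['sha1']}")
```

An unrecognised MBR on its own is a prompt for further checks (an anti-rootkit scan, or comparing the boot code against a clean copy), not proof of a bootkit; the filter therefore only narrows the list of drives to look at.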

bergii 17.02.2011 17:08

No, GMER didn't work.
No, I downloaded the version.

cosinus 17.02.2011 17:22

Because of the "unknown" MBR, please run this tool from Kaspersky => http://www.trojaner-board.de/82358-t...entfernen.html

bergii 17.02.2011 17:42

TDSSKiller from Kaspersky doesn't create a log after the scan.
And it looks different for me than in the instructions.

