Trojaner-Board
Thread: Removal of gema.exe (https://www.trojaner-board.de/111720-beseitigung-gema-exe.html)

cosinus 04.04.2012 11:21

Quote:

CHR - plugin: DivX Web Player (Enabled) = C:\Programme\DivX\DivX Plus Web Player\npdivx32.dll
Tell me, do you also belong to the crowd that watches TV series and movies via dubious portals?
If so: hands off in future. These illegal portals spread malware, and if you want to be malware-free in future you have to switch to legal alternatives and stay away from such risky streaming sites!
It is precisely such streaming sites that are responsible for the current wave of ransomware that blocks Windows and tries to extort 50 or 100 EUR!!

Malwarenervt 04.04.2012 19:31

I once visited a site that offers that kind of thing.
Is my computer OK again now?

cosinus 04.04.2012 22:23

No! That was only a hint for now, isn't that obvious?!
If you no longer use this DivX stuff (and you certainly won't be using it for illegal stuff any more in future), then uninstall it completely.
After that, create a new OTL log again as described above.

Malwarenervt 07.04.2012 09:28

I don't have a folder C:\Programme\DivX.
But I do have two folders in C: that are called "Programme". Access to one of them is denied; it has a padlock on it.

cosinus 07.04.2012 18:03

Then DivX was installed at some point. Well, it doesn't matter. It was only a warning, because many people hang around on these streaming sites, and DivX is often required for that. And such illegal sites mainly distribute this kind of malware :pfeiff:

Run an OTL fix: close all programs that may be open, also deactivate the virus scanner (!), start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom of OTL): (the ":OTL" must be copied along with it!!!)


Code:

:OTL
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
IE - HKU\S-1-5-21-67750739-3866145124-1799724527-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com/?a=ddrnw
IE - HKU\S-1-5-21-67750739-3866145124-1799724527-1003\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
[2012.02.15 13:53:07 | 000,000,000 | ---D | M] (DVDVideoSoftTB Community Toolbar) -- C:\Users\PBG\AppData\Roaming\mozilla\Firefox\Profiles\moc6o292.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
[2011.03.26 19:52:24 | 000,002,394 | ---- | M] () -- C:\Users\PBG\AppData\Roaming\Mozilla\Firefox\Profiles\moc6o292.default\searchplugins\askcom.xml
O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Programme\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll (facemoods.com BHO)
O3 - HKLM\..\Toolbar: (no name) - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Programme\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll (facemoods.com)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [facemoods] C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe (facemoods.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\preinst.exe
[2012.03.17 19:05:45 | 000,000,000 | ---D | C] -- C:\Users\PBG\AppData\Roaming\gema
[2012.03.17 19:05:45 | 000,000,000 | ---D | C] -- C:\ProgramData\gema
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:E8BE05FA
:Commands
[purity]
[emptytemp]
[emptyflash]
[resethosts]

Then click the Fix! button at the top left.
The log file should open when you click OK after the fix; please post it. The computer may be restarted.

The entries, files and folders fixed by this script are not deleted completely; as a safety measure, a backup copy is created on the system partition in the "_OTL" folder.

Note: The script above was created only for this one user in this one situation. It cannot be ported to any other computer and must not be used elsewhere, as it can cause lasting damage to the system!

Malwarenervt 17.04.2012 20:35

I've only just done it now.
There was an error message, something about the HOST directory. Then OTL didn't continue. I then restarted the netbook; here is the OTL log:

Code:

Files\Folders moved on Reboot...
File move failed. C:\windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Further instructions please ;)

cosinus 18.04.2012 11:22

Please repeat the fix in Safe Mode

Malwarenervt 07.05.2012 19:36

Hello dear helper,

I've only done this today. I hope I can still get help now.
The log file:

Code:

All processes killed
========== OTL ==========
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Ask.com" removed from browser.search.defaultenginename
Prefs.js: "Ask.com" removed from browser.search.order.1
HKU\S-1-5-21-67750739-3866145124-1799724527-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-67750739-3866145124-1799724527-1003\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D7562AE-8EF6-416d-A838-AB665251703A}\ not found.
Folder C:\Users\PBG\AppData\Roaming\mozilla\Firefox\Profiles\moc6o292.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\ not found.
File C:\Users\PBG\AppData\Roaming\Mozilla\Firefox\Profiles\moc6o292.default\searchplugins\askcom.xml not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486b-A045-B233BD0DA8FC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\ not found.
File C:\Programme\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\ not found.
File C:\Programme\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\facemoods not found.
File C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
File C:\autoexec.bat not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
File E:\preinst.exe not found.
Folder C:\Users\PBG\AppData\Roaming\gema\ not found.
Folder C:\ProgramData\gema\ not found.
Unable to delete ADS C:\ProgramData\TEMP:E8BE05FA .
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: PBG
->Temp folder emptied: 60815473 bytes
->Temporary Internet Files folder emptied: 254036532 bytes
->Java cache emptied: 893705 bytes
->FireFox cache emptied: 363070713 bytes
->Google Chrome cache emptied: 105632102 bytes
->Opera cache emptied: 11205406 bytes
->Flash cache emptied: 25156 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 132 bytes
RecycleBin emptied: 1799656 bytes
 
Total Files Cleaned = 761,00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: PBG
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0,00 mb
 
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.39.2 log created on 05072012_202554

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
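The two fix logs above (the first pass, where the Hosts move failed and was deferred to reboot, and the Safe Mode pass, where only the alternate data stream remained) are what the helper reads to decide whether the OTL fix from the earlier post has to be rerun. As an added example that is not part of this thread or of OTL itself, this Python script classifies every line of an OTL fix log by outcome and lists the targets that still need a second pass; the embedded excerpts are taken from the logs posted above.

```python
"""Classify the outcome of each line of an OTL fix log.

Line shapes seen in the logs posted in this thread:
  "... moved successfully." / "... value set successfully!" / "Prefs.js: ... removed from ..."  -> done
  "Registry key|Registry value|File|Folder ... not found."                                       -> already gone
  "File move failed. ... scheduled to be moved on reboot."                                       -> pending reboot
  "Unable to delete ADS ... ."                                                                   -> failed
"""
import re
from collections import defaultdict

# Excerpt of the first fix log posted above (normal mode): the Hosts move was deferred.
FIRST_PASS = r"""
Files\Folders moved on Reboot...
File move failed. C:\windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot...
"""

# Excerpt of the Safe Mode fix log posted above: most targets were already gone, the ADS survived.
SECOND_PASS = r"""
All processes killed
========== OTL ==========
Prefs.js: "Ask.com" removed from browser.search.defaultengine
HKU\S-1-5-21-67750739-3866145124-1799724527-1003\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\ not found.
File C:\Programme\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll not found.
Folder C:\ProgramData\gema\ not found.
Unable to delete ADS C:\ProgramData\TEMP:E8BE05FA .
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

# Ordered rules: the first match wins, so the outcomes that need follow-up come first.
# Each rule captures the object the line is about (registry key, file, folder, ADS, pref).
RULES = [
    ("pending_reboot", re.compile(r"^File move failed\. (?P<target>.+?) scheduled to be moved on reboot\.$")),
    ("failed",         re.compile(r"^Unable to delete ADS (?P<target>.+?) \.$")),
    ("not_found",      re.compile(r"^(?:Registry key|Registry value|File|Folder) (?P<target>.+?) not found\.$")),
    ("done",           re.compile(r"^(?P<target>.+?) moved successfully\.$")),
    ("done",           re.compile(r"^(?P<target>.+?)\| /E : value set successfully!$")),
    ("done",           re.compile(r'^Prefs\.js: ".+?" removed from (?P<target>\S+)$')),
    ("done",           re.compile(r"^(?P<target>HOSTS file) reset successfully$")),
]


def classify_line(line):
    """Return (outcome, target) for one log line; banners and section headers are 'info'."""
    line = line.rstrip()
    for outcome, pattern in RULES:
        m = pattern.match(line)
        if m:
            return outcome, m.group("target")
    # Fallback so an unrecognised failure wording is never silently filed as info.
    if re.search(r"\b(?:failed|unable)\b", line, re.IGNORECASE):
        return "failed", line
    return "info", None


def classify_log(text):
    """Group the targets of a fix log by outcome; blank lines and banners are dropped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        outcome, target = classify_line(line)
        if target is not None:
            groups[outcome].append(target)
    return dict(groups)


def needs_followup(text):
    """Targets this pass did not clean: the cue to rerun the fix (in the thread, in Safe Mode)."""
    groups = classify_log(text)
    return groups.get("pending_reboot", []) + groups.get("failed", [])


if __name__ == "__main__":
    for name, log in (("first pass", FIRST_PASS), ("second pass", SECOND_PASS)):
        print(name, "->", needs_followup(log) or "nothing left to redo")
```

"Not found" is not a failure: after the first pass plus reboot, OTL had already removed those objects, which is why the Safe Mode log reports them as absent.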


cosinus 07.05.2012 19:46

Now please run this tool from Kaspersky (TDSS-Killer) in normal Windows mode and post the log. Instructions and download link here => http://www.trojaner-board.de/82358-t...entfernen.html

Note: Please switch off the virus scanner before running TDSS-Killer, because Avira in particular often reports a false positive in the TDSS tool!

Set up the tool as shown in the picture below: click on "change parameters" and tick the boxes as shown in the following screenshot.
Then click on "Start Scan", and when it has finished click on the "Report" button to display the log. Please post it in full.
If you cannot find the log, or cannot copy its contents into your post, please look directly on your Windows system partition (usually drive C:), as that is where TDSS-Killer saves its logs.

Note: Please do not delete anything hastily with TDSS-Killer! If TDSS-Killer flags any objects, handle all of them with the "skip" action and only post the log here!

http://saved.im/mtkwmtcxexhp/setting...8_16-25-18.jpg

Malwarenervt 07.05.2012 19:55

Three partitions?

Code:

20:52:43.0568 3512        TDSS rootkit removing tool 2.7.34.0 May  2 2012 09:59:18
20:52:44.0292 3512        ============================================================
20:52:44.0292 3512        Current date / time: 2012/05/07 20:52:44.0292
20:52:44.0292 3512        SystemInfo:
20:52:44.0292 3512       
20:52:44.0292 3512        OS Version: 6.1.7601 ServicePack: 1.0
20:52:44.0292 3512        Product type: Workstation
20:52:44.0292 3512        ComputerName: PBG-PC
20:52:44.0292 3512        UserName: PBG
20:52:44.0292 3512        Windows directory: C:\windows
20:52:44.0292 3512        System windows directory: C:\windows
20:52:44.0292 3512        Processor architecture: Intel x86
20:52:44.0292 3512        Number of processors: 2
20:52:44.0292 3512        Page size: 0x1000
20:52:44.0292 3512        Boot type: Normal boot
20:52:44.0292 3512        ============================================================
20:52:45.0595 3512        Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:52:45.0595 3512        ============================================================
20:52:45.0595 3512        \Device\Harddisk0\DR0:
20:52:45.0595 3512        MBR partitions:
20:52:45.0595 3512        \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1E00800, BlocksNum 0x32000
20:52:45.0595 3512        \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E32800, BlocksNum 0x7530000
20:52:45.0595 3512        \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x9362800, BlocksNum 0x13E62000
20:52:45.0595 3512        ============================================================
20:52:45.0642 3512        Initialize success
20:52:45.0642 3512        ============================================================
20:53:38.0456 1456        ============================================================
20:53:38.0456 1456        Scan started
20:53:38.0456 1456        Mode: Manual; SigCheck; TDLFS;
20:53:38.0456 1456        ============================================================
20:53:38.0555 1456        1394ohci - ok
20:53:38.0576 1456        ACPI - ok
20:53:38.0590 1456        AcpiPmi - ok
20:53:38.0644 1456        AdobeFlashPlayerUpdateSvc - ok
20:53:38.0664 1456        adp94xx - ok
20:53:38.0689 1456        adpahci - ok
20:53:38.0708 1456        adpu320 - ok
20:53:38.0734 1456        AeLookupSvc - ok
20:53:38.0761 1456        AFD - ok
20:53:38.0778 1456        agp440 - ok
20:53:38.0795 1456        aic78xx - ok
20:53:38.0829 1456        ALG - ok
20:53:38.0846 1456        aliide - ok
20:53:38.0863 1456        amdagp - ok
20:53:38.0881 1456        amdide - ok
20:53:38.0898 1456        AmdK8 - ok
20:53:38.0915 1456        AmdPPM - ok
20:53:38.0933 1456        amdsata - ok
20:53:38.0950 1456        amdsbs - ok
20:53:38.0967 1456        amdxata - ok
20:53:38.0995 1456        AntiVirSchedulerService - ok
20:53:39.0010 1456        AntiVirService - ok
20:53:39.0030 1456        AppID - ok
20:53:39.0047 1456        AppIDSvc - ok
20:53:39.0065 1456        Appinfo - ok
20:53:39.0082 1456        arc - ok
20:53:39.0099 1456        arcsas - ok
20:53:39.0132 1456        AsyncMac - ok
20:53:39.0151 1456        atapi - ok
20:53:39.0177 1456        athr - ok
20:53:39.0199 1456        AudioEndpointBuilder - ok
20:53:39.0217 1456        Audiosrv - ok
20:53:39.0235 1456        avgntflt - ok
20:53:39.0251 1456        avipbb - ok
20:53:39.0270 1456        avkmgr - ok
20:53:39.0288 1456        AxInstSV - ok
20:53:39.0307 1456        b06bdrv - ok
20:53:39.0344 1456        b57nd60x - ok
20:53:39.0385 1456        BazisVirtualCDBus - ok
20:53:39.0404 1456        BDESVC - ok
20:53:39.0433 1456        Beep - ok
20:53:39.0451 1456        BFE - ok
20:53:39.0470 1456        BITS - ok
20:53:39.0487 1456        blbdrive - ok
20:53:39.0507 1456        bowser - ok
20:53:39.0525 1456        BrFiltLo - ok
20:53:39.0541 1456        BrFiltUp - ok
20:53:39.0557 1456        Browser - ok
20:53:39.0576 1456        Brserid - ok
20:53:39.0595 1456        BrSerWdm - ok
20:53:39.0610 1456        BrUsbMdm - ok
20:53:39.0629 1456        BrUsbSer - ok
20:53:39.0661 1456        BthEnum - ok
20:53:39.0681 1456        BTHMODEM - ok
20:53:39.0701 1456        BthPan - ok
20:53:39.0735 1456        BTHPORT - ok
20:53:39.0757 1456        bthserv - ok
20:53:39.0782 1456        BTHUSB - ok
20:53:39.0801 1456        btusbflt - ok
20:53:39.0827 1456        btwaudio - ok
20:53:39.0843 1456        btwavdt - ok
20:53:39.0883 1456        btwdins - ok
20:53:39.0934 1456        btwl2cap - ok
20:53:39.0969 1456        btwrchid - ok
20:53:39.0991 1456        cdfs - ok
20:53:40.0030 1456        cdrom - ok
20:53:40.0052 1456        CertPropSvc - ok
20:53:40.0072 1456        circlass - ok
20:53:40.0089 1456        CLFS - ok
20:53:40.0115 1456        clr_optimization_v2.0.50727_32 - ok
20:53:40.0177 1456        clr_optimization_v4.0.30319_32 - ok
20:53:40.0195 1456        CmBatt - ok
20:53:40.0212 1456        cmdide - ok
20:53:40.0229 1456        CNG - ok
20:53:40.0248 1456        Compbatt - ok
20:53:40.0271 1456        CompositeBus - ok
20:53:40.0289 1456        COMSysApp - ok
20:53:40.0306 1456        crcdisk - ok
20:53:40.0345 1456        CryptSvc - ok
20:53:40.0372 1456        DcomLaunch - ok
20:53:40.0389 1456        defragsvc - ok
20:53:40.0406 1456        DfsC - ok
20:53:40.0431 1456        dgderdrv - ok
20:53:40.0448 1456        Dhcp - ok
20:53:40.0467 1456        discache - ok
20:53:40.0489 1456        Disk - ok
20:53:40.0507 1456        Dnscache - ok
20:53:40.0526 1456        dot3svc - ok
20:53:40.0543 1456        DPS - ok
20:53:40.0561 1456        drmkaud - ok
20:53:40.0581 1456        DXGKrnl - ok
20:53:40.0607 1456        EapHost - ok
20:53:40.0625 1456        ebdrv - ok
20:53:40.0641 1456        EFS - ok
20:53:40.0667 1456        elxstor - ok
20:53:40.0685 1456        ErrDev - ok
20:53:40.0728 1456        EventSystem - ok
20:53:40.0744 1456        exfat - ok
20:53:40.0762 1456        fastfat - ok
20:53:40.0792 1456        Fax - ok
20:53:40.0812 1456        fdc - ok
20:53:40.0827 1456        fdPHost - ok
20:53:40.0844 1456        FDResPub - ok
20:53:40.0875 1456        FileInfo - ok
20:53:40.0890 1456        Filetrace - ok
20:53:40.0907 1456        flpydisk - ok
20:53:40.0925 1456        FltMgr - ok
20:53:40.0944 1456        FontCache - ok
20:53:40.0962 1456        FontCache3.0.0.0 - ok
20:53:40.0980 1456        FsDepends - ok
20:53:40.0997 1456        Fs_Rec - ok
20:53:41.0015 1456        fvevol - ok
20:53:41.0033 1456        gagp30kx - ok
20:53:41.0050 1456        gpsvc - ok
20:53:41.0067 1456        hcw85cir - ok
20:53:41.0100 1456        HdAudAddService - ok
20:53:41.0119 1456        HDAudBus - ok
20:53:41.0137 1456        HidBatt - ok
20:53:41.0153 1456        HidBth - ok
20:53:41.0172 1456        HidIr - ok
20:53:41.0190 1456        hidserv - ok
20:53:41.0225 1456        HidUsb - ok
20:53:41.0236 1456        hkmsvc - ok
20:53:41.0246 1456        HomeGroupListener - ok
20:53:41.0272 1456        HomeGroupProvider - ok
20:53:41.0292 1456        HpSAMD - ok
20:53:41.0319 1456        HTTP - ok
20:53:41.0345 1456        hwpolicy - ok
20:53:41.0357 1456        i8042prt - ok
20:53:41.0388 1456        iaStor - ok
20:53:41.0398 1456        iaStorV - ok
20:53:41.0437 1456        idsvc - ok
20:53:41.0452 1456        igfx - ok
20:53:41.0471 1456        iirsp - ok
20:53:41.0488 1456        IKEEXT - ok
20:53:41.0527 1456        IntcAzAudAddService - ok
20:53:41.0540 1456        intelide - ok
20:53:41.0560 1456        intelppm - ok
20:53:41.0576 1456        IPBusEnum - ok
20:53:41.0590 1456        IpFilterDriver - ok
20:53:41.0608 1456        iphlpsvc - ok
20:53:41.0625 1456        IPMIDRV - ok
20:53:41.0642 1456        IPNAT - ok
20:53:41.0660 1456        IRENUM - ok
20:53:41.0678 1456        isapnp - ok
20:53:41.0695 1456        iScsiPrt - ok
20:53:41.0738 1456        kbdclass - ok
20:53:41.0766 1456        kbdhid - ok
20:53:41.0795 1456        KeyIso - ok
20:53:41.0819 1456        KSecDD - ok
20:53:41.0836 1456        KSecPkg - ok
20:53:41.0856 1456        KtmRm - ok
20:53:41.0874 1456        LanmanServer - ok
20:53:41.0890 1456        LanmanWorkstation - ok
20:53:41.0929 1456        lltdio - ok
20:53:41.0942 1456        lltdsvc - ok
20:53:41.0972 1456        lmhosts - ok
20:53:41.0991 1456        LSI_FC - ok
20:53:42.0009 1456        LSI_SAS - ok
20:53:42.0027 1456        LSI_SAS2 - ok
20:53:42.0045 1456        LSI_SCSI - ok
20:53:42.0060 1456        luafv - ok
20:53:42.0090 1456        MBAMProtector - ok
20:53:42.0124 1456        MBAMService - ok
20:53:42.0151 1456        megasas - ok
20:53:42.0169 1456        MegaSR - ok
20:53:42.0187 1456        MMCSS - ok
20:53:42.0202 1456        Modem - ok
20:53:42.0221 1456        monitor - ok
20:53:42.0239 1456        mouclass - ok
20:53:42.0257 1456        mouhid - ok
20:53:42.0274 1456        mountmgr - ok
20:53:42.0306 1456        MozillaMaintenance - ok
20:53:42.0326 1456        mpio - ok
20:53:42.0346 1456        mpsdrv - ok
20:53:42.0369 1456        MpsSvc - ok
20:53:42.0386 1456        MRxDAV - ok
20:53:42.0400 1456        mrxsmb - ok
20:53:42.0417 1456        mrxsmb10 - ok
20:53:42.0435 1456        mrxsmb20 - ok
20:53:42.0452 1456        msahci - ok
20:53:42.0469 1456        msdsm - ok
20:53:42.0486 1456        MSDTC - ok
20:53:42.0519 1456        Msfs - ok
20:53:42.0537 1456        mshidkmdf - ok
20:53:42.0556 1456        msisadrv - ok
20:53:42.0571 1456        MSiSCSI - ok
20:53:42.0589 1456        msiserver - ok
20:53:42.0617 1456        MSKSSRV - ok
20:53:42.0635 1456        MSPCLOCK - ok
20:53:42.0653 1456        MSPQM - ok
20:53:42.0670 1456        MsRPC - ok
20:53:42.0695 1456        mssmbios - ok
20:53:42.0712 1456        MSTEE - ok
20:53:42.0729 1456        MTConfig - ok
20:53:42.0746 1456        Mup - ok
20:53:42.0767 1456        napagent - ok
20:53:42.0809 1456        NativeWifiP - ok
20:53:42.0838 1456        NDIS - ok
20:53:42.0853 1456        NdisCap - ok
20:53:42.0883 1456        NdisTapi - ok
20:53:42.0901 1456        Ndisuio - ok
20:53:42.0919 1456        NdisWan - ok
20:53:42.0936 1456        NDProxy - ok
20:53:42.0953 1456        NetBIOS - ok
20:53:42.0971 1456        NetBT - ok
20:53:42.0988 1456        Netlogon - ok
20:53:43.0018 1456        Netman - ok
20:53:43.0035 1456        netprofm - ok
20:53:43.0051 1456        NetTcpPortSharing - ok
20:53:43.0069 1456        nfrd960 - ok
20:53:43.0087 1456        NlaSvc - ok
20:53:43.0105 1456        Npfs - ok
20:53:43.0122 1456        nsi - ok
20:53:43.0139 1456        nsiproxy - ok
20:53:43.0166 1456        Ntfs - ok
20:53:43.0183 1456        Null - ok
20:53:43.0202 1456        nvraid - ok
20:53:43.0247 1456        nvstor - ok
20:53:43.0262 1456        nv_agp - ok
20:53:43.0280 1456        ohci1394 - ok
20:53:43.0297 1456        p2pimsvc - ok
20:53:43.0317 1456        p2psvc - ok
20:53:43.0335 1456        Parport - ok
20:53:43.0351 1456        partmgr - ok
20:53:43.0368 1456        Parvdm - ok
20:53:43.0387 1456        PcaSvc - ok
20:53:43.0405 1456        pci - ok
20:53:43.0422 1456        pciide - ok
20:53:43.0440 1456        pcmcia - ok
20:53:43.0459 1456        pcw - ok
20:53:43.0477 1456        PEAUTH - ok
20:53:43.0525 1456        pla - ok
20:53:43.0558 1456        PlugPlay - ok
20:53:43.0576 1456        PNRPAutoReg - ok
20:53:43.0598 1456        PNRPsvc - ok
20:53:43.0615 1456        PolicyAgent - ok
20:53:43.0641 1456        Power - ok
20:53:43.0667 1456        PptpMiniport - ok
20:53:43.0684 1456        Processor - ok
20:53:43.0702 1456        ProfSvc - ok
20:53:43.0720 1456        ProtectedStorage - ok
20:53:43.0738 1456        Psched - ok
20:53:43.0759 1456        ql2300 - ok
20:53:43.0779 1456        ql40xx - ok
20:53:43.0797 1456        QWAVE - ok
20:53:43.0814 1456        QWAVEdrv - ok
20:53:43.0830 1456        RasAcd - ok
20:53:43.0850 1456        RasAgileVpn - ok
20:53:43.0869 1456        RasAuto - ok
20:53:43.0887 1456        Rasl2tp - ok
20:53:43.0911 1456        RasMan - ok
20:53:43.0939 1456        RasPppoe - ok
20:53:43.0969 1456        RasSstp - ok
20:53:43.0987 1456        rdbss - ok
20:53:44.0003 1456        rdpbus - ok
20:53:44.0019 1456        RDPCDD - ok
20:53:44.0049 1456        RDPENCDD - ok
20:53:44.0072 1456        RDPREFMP - ok
20:53:44.0090 1456        RDPWD - ok
20:53:44.0109 1456        rdyboost - ok
20:53:44.0129 1456        RemoteAccess - ok
20:53:44.0144 1456        RemoteRegistry - ok
20:53:44.0171 1456        Rezip - ok
20:53:44.0197 1456        RFCOMM - ok
20:53:44.0215 1456        RpcEptMapper - ok
20:53:44.0231 1456        RpcLocator - ok
20:53:44.0250 1456        RpcSs - ok
20:53:44.0269 1456        rspndr - ok
20:53:44.0287 1456        RTL8167 - ok
20:53:44.0316 1456        SABI - ok
20:53:44.0343 1456        SamSs - ok
20:53:44.0376 1456        samsung_hspa_datacard_cdc_acm - ok
20:53:44.0405 1456        samsung_hspa_datacard_cdc_ecm - ok
20:53:44.0428 1456        samsung_hspa_datacard_dc_enum - ok
20:53:44.0460 1456        sbp2port - ok
20:53:44.0476 1456        SCardSvr - ok
20:53:44.0486 1456        scfilter - ok
20:53:44.0515 1456        Schedule - ok
20:53:44.0531 1456        SCPolicySvc - ok
20:53:44.0550 1456        SDRSVC - ok
20:53:44.0570 1456        secdrv - ok
20:53:44.0591 1456        seclogon - ok
20:53:44.0612 1456        SENS - ok
20:53:44.0636 1456        Serenum - ok
20:53:44.0657 1456        Serial - ok
20:53:44.0675 1456        sermouse - ok
20:53:44.0717 1456        SessionEnv - ok
20:53:44.0735 1456        sffdisk - ok
20:53:44.0753 1456        sffp_mmc - ok
20:53:44.0771 1456        sffp_sd - ok
20:53:44.0789 1456        sfloppy - ok
20:53:44.0857 1456        SharedAccess - ok
20:53:44.0877 1456        ShellHWDetection - ok
20:53:44.0895 1456        sisagp - ok
20:53:44.0915 1456        SiSRaid2 - ok
20:53:44.0931 1456        SiSRaid4 - ok
20:53:44.0975 1456        SkypeUpdate - ok
20:53:44.0993 1456        Smb - ok
20:53:45.0036 1456        SNMPTRAP - ok
20:53:45.0054 1456        spldr - ok
20:53:45.0071 1456        Spooler - ok
20:53:45.0089 1456        sppsvc - ok
20:53:45.0107 1456        sppuinotify - ok
20:53:45.0138 1456        SQLWriter - ok
20:53:45.0158 1456        srv - ok
20:53:45.0172 1456        srv2 - ok
20:53:45.0190 1456        srvnet - ok
20:53:45.0238 1456        sscdbus - ok
20:53:45.0250 1456        sscdmdfl - ok
20:53:45.0267 1456        sscdmdm - ok
20:53:45.0284 1456        SSDPSRV - ok
20:53:45.0301 1456        ssmdrv - ok
20:53:45.0320 1456        SstpSvc - ok
20:53:45.0365 1456        ss_bbus - ok
20:53:45.0387 1456        ss_bmdfl - ok
20:53:45.0408 1456        ss_bmdm - ok
20:53:45.0441 1456        ss_bserd - ok
20:53:45.0477 1456        StarOpen - ok
20:53:45.0497 1456        stexstor - ok
20:53:45.0521 1456        StiSvc - ok
20:53:45.0541 1456        swenum - ok
20:53:45.0570 1456        swprv - ok
20:53:45.0604 1456        SynTP - ok
20:53:45.0631 1456        SysMain - ok
20:53:45.0660 1456        TabletInputService - ok
20:53:45.0687 1456        TapiSrv - ok
20:53:45.0714 1456        TBS - ok
20:53:45.0734 1456        Tcpip - ok
20:53:45.0752 1456        TCPIP6 - ok
20:53:45.0779 1456        tcpipreg - ok
20:53:45.0806 1456        TDPIPE - ok
20:53:45.0824 1456        TDTCP - ok
20:53:45.0842 1456        tdx - ok
20:53:45.0861 1456        TermDD - ok
20:53:45.0880 1456        TermService - ok
20:53:45.0900 1456        Themes - ok
20:53:45.0919 1456        THREADORDER - ok
20:53:45.0944 1456        TrkWks - ok
20:53:45.0976 1456        truecrypt - ok
20:53:45.0993 1456        TrustedInstaller - ok
20:53:46.0021 1456        tssecsrv - ok
20:53:46.0060 1456        TsUsbFlt - ok
20:53:46.0078 1456        tunnel - ok
20:53:46.0097 1456        uagp35 - ok
20:53:46.0115 1456        udfs - ok
20:53:46.0161 1456        UI0Detect - ok
20:53:46.0186 1456        uliagpkx - ok
20:53:46.0205 1456        umbus - ok
20:53:46.0233 1456        UmPass - ok
20:53:46.0257 1456        upnphost - ok
20:53:46.0276 1456        usbccgp - ok
20:53:46.0296 1456        usbcir - ok
20:53:46.0315 1456        usbehci - ok
20:53:46.0339 1456        usbhub - ok
20:53:46.0357 1456        usbohci - ok
20:53:46.0386 1456        usbprint - ok
20:53:46.0422 1456        usbscan - ok
20:53:46.0438 1456        USBSTOR - ok
20:53:46.0455 1456        usbuhci - ok
20:53:46.0488 1456        usbvideo - ok
20:53:46.0522 1456        usb_rndisx - ok
20:53:46.0549 1456        UxSms - ok
20:53:46.0567 1456        VaultSvc - ok
20:53:46.0592 1456        vdrvroot - ok
20:53:46.0609 1456        vds - ok
20:53:46.0629 1456        vga - ok
20:53:46.0645 1456        VgaSave - ok
20:53:46.0662 1456        vhdmp - ok
20:53:46.0695 1456        viaagp - ok
20:53:46.0714 1456        ViaC7 - ok
20:53:46.0732 1456        viaide - ok
20:53:46.0751 1456        volmgr - ok
20:53:46.0771 1456        volmgrx - ok
20:53:46.0791 1456        volsnap - ok
20:53:46.0817 1456        vsmraid - ok
20:53:46.0834 1456        VSS - ok
20:53:46.0851 1456        vwifibus - ok
20:53:46.0876 1456        vwififlt - ok
20:53:46.0899 1456        vwifimp - ok
20:53:46.0920 1456        W32Time - ok
20:53:46.0945 1456        WacomPen - ok
20:53:46.0962 1456        WANARP - ok
20:53:46.0980 1456        Wanarpv6 - ok
20:53:46.0997 1456        wbengine - ok
20:53:47.0018 1456        WbioSrvc - ok
20:53:47.0037 1456        wcncsvc - ok
20:53:47.0054 1456        WcsPlugInService - ok
20:53:47.0067 1456        Wd - ok
20:53:47.0085 1456        Wdf01000 - ok
20:53:47.0104 1456        WdiServiceHost - ok
20:53:47.0144 1456        WdiSystemHost - ok
20:53:47.0162 1456        WebClient - ok
20:53:47.0198 1456        Wecsvc - ok
20:53:47.0224 1456        wercplsupport - ok
20:53:47.0258 1456        WerSvc - ok
20:53:47.0281 1456        WfpLwf - ok
20:53:47.0301 1456        WIMMount - ok
20:53:47.0321 1456        WinDefend - ok
20:53:47.0353 1456        WinHttpAutoProxySvc - ok
20:53:47.0371 1456        Winmgmt - ok
20:53:47.0402 1456        WinRM - ok
20:53:47.0464 1456        WinUsb - ok
20:53:47.0471 1456        Wlansvc - ok
20:53:47.0491 1456        WmiAcpi - ok
20:53:47.0542 1456        wmiApSrv - ok
20:53:47.0570 1456        WMPNetworkSvc - ok
20:53:47.0609 1456        WPCSvc - ok
20:53:47.0645 1456        WPDBusEnum - ok
20:53:47.0673 1456        ws2ifsl - ok
20:53:47.0685 1456        wscsvc - ok
20:53:47.0712 1456        WSDPrintDevice - ok
20:53:47.0732 1456        WSDScan - ok
20:53:47.0751 1456        WSearch - ok
20:53:47.0781 1456        wuauserv - ok
20:53:47.0800 1456        WudfPf - ok
20:53:47.0821 1456        WUDFRd - ok
20:53:47.0845 1456        wudfsvc - ok
20:53:47.0867 1456        WwanSvc - ok
20:53:47.0895 1456        yukonw7 - ok
20:53:48.0021 1456        MBR (0x1B8)    (ddc4773eef68ef7fac87cf9235395cab) \Device\Harddisk0\DR0
20:53:49.0802 1456        \Device\Harddisk0\DR0 - ok
20:53:49.0851 1456        Boot (0x1200)  (2819502ddd2e4cb2309a568199733fb3) \Device\Harddisk0\DR0\Partition0
20:53:49.0852 1456        \Device\Harddisk0\DR0\Partition0 - ok
20:53:49.0873 1456        Boot (0x1200)  (5e89b9eaa47ef79b096270573927d40e) \Device\Harddisk0\DR0\Partition1
20:53:49.0875 1456        \Device\Harddisk0\DR0\Partition1 - ok
20:53:49.0907 1456        Boot (0x1200)  (3d8a46dd54b25adc4c718dfac7c78b3d) \Device\Harddisk0\DR0\Partition2
20:53:49.0908 1456        \Device\Harddisk0\DR0\Partition2 - ok
20:53:49.0910 1456        ============================================================
20:53:49.0910 1456        Scan finished
20:53:49.0910 1456        ============================================================
20:53:50.0030 4072        Detected object count: 0
20:53:50.0030 4072        Actual detected object count: 0
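The question "Three partitions?" can be answered from the log itself. As an added example that is not part of this thread or of TDSSKiller, this Python script parses the drive and "MBR partitions" lines from the log above, converts the hex LBA and block counts into sizes, and reports any sector ranges that no listed partition covers as well as any overlapping entries; the embedded excerpt is copied from the log above.

```python
"""Partition-table check over TDSSKiller's SystemInfo block."""
import re

# Excerpt of the TDSSKiller log posted above: the drive line and the three partition lines.
TDSS_LOG = r"""
20:52:45.0595 3512        Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:52:45.0595 3512        \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1E00800, BlocksNum 0x32000
20:52:45.0595 3512        \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E32800, BlocksNum 0x7530000
20:52:45.0595 3512        \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x9362800, BlocksNum 0x13E62000
"""

HEX = r"0x[0-9A-Fa-f]+"
DRIVE_RE = re.compile(
    rf"Drive (?P<dev>\\Device\\\S+) - Size: (?P<size>{HEX}) .*?SectorSize: (?P<sector>{HEX})")
PART_RE = re.compile(
    rf"(?P<dev>\\Device\\\S+?)\\Partition(?P<idx>\d+): MBR, Type (?P<ptype>{HEX}), "
    rf"StartLBA (?P<start>{HEX}), BlocksNum (?P<blocks>{HEX})")


def parse_layout(text):
    """Return (disk, partitions): the disk geometry and the partitions sorted by start LBA."""
    disk, parts = None, []
    for line in text.splitlines():
        m = DRIVE_RE.search(line)
        if m:
            sector = int(m.group("sector"), 16)
            disk = {"device": m.group("dev"), "sector_size": sector,
                    "total_sectors": int(m.group("size"), 16) // sector}
            continue
        m = PART_RE.search(line)
        if m:
            parts.append({"index": int(m.group("idx")), "type": int(m.group("ptype"), 16),
                          "start": int(m.group("start"), 16), "blocks": int(m.group("blocks"), 16)})
    parts.sort(key=lambda p: p["start"])
    return disk, parts


def human(sectors, sector_size=512):
    """Sector count as GiB (TDSSKiller's own unit for the drive) or MiB for small ranges."""
    nbytes = sectors * sector_size
    if nbytes >= 2 ** 30:
        return f"{nbytes / 2 ** 30:.2f} GiB"
    return f"{nbytes / 2 ** 20:.2f} MiB"


def unallocated_regions(disk, parts):
    """(start, length) sector ranges that no listed partition covers: the space before the
    first partition, gaps between partitions and the slack after the last one."""
    regions, cursor = [], 0
    for p in parts:
        if p["start"] > cursor:
            regions.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["blocks"])
    if cursor < disk["total_sectors"]:
        regions.append((cursor, disk["total_sectors"] - cursor))
    return regions


def overlapping_partitions(parts):
    """Index pairs of neighbouring partitions whose sector ranges overlap (a malformed table)."""
    pairs = []
    for a, b in zip(parts, parts[1:]):
        if b["start"] < a["start"] + a["blocks"]:
            pairs.append((a["index"], b["index"]))
    return pairs


def layout_report(text):
    """Plain-text answer to: how many partitions, and is any disk space unaccounted for?"""
    disk, parts = parse_layout(text)
    ss = disk["sector_size"]
    lines = [f"{disk['device']}: {human(disk['total_sectors'], ss)}, {len(parts)} MBR partition(s) listed"]
    for p in parts:
        lines.append(f"  Partition{p['index']}: type 0x{p['type']:X}, start LBA {p['start']}, "
                     f"{human(p['blocks'], ss)}")
    for start, length in unallocated_regions(disk, parts):
        lines.append(f"  not covered by any listed partition: LBA {start}, {human(length, ss)}")
    for a, b in overlapping_partitions(parts):
        lines.append(f"  WARNING: Partition{a} and Partition{b} overlap")
    return "\n".join(lines)


if __name__ == "__main__":
    print(layout_report(TDSS_LOG))
```

For this log the three listed partitions (100 MiB, about 58.6 GiB and about 159.2 GiB) are contiguous and do not overlap, but roughly 15 GiB ahead of Partition0 and a couple of MiB after Partition2 lie outside every listed entry. That is something to compare against Disk Management (often a vendor recovery partition) rather than evidence of infection on its own.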


cosinus 07.05.2012 19:59

Then please run CF now:

ComboFix

A guide and tutorial on using ComboFix
  • Close all programs, especially your antivirus program and other background guards, as well as your internet browser.
  • Start combofix.exe from your desktop, confirm the warning messages, perform the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste it into your post ([Ctrl]v). You can also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when an authorised helper (Kompetenzler) has explicitly recommended it!

It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.

If, after running ComboFix, you have problems starting applications and get messages such as

Quote:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
then restart Windows manually and the error messages should no longer appear.

Malwarenervt 07.05.2012 20:02

With Avira, though, I can only close the scanner, not all of Avira.
Still OK?

cosinus 07.05.2012 20:19

It's enough if the scanner has been deactivated

Malwarenervt 07.05.2012 21:53

Code:

ComboFix 12-05-07.02 - PBG 07.05.2012  22:18:22.1.2 - x86
Microsoft Windows 7 Starter  6.1.7601.1.1252.49.1031.18.2037.1216 [GMT 2:00]
ausgeführt von:: c:\users\PBG\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Other Deletions  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.crx
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.png
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
c:\windows\system32\system32
c:\windows\system32\system32\3DAudio.ax
c:\windows\system32\system32\avrt.dll
c:\windows\system32\system32\cis-2.4.dll
c:\windows\system32\system32\issacapi_bs-2.3.dll
c:\windows\system32\system32\issacapi_pe-2.3.dll
c:\windows\system32\system32\issacapi_se-2.3.dll
c:\windows\system32\system32\MACXMLProto.dll
c:\windows\system32\system32\MaDRM.dll
c:\windows\system32\system32\MaJGUILib.dll
c:\windows\system32\system32\MAMACExtract.dll
c:\windows\system32\system32\MASetupCleaner.exe
c:\windows\system32\system32\MaXMLProto.dll
c:\windows\system32\system32\mfplat.dll
c:\windows\system32\system32\MK_Lyric.dll
c:\windows\system32\system32\MSCLib.dll
c:\windows\system32\system32\MSFLib.dll
c:\windows\system32\system32\MSLUR71.dll
c:\windows\system32\system32\msvcp60.dll
c:\windows\system32\system32\MTTELECHIP.dll
c:\windows\system32\system32\MTXSYNCICON.dll
c:\windows\system32\system32\muzaf1.dll
c:\windows\system32\system32\muzapp.dll
c:\windows\system32\system32\muzapp.exe
c:\windows\system32\system32\muzdecode.ax
c:\windows\system32\system32\muzeffect.ax
c:\windows\system32\system32\muzmp4sp.ax
c:\windows\system32\system32\muzmpgsp.ax
c:\windows\system32\system32\muzoggsp.ax
c:\windows\system32\system32\muzwmts.dll
c:\windows\system32\system32\psapi.dll
.
.
(((((((((((((((((((((((  Files Created from 2012-04-07 to 2012-05-07  ))))))))))))))))))))))))))))))
.
.
2012-05-07 15:05 . 2012-05-07 15:06        --------        d-----w-        c:\users\PBG\AppData\Local\Deployment
2012-05-07 15:05 . 2012-05-07 15:05        --------        d-----w-        c:\users\PBG\AppData\Local\Apps
2012-05-07 10:57 . 2012-05-07 10:57        --------        d-----w-        c:\program files\Common Files\Java
2012-05-07 10:55 . 2012-05-07 10:54        476960        ----a-w-        c:\windows\system32\npdeployJava1.dll
2012-05-01 16:00 . 2012-05-01 16:00        --------        d-----w-        c:\program files\Mozilla Maintenance Service
2012-05-01 15:59 . 2012-05-01 15:59        157352        ----a-w-        c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-01 15:59 . 2012-05-01 15:59        129976        ----a-w-        c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-29 19:17 . 2012-04-29 19:17        237        ----a-w-        C:\user.js
2012-04-29 19:17 . 2012-04-29 19:17        --------        d-----w-        c:\program files\BabylonToolbar
2012-04-29 19:16 . 2012-04-29 19:16        --------        d-----w-        c:\users\PBG\AppData\Local\Babylon
2012-04-29 19:16 . 2012-04-29 19:16        --------        d-----w-        c:\programdata\Babylon
2012-04-29 19:16 . 2012-04-29 19:16        --------        d-----w-        c:\users\PBG\AppData\Roaming\Babylon
2012-04-17 21:18 . 2012-05-04 19:44        419488        ----a-w-        c:\windows\system32\FlashPlayerApp.exe
2012-04-17 19:08 . 2012-04-17 19:08        --------        d-----w-        C:\_OTL
2012-04-17 05:55 . 2012-04-17 05:55        --------        d-----w-        c:\program files\Photo Notifier and Animation Creator
2012-04-17 05:55 . 2012-04-17 05:55        --------        d-----w-        c:\programdata\Photo Notifier and Animation Creator
2012-04-17 05:54 . 2012-04-17 05:59        --------        d-----w-        c:\users\PBG\AppData\Local\IM
2012-04-17 05:53 . 2012-04-17 05:55        --------        d-----w-        c:\programdata\IM
2012-04-17 05:53 . 2012-04-17 05:53        --------        d-----w-        c:\programdata\IncrediMail
2012-04-17 05:53 . 2012-04-17 05:53        --------        d-----w-        c:\program files\IncrediMail
2012-04-13 22:08 . 2012-03-01 05:46        19824        ----a-w-        c:\windows\system32\drivers\fs_rec.sys
2012-04-13 22:08 . 2012-03-01 05:37        172544        ----a-w-        c:\windows\system32\wintrust.dll
2012-04-13 22:08 . 2012-03-01 05:29        5120        ----a-w-        c:\windows\system32\wmi.dll
2012-04-13 22:08 . 2012-03-01 05:33        159232        ----a-w-        c:\windows\system32\imagehlp.dll
2012-04-13 22:07 . 2012-03-06 05:59        3968368        ----a-w-        c:\windows\system32\ntkrnlpa.exe
2012-04-13 22:07 . 2012-03-06 05:59        3913072        ----a-w-        c:\windows\system32\ntoskrnl.exe
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-07 10:54 . 2010-07-15 00:24        472864        ----a-w-        c:\windows\system32\deployJava1.dll
2012-05-04 19:44 . 2011-05-23 19:03        70304        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 13:56 . 2012-03-26 21:00        22344        ----a-w-        c:\windows\system32\drivers\mbam.sys
2012-02-17 05:34 . 2012-03-14 08:02        826880        ----a-w-        c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-14 08:02        183808        ----a-w-        c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-14 08:02        24576        ----a-w-        c:\windows\system32\drivers\tdtcp.sys
2012-02-15 08:37 . 2011-12-02 17:07        137416        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2012-02-10 05:38 . 2012-03-14 08:03        1077248        ----a-w-        c:\windows\system32\DWrite.dll
2011-01-19 11:34 . 2011-01-19 11:34        3003392        ----a-w-        c:\program files\openofficeorg33.msi
2011-01-19 11:33 . 2011-01-19 11:33        475016        ----a-w-        c:\program files\setup.exe
2012-05-01 15:59 . 2011-11-10 19:13        97208        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 11:06        163328        --sha-r-        c:\windows\System32\flvDX.dll
2007-02-21 12:47        31232        --sha-r-        c:\windows\System32\msfDX.dll
2008-03-16 14:30        216064        --sha-r-        c:\windows\System32\nbDX.dll
2010-01-06 23:00        107520        --sha-r-        c:\windows\System32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2011-12-12 1517520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-02-26 1713448]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-14 8120864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-25 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-25 150552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-2 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2009-12-14 17:36        8120864        ------w-        c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"MobileConnect"=c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-01-31 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 257696]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-01 129976]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2010-12-21 98432]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2010-12-21 14848]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2010-12-21 123648]
R3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\DRIVERS\ss_bserd.sys [2010-12-21 100224]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-19 36000]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-10-19 86224]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2011-08-08 117584]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 samsung_hspa_datacard_cdc_acm;Samsung HSPA DataCard CDC-ACM driver;c:\windows\system32\DRIVERS\samsung_hspa_datacard_cdc_acm.sys [2010-01-15 68608]
S3 samsung_hspa_datacard_cdc_ecm;samsung_hspa_datacard_cdc_ecm;c:\windows\system32\DRIVERS\samsung_hspa_datacard_cdc_ecm.sys [2010-01-15 81920]
S3 samsung_hspa_datacard_dc_enum;Samsung HSPA DataCard DC Enumerator;c:\windows\system32\DRIVERS\samsung_hspa_datacard_dc_enum.sys [2010-01-15 62464]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 89351301
*Deregistered* - 89351301
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation        REG_MULTI_SZ          SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 19:44]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-67750739-3866145124-1799724527-1003Core.job
- c:\users\PBG\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 09:50]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-67750739-3866145124-1799724527-1003UA.job
- c:\users\PBG\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 09:50]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = <local>
IE: Send Picture to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Free YouTube Download - c:\users\PBG\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\PBG\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send Page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6CB44DBC-6166-496D-B83D-F8183DC7BE4B}: NameServer = 10.74.83.22 193.254.160.1
FF - ProfilePath - c:\users\PBG\AppData\Roaming\Mozilla\Firefox\Profiles\moc6o292.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com//?loc=ff_address_bar&a=1ex6xjvzjt4&search=
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110819
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - ba320b67000000000000b282febe9249
FF - user.js: extensions.BabylonToolbar_i.hardId - ba320b67000000000000b282febe9249
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15459
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1721:17
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-KiesPDLR - c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-07  22:39:34
ComboFix-quarantined-files.txt  2012-05-07 20:39
.
Pre-Run: 2,353,442,816 bytes free
Post-Run: 2,244,456,448 bytes free
.
- - End Of File - - 47B29923B4AB8DEE201467791B6D41AE
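
Reading a ComboFix log like the one above comes down to knowing which entries to look at first: the `system32\system32` folder nested inside the real one among the deletions, the `user.js` created at the drive root next to the Babylon and MyStart entries in the Firefox prefs, and which autostart images live in user-writable locations. The script below is an added example for this thread, not part of ComboFix or of any post here; `SAMPLE_LOG` is a constructed excerpt in the English ComboFix layout modelled on the posted log, and the regular expressions, section names and path allowlists are this example's own assumptions about the format, not ComboFix's.

```python
"""Triage a ComboFix log: pull out the entries a responder should look at first.
Added example for this thread; it is not part of ComboFix or of the forum posts.
SAMPLE_LOG is a constructed excerpt in the English ComboFix layout, built from
the kinds of entries seen in the log posted above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll
c:\windows\system32\system32\psapi.dll
c:\windows\system32\system32\mfplat.dll
.
(((((((((((((((((((((((((   Files Created from 2012-04-07 to 2012-05-07  )))))))))))))))))))))))))))))))
.
2012-04-29 19:17 . 2012-04-29 19:17        237        ----a-w-        C:\user.js
.
((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2011-12-12 1517520]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-67750739-3866145124-1799724527-1003Core.job
- c:\users\PBG\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-03 09:50]
.
------- Supplementary Scan -------
.
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com//?loc=ff_address_bar&a=1ex6xjvzjt4&search=
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110819
"""

# A ComboFix section header is a title wrapped in runs of '(' ... ')' or '-' ... '-' (assumed layout).
SECTION_RE = re.compile(r'^[(\-]{3,}\s*(.+?)\s*[)\-]{3,}$')
# Any Windows path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys|ax|cpl|job)\b')
# A system directory name repeated inside itself, e.g. \system32\system32\ ; installers rarely create this.
NESTED_RE = re.compile(r'(?i)\\(system32|syswow64)\\\1\\')
# A user.js outside a Firefox profile folder; adware drops one to re-apply its prefs on every start.
USERJS_RE = re.compile(r'(?i)[a-z]:\\[^"\[\]\r\n]*?user\.js\b')
FF_PREF_RE = re.compile(r'^FF - (prefs\.js|user\.js): (\S+) - ?(.*)$')
SEARCH_PREFS = ("browser.search.selectedEngine", "browser.search.defaultengine",
                "keyword.URL", "browser.startup.homepage")
KNOWN_ENGINES = ("google", "bing", "yahoo", "duckduckgo")          # allowlist is an assumption
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\", "\\tmp\\")

def parse_sections(text):
    """Split the log into {section title: [non-empty lines]}; the '.' separator lines are dropped."""
    sections, current = defaultdict(list), "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections

def section(sections, prefix):
    """Lines of every section whose title starts with prefix (some titles carry dates)."""
    return [l for title, lines in sections.items() if title.startswith(prefix) for l in lines]

def nested_system_dirs(lines):
    return [m.group(0) for l in lines for m in PATH_RE.finditer(l) if NESTED_RE.search(m.group(0))]

def stray_user_js(lines):
    return [m.group(0) for l in lines for m in USERJS_RE.finditer(l)
            if "\\firefox\\profiles\\" not in m.group(0).lower()]

def user_writable_autoruns(lines):
    """Autostart images under user-writable paths: leads to verify (signature, vendor), not verdicts."""
    return [m.group(0) for l in lines for m in PATH_RE.finditer(l)
            if any(tok in m.group(0).lower() for tok in USER_WRITABLE)]

def browser_hijack_indicators(lines):
    """Search/homepage prefs pointing away from known engines, plus everything forced via user.js."""
    hits = {}
    for l in lines:
        m = FF_PREF_RE.match(l)
        if not m:
            continue
        origin, pref, value = m.groups()
        if origin == "user.js":
            hits[pref] = value
        elif pref in SEARCH_PREFS and not any(e in value.lower() for e in KNOWN_ENGINES):
            hits[pref] = value
    return hits

def triage(log_text):
    s = parse_sections(log_text)
    return {
        "nested_system_dirs": nested_system_dirs(section(s, "Other Deletions")),
        "stray_user_js": stray_user_js(section(s, "Files Created")),
        "user_writable_autoruns": user_writable_autoruns(section(s, "Reg Loading Points")),
        "browser_hijack_indicators": browser_hijack_indicators(section(s, "Supplementary Scan")),
    }

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Note that the per-user GoogleUpdate.exe is reported because it lives under AppData, not because it is malicious: the user-writable check produces leads to verify against the file's signature and vendor, while the nested `system32\system32` copies and the Babylon `user.js` settings are the entries that actually warranted ComboFix's deletions and the OTL prefs fix in this thread.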


cosinus 08.05.2012 10:42

Now please create logs with GMER and OSAM and post them.
GMER crashes fairly often; if the tool still won't run the second time, just leave it out and run only OSAM. Please skip the online query by OSAM.
With OSAM, please also make sure you save the log as *.log and not as *.html or the like.

Note: Please use WinRAR or 7zip to unpack OSAM! Also be sure to turn off the virus scanner; the McAfee scanner in particular often reports a false positive on OSAM!

Please download aswMBR.exe and save the file to your desktop.
  • Start aswMBR.exe - (aswMBR.exe guide)
    From Windows Vista (or higher), please start it by right-clicking and choosing "Run as administrator".
  • The tool will ask you whether you want to scan your system with the current AVAST! virus definitions. Please answer this question with Yes. (Should your firewall ask, please allow access to the Internet.)
    Downloading the definitions can take a while depending on your connection.
  • Click Scan.
  • Please wait until "Scan finished successfully" appears in the DOS window.
  • Click Save Log and save it to the desktop.
Post the aswMBR.txt in your next reply.

Important: Do not under any circumstances press one of the Fix buttons without instructions

Note: Should the Scan button be greyed out, close the tool and start it again. Should the scan abort and the program crash, let me know and select (none) under AV Scan.

Another note: Should aswMBR crash with a message like "aswMBR.exe has stopped working", do the following:
Restart aswMBR, select (none) under "AV scan" in the drop-down menu at the bottom left of the aswMBR window and click the Scan button again.


All times are GMT +1.

Copyright ©2000-2025, Trojaner-Board

