Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Windows gesperrt (https://www.trojaner-board.de/112777-windows-gesperrt.html)

wookimaster 31.03.2012 16:44
Windows gesperrt
 
Hallo,

ich habe auch den Windows-gesperrt Trojaner und wahrscheinlich noch einiges anderes.
Vor einigen Wochen hatte der Rechner schon mal einen Trojaner (der entfernt wurde, aber ich weiß nicht genau wie und es gibt auch keine Logs)

Hier die Logs von Malwarebytes und OTL die ich im abgesicherten Modus erstellt habe.

ich habe gelesen, dass OTL normalerweise 2 Logs auswirft, habe aber das andere nicht gefunden..

Code:
OTL logfile created on: 3/31/2012 5:37:21 PM - Run 2
OTL by OldTimer - Version 3.2.39.2    Folder = C:\Users\Felix\Downloads
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 2.20 Gb Available Physical Memory | 73.28% Memory free
6.00 Gb Paging File | 5.26 Gb Available in Paging File | 87.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 900.41 Gb Total Space | 632.73 Gb Free Space | 70.27% Space Free | Partition Type: NTFS
Drive D: | 30.00 Gb Total Space | 10.39 Gb Free Space | 34.63% Space Free | Partition Type: NTFS
 
Computer Name: FELIX-PC | User Name: Felix | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Felix\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}\components\RadioWMPCoreGecko5.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\WinRAR\rarext.dll ()
MOD - C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (SearchAnonymizer) -- C:\Users\Felix\AppData\Roaming\OCS\SM\SearchAnonymizerHelper.exe ()
SRV - (Hamachi2Svc) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (Bandoo Coordinator) -- C:\PROGRA~1\Bandoo\Bandoo.exe (Bandoo Media Inc.)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (IAStorDataMgrSvc) Intel(R) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (IT9135BDA) -- C:\Windows\System32\drivers\IT9135BDA.sys (ITE                      )
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (AtiHdmiService) -- C:\Windows\System32\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV - (RTL8192su) -- C:\Windows\System32\drivers\RTL8192su.sys (Realtek Semiconductor Corporation                          )
DRV - (Sftvol) -- C:\Windows\System32\drivers\Sftvollh.sys (Microsoft Corporation)
DRV - (Sftredir) -- C:\Windows\System32\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV - (Sftplay) -- C:\Windows\System32\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV - (Sftfs) -- C:\Windows\System32\drivers\Sftfslh.sys (Microsoft Corporation)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (hamachi) -- C:\Windows\System32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (Afc) -- C:\Windows\System32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (prohlp02) -- C:\Windows\System32\drivers\prohlp02.sys (Protection Technology)
DRV - (prodrv06) -- C:\Windows\System32\drivers\prodrv06.sys (Protection Technology)
DRV - (sfhlp01) -- C:\Windows\System32\drivers\sfhlp01.sys (Protection Technology)
DRV - (prosync1) -- C:\Windows\System32\drivers\prosync1.sys (Protection Technology)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.foxtab.com/?s=0&chnl=dcom&cd=2XzutBtN2Y1L1QzuyByE0FtDyC0DyDyEtB0EyD0CtDzytBtCtCtN0D0TzutBtDtCtDtDzztCtC&cr=1963431316
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
IE - HKLM\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files\Winload\prxtbWin0.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files\BrotherSoft_Extreme\prxtbBro0.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {77f8c945-4b74-4bd6-a073-e0d1997edce8} - C:\Program Files\midicair\prxtbmidi.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{36668FFD-7809-43FB-A609-999C5A7AB5FE}: "URL" = hxxp://search.foxtab.com/?q={searchTerms}&s=1&chnl=dcom&cd=2XzutBtN2Y1L1QzuyByE0FtDyC0DyDyEtB0EyD0CtDzytBtCtCtN0D0TzutBtDtCtDtDzztCtC&cr=1963431316
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = hxxp://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2319825
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=MDNB&bmod=MDNB
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.search-results.com/?l=dis&o=41648036
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://www.google.com/ie
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files\Winload\prxtbWin0.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\URLSearchHook: {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files\BrotherSoft_Extreme\prxtbBro0.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\URLSearchHook: {77f8c945-4b74-4bd6-a073-e0d1997edce8} - C:\Program Files\midicair\prxtbmidi.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\URLSearchHook: {c840e246-6b95-475e-9bd7-caa1c7eca9f2} - No CLSID value found
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes,DefaultScope = {926011B1-4C26-41B2-9256-A87EDA80CC30}
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = hxxp://start.facemoods.com.anonymize-me.de/?anonymto=687474703A2F2F73746172742E666163656D6F6F64732E636F6D2F3F613D69726F6E746F26733D7B7365617263685465726D737D26663D34&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com.anonymize-me.de/?anonymto=687474703A2F2F7365617263682E626162796C6F6E2E636F6D2F7765622F7B7365617263685465726D737D3F6261627372633D53505F73732661666649443D313030343838266D6E747249643D3136663039323131303030303030303030303030373466303664353432653563&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{31A29A8B-F5AF-445B-8C5B-C0916172015D}: "URL" = hxxp://www.pricerunner.de.anonymize-me.de/?to=707269636572756E6E65722E6465&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&mode=bounce&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{36668FFD-7809-43FB-A609-999C5A7AB5FE}: "URL" = hxxp://search.foxtab.com.anonymize-me.de/?anonymto=687474703A2F2F7365617263682E666F787461622E636F6D2F3F713D7B7365617263685465726D737D26733D312663686E6C3D64636F6D2663643D32587A757442744E3259314C31517A7579427945304674447943304479447945744230457944304374447A79744274437443744E304430547A75744274447443744474447A7A744374432663723D31393633343331333136&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{37443597-0278-4185-82EF-C16DEB3034D9}: "URL" = hxxp://search.ebay.de.anonymize-me.de/?to=656261792E6465&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&mode=bounce&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{4A378F0F-3402-47BD-9F69-388343D48E2D}: "URL" = hxxp://websearch.search-results.com/redirect?client=ie&tb=STC-SRS&o=41648033&src=crm&q={searchTerms}&locale=&apn_ptnrs=96&apn_dtid=YYYYYYYYDE&apn_uid=36B29D09-2220-49B7-A013-DA95B15D1587&apn_sauid=256FAFCE-2734-4FDC-ABA3-7E06DE2B391A&
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{4EB164A5-9DE1-4089-8EE4-0DDF447992F8}: "URL" = hxxp://www.myvideo.de.anonymize-me.de/?to=6D79766964656F2E6465&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&mode=bounce&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{90051C7E-3118-4A3C-A6A9-D96C239F3154}: "URL" = hxxp://www.otto.de.anonymize-me.de/?to=6F74746F2E6465&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&mode=bounce&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{926011B1-4C26-41B2-9256-A87EDA80CC30}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MDNB_enDE393
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = hxxp://dts.search-results.com.anonymize-me.de/?anonymto=687474703A2F2F6474732E7365617263682D726573756C74732E636F6D2F73723F7372633D6965622661707069643D3130322673797374656D69643D34303626713D7B7365617263685465726D737D&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{A958F7DA-A2CB-4982-BB02-D45DAED6399A}: "URL" = hxxp://www.amazon.de.anonymize-me.de/?to=616D617A6F6E2E6465&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&mode=bounce&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2319825
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = hxxp://mystart.incredimail.com.anonymize-me.de/?anonymto=687474703A2F2F6D7973746172742E696E63726564696D61696C2E636F6D2F6D6234342F3F7365617263683D7B7365617263685465726D737D266C6F633D7365617263685F626F7826753D31303336303435343231323333323538373031&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\..\SearchScopes\{E441E2FA-7C3C-42A1-9687-A5ECB2944401}: "URL" = hxxp://de.wikipedia.org.anonymize-me.de/?to=64652E77696B6970656469612E6F7267&st={searchTerms}&clid=45058dcd-6fc0-4005-84f1-17564083a0af&pid=winsoftware&mode=bounce&k=0
IE - HKU\S-1-5-21-3995049860-688048530-36496495-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..CT2319825.browser.search.defaultthis.engineName: true
FF - prefs.js..browser.search.defaultengine: "Search-Results"
FF - prefs.js..browser.search.defaultenginename: "Search-Results"
FF - prefs.js..browser.search.defaultthis.engineName: "midicair Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2795622&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "Search-Results"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de/"
FF - prefs.js..keyword.URL: "hxxp://websearch.search-results.com/redirect?client=ff&src=kw&tb=STC-SRS&o=41648033&locale=de_DE&apn_uid=36B29D09-2220-49B7-A013-DA95B15D1587&apn_ptnrs=96&apn_sauid=256FAFCE-2734-4FDC-ABA3-7E06DE2B391A&apn_dtid=YYYYYYYYDE&q="
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Felix\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/08 07:24:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\ffox@bandoo.com: C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles/nwq2omz0.default\extensions\ffox@bandoo.com [2010/08/08 20:14:00 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\finder@meingutscheincode.de: C:\Program Files\Mein Gutscheincode Finder\Firefox [2010/08/22 09:45:20 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\firejump@firejump.net: C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\extensions\firejump@firejump.net [2012/03/31 16:38:59 | 000,000,000 | ---D | M]
 
[2010/08/08 20:13:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Felix\AppData\Roaming\mozilla\Extensions
[2012/03/31 17:28:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions
[2012/01/09 18:01:24 | 000,000,000 | ---D | M] (Winload) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\{40c3cc16-7269-4b32-9531-17f2950fb06f}
[2010/08/22 12:04:39 | 000,000,000 | ---D | M] (BrotherSoft Extreme Community Toolbar) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\{51a86bb3-6602-4c85-92a5-130ee4864f13}
[2012/03/07 19:53:34 | 000,000,000 | ---D | M] (midicair Community Toolbar) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\{77f8c945-4b74-4bd6-a073-e0d1997edce8}
[2010/08/08 20:13:05 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2012/03/09 22:45:36 | 000,000,000 | ---D | M] (uTorrentBar_DE Community Toolbar) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\{c840e246-6b95-475e-9bd7-caa1c7eca9f2}
[2012/01/06 22:06:20 | 000,000,000 | ---D | M] (Battlefield Heroes Updater) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\battlefieldheroespatcher@ea.com
[2010/08/08 20:14:00 | 000,000,000 | ---D | M] (Bandoo for Firefox) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\ffox@bandoo.com
[2010/08/12 09:39:29 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\ffxtlbr@babylon.com
[2010/11/30 20:57:53 | 000,000,000 | ---D | M] (Facemoods) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\ffxtlbr@Facemoods.com
[2012/03/31 16:38:59 | 000,000,000 | ---D | M] (FireJump) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\firejump@firejump.net
[2012/03/31 17:28:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\staged
[2011/12/29 21:05:16 | 000,000,000 | ---D | M] (Search-Results Toolbar) -- C:\Users\Felix\AppData\Roaming\mozilla\Firefox\Profiles\nwq2omz0.default\extensions\toolbar@ask.com
[2012/01/11 14:03:48 | 000,000,907 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\conduit.xml
[2010/08/11 22:02:16 | 000,005,425 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\Foxtab Web Search.xml
[2010/08/09 20:11:55 | 000,002,210 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\MyStart Search.xml
[2012/03/31 16:38:52 | 000,003,367 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\search-results.xml
[2010/08/08 20:13:04 | 000,002,501 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\SearchResults.xml
[2011/12/19 17:13:31 | 000,001,871 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\{61FD2FBE-D177-4EC4-A688-EE0CAE8D32D0}.xml
[2011/12/19 17:13:31 | 000,002,189 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\{621649A6-015B-4DDE-BE52-D2A34784B17A}.xml
[2011/12/19 17:13:31 | 000,002,078 | ---- | M] () -- C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\nwq2omz0.default\searchplugins\{6DE243E0-4A86-4C92-96A4-84ED78853943}.xml
[2010/08/08 20:13:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions
() (No name found) -- C:\USERS\FELIX\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NWQ2OMZ0.DEFAULT\EXTENSIONS\{EF4E370E-D9F0-4E00-B93E-A4F274CFDD5A}.XPI
[2011/07/08 09:31:38 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/12/19 17:13:31 | 000,001,685 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/12/19 17:13:31 | 000,002,404 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2011/12/19 17:13:31 | 000,001,936 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/19 17:13:31 | 000,001,272 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011/12/19 17:13:31 | 000,001,628 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fcmdSrch.xml
[2011/12/19 17:13:31 | 000,007,052 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010/08/08 20:13:04 | 000,002,501 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml
[2011/12/19 17:13:31 | 000,001,279 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/12/19 17:13:31 | 000,001,171 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: facemoods (Enabled)
CHR - default_search_provider: search_url = hxxp://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
CHR - default_search_provider: suggest_url =
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\pdf.dll
CHR - plugin: Chrome NaCl (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.63\gears.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
CHR - plugin: Windows Live Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.2_0\
CHR - Extension: Google-Suche = C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Facemoods = C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihflimipbcaljfnojhhknppphnnciiif\1.4.1_0\
CHR - Extension: preisspion.de = C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgfpelakfkbbkkdchaaaknckhoadkcbo\3.0.2_0\
CHR - Extension: uTorrentBar_DE = C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\leocdeigfnkaojcapikdjcdbedcjmffc\2.0.1.4_0\
CHR - Extension: Winload = C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngnjhfpfhadncgafgbneeljaginimmmk\2.3.2.4_0\
CHR - Extension: Google Mail = C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.4_0\
 
O1 HOSTS File: ([2009/06/10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Mein Gutscheincode Finder zeigt automatisch Shopping-Gutscheine an mit denen Sie beim Online-Einkauf sparen können.) - {1ED16E0A-E8C4-40A0-8BC2-79485D21F796} - C:\Program Files\Mein Gutscheincode Finder\Internet Explorer\x86\ConversionOneIE.dll (Conversion One GmbH)
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.31.2\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files\Winload\prxtbWin0.dll (Conduit Ltd.)
O2 - BHO: (BrotherSoft Extreme Toolbar) - {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files\BrotherSoft_Extreme\prxtbBro0.dll (Conduit Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll (facemoods.com BHO)
O2 - BHO: (midicair Toolbar) - {77f8c945-4b74-4bd6-a073-e0d1997edce8} - C:\Program Files\midicair\prxtbmidi.dll (Conduit Ltd.)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (UrlHelper Class) - {A40DC6C5-79D0-4ca8-A185-8FF989AF1115} - C:\PROGRA~1\WI3C8A~1\Datamngr\IEBHO.dll (Bandoo Media, inc)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O2 - BHO: (BandooIEPlugin Class) - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll (Bandoo Media Inc.)
O3 - HKLM\..\Toolbar: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Program Files\Winload\prxtbWin0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (BrotherSoft Extreme Toolbar) - {51a86bb3-6602-4c85-92a5-130ee4864f13} - C:\Program Files\BrotherSoft_Extreme\prxtbBro0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (midicair Toolbar) - {77f8c945-4b74-4bd6-a073-e0d1997edce8} - C:\Program Files\midicair\prxtbmidi.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.31.2\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI3C8A~1\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (Search-Results Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Search-Results)
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll (facemoods.com)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Search-Results)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [DATAMNGR] C:\PROGRA~1\WI3C8A~1\Datamngr\DATAMN~1.EXE (Bandoo Media, inc)
O4 - HKLM..\Run: [facemoods] C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe (facemoods.com)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [Ocs_SM] C:\Users\Felix\AppData\Roaming\OCS\SM\SearchAnonymizer.exe (OCS)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-3995049860-688048530-36496495-1000..\Run: [Catatl] C:\Users\Felix\AppData\Roaming\twainserv\cscjava.exe ()
O4 - HKU\S-1-5-21-3995049860-688048530-36496495-1000..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-3995049860-688048530-36496495-1000..\Run: [Speech Recognition] C:\Windows\Speech\Common\sapisvr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3995049860-688048530-36496495-1000..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"  /MINIMIZED File not found
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3995049860-688048530-36496495-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10v_Plugin.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{270E8BF8-4DA2-490D-9669-053129DD7356}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A72F1B78-3C52-4A73-8146-1429ACAC1EA3}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\progra~1\wi3c8a~1\datamngr\datamngr.dll) - c:\progra~1\wi3c8a~1\datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (c:\progra~1\wi3c8a~1\datamngr\iebho.dll) - c:\progra~1\wi3c8a~1\datamngr\iebho.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (c:\progra~1\bandoo\bndhook.dll) - c:\progra~1\bandoo\bndhook.dll (Discordia Limited)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\Autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012/03/31 16:42:16 | 000,000,000 | ---D | C] -- C:\Users\Felix\AppData\Roaming\Malwarebytes
[2012/03/31 16:42:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/31 16:42:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/03/31 16:42:12 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/03/31 16:42:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012/03/31 17:30:22 | 000,654,372 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012/03/31 17:30:22 | 000,616,254 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/31 17:30:22 | 000,129,986 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012/03/31 17:30:22 | 000,106,376 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/31 17:25:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/31 17:25:48 | 2415,321,088 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/31 16:42:13 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/31 16:36:14 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/15 21:29:21 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/15 21:29:21 | 000,009,888 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/15 21:02:00 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/14 19:03:09 | 000,002,741 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012/03/31 16:42:13 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/19 17:13:31 | 000,338,432 | ---- | C] () -- C:\Windows\System32\sqlite36_engine.dll
[2011/07/02 11:23:17 | 000,000,058 | ---- | C] () -- C:\Windows\ben4.ini
[2011/06/04 20:13:05 | 000,000,126 | ---- | C] () -- C:\Windows\System32\AF15IRTBL.bin
[2010/11/30 20:58:00 | 000,098,304 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2010/10/25 22:32:33 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2010/10/25 22:29:13 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/10/25 20:11:57 | 000,654,372 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2010/10/25 20:11:57 | 000,295,922 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2010/10/25 20:11:57 | 000,129,986 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2010/10/25 20:11:57 | 000,038,104 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2010/10/25 19:55:02 | 000,294,912 | ---- | C] () -- C:\Windows\System32\ATIODE.exe
[2010/10/25 19:55:02 | 000,045,056 | ---- | C] () -- C:\Windows\System32\ATIODCLI.exe
[2010/10/25 19:55:02 | 000,002,137 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2010/10/25 19:55:01 | 000,203,336 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2010/10/03 14:34:16 | 000,000,281 | ---- | C] () -- C:\Windows\Sierra.ini
[2010/08/09 15:05:15 | 000,003,584 | ---- | C] () -- C:\Users\Felix\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/08 20:13:57 | 001,524,112 | ---- | C] () -- C:\Windows\System32\bandoolmx.dll

< End of report >
Code:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Datenbank Version: v2012.03.31.07

Windows 7 x86 NTFS (Abgesichertenmodus/Netzwerkfähig)
Internet Explorer 8.0.7600.16385
Felix :: FELIX-PC [Administrator]

31.03.2012 16:42:51
mbam-log-2012-03-31 (16-42-51).txt

Art des Suchlaufs: Vollständiger Suchlauf
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 329739
Laufzeit: 24 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FoxTab PDF Creator (Adware.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SkypePM (Trojan.Agent) -> Daten: C:\Users\Felix\AppData\Local\Skype\SkypePM.exe -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen) -> Daten: C:\Users\Felix\AppData\Roaming\6ekjsr5e.exe -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|L1fHvZilhgticDP (Backdoor.Messa) -> Daten: C:\Users\Felix\AppData\Roaming\6ekjsr5e.exe -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bösartig: (1) Gut: (0) -> Erfolgreich ersetzt und in Quarantäne gestellt.

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 10
C:\Users\Felix\Downloads\SoftonicDownloader_fuer_lego-indiana-jones-the-original-adventures.exe (PUP.BundleOffer.Downloader.S) -> Keine Aktion durchgeführt.
C:\Users\Felix\AppData\Local\Skype\SkypePM.exe (Trojan.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Program Files\FoxTabPDFConverter\Uninstall\Uninstall.exe (Adware.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Felix\AppData\Local\Temp\comver.dll (Adware.GameSpyArcade) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Felix\AppData\Local\Temp\mor.exe (Trojan.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Felix\AppData\Local\Temp\ICReinstall\FlvPlayerSetup(3).exe (Adware.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Felix\Downloads\Facemoods.exe (Adware.InstallCore) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Felix\Downloads\FlvPlayerSetup.exe (Adware.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Felix\Downloads\PDFCreatorSetup.exe (Adware.Agent) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Users\Felix\Downloads\setup(1).exe (Trojan.FakeVLC) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
Vielen dank im Voraus!!

markusg 31.03.2012 17:33
hi
otl is bei dir schon mal gelaufen, da wird dann die extra.txt nich mehr erstellt

dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user.
wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts.


• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.



Code:
:OTL
O4 - HKU\S-1-5-21-3995049860-688048530-36496495-1000..\Run: [Catatl] C:\Users\Felix\AppData\Roaming\twainserv\cscjava.exe ()
 :Files
C:\Users\Felix\AppData\Roaming\twainserv
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[Reboot]


• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.
starte in den normalen modus.

falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden

Hinweis: Die Datei bitte wie in der Anleitung zum UpChannel angegeben auch da hochladen. Bitte NICHT die ZIP-Datei hier als Anhang
in den Thread posten!



Drücke bitte die http://larusso.trojaner-board.de/Images/windows.jpg + E Taste.
  • Öffne dein Systemlaufwerk ( meistens C: )
  • Suche nun
    folgenden Ordner: _OTL und öffne diesen.
  • Mache einen Rechtsklick auf den Ordner Movedfiles --> Senden an --> Zip-Komprimierter Ordner

  • Dies wird eine Movedfiles.zip Datei in _OTL erstellen
  • Lade diese bitte in unseren Uploadchannel
    hoch. ( Durchsuchen --> C:\_OTL\Movedfiles.zip )
Teile mir mit ob der Upload problemlos geklappt hat. Danke im voraus :)

wookimaster 31.03.2012 18:01
okay, danke schonmal, dass du uns hilfst!

hier das Log:

Code:
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3995049860-688048530-36496495-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Catatl deleted successfully.
C:\Users\Felix\AppData\Roaming\twainserv\cscjava.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYFLASH]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Felix
->Flash cache emptied: 76327 bytes
 
User: Gast
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Felix
->Temp folder emptied: 2660252561 bytes
->Temporary Internet Files folder emptied: 60929155 bytes
->Java cache emptied: 201818 bytes
->FireFox cache emptied: 1152157227 bytes
->Google Chrome cache emptied: 361471797 bytes
->Flash cache emptied: 0 bytes
 
User: Gast
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 970355597 bytes
RecycleBin emptied: 27637457488 bytes
 
Total Files Cleaned = 31,321.00 mb
 
 
OTL by OldTimer - Version 3.2.39.2 log created on 03312012_185154

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
Upload hat problemslos geklappt.

markusg 31.03.2012 18:02
hi
nutzt du den pc für onlinebanking, einkäufe, sonstige zahlungsabwicklungen, oder ähnlich wichtiges, wie berufliches?

wookimaster 31.03.2012 18:23
naja, also manchmal amazon oder so. online-banking nicht, der pc wird hauptsächlich zum spielen und internetsurfen genutzt.

heißt dass, die infektion ist schlimm?
wenn es geht, würde ich gerne neuaufsetzen vermeiden.

markusg 01.04.2012 14:55
hi, das system muss auf grund des zbot trojaners neu gemacht werden.
1. Datenrettung:2. Formatieren, Windows neuinstallieren:3. PC absichern: http://www.trojaner-board.de/96344-a...-rechners.html
4. alle Passwörter ändern!
5. nach PC Absicherung, die gesicherten Daten prüfen und falls sauber: zurückspielen.
6. werde ich dann noch was zum absichern von Onlinebanking mit Chip Card Reader + Star Money sagen.

wookimaster 01.04.2012 15:46
"so ein mist. danke dir natürlich trotzdem.

ich traue mir das nicht alleine zu und werde einen freund fragen, ob er mir hilft.
vielleicht melden wir uns dann nochmal"

markusg 02.04.2012 08:48
melde dich für die absicherung noch mal, dann zeige ich dir wie du es vernünftig anstellst und in zukunft dein gerät selbst sauber wiederherstellen kannst, ohne auf andere angewiesen zu sein :-)


Alle Zeitangaben in WEZ +1. Es ist jetzt 16:00 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131