hier ist das Log:

Zitat:

All processes killed
========== OTL ==========
Service Drtelsriknqb stopped successfully!
Service Drtelsriknqb deleted successfully!
File File not found not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
File move failed. C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{601ED020-FB6C-11D3-87D8-0050DA59922B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{601ED020-FB6C-11D3-87D8-0050DA59922B}\ deleted successfully.
C:\Programme\Ipswitch\WS_FTP Pro\wsbho2k0.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
C:\Programme\Java\jre6\bin\ssv.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE7CD045-E861-484f-8273-0445EE161910}\ deleted successfully.
C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cc05a3e3-64c3-4af2-bfc1-af0d66b69065}\ deleted successfully.
C:\Programme\softonic-de3\tbsoft.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{0CFFDD36-D100-367B-55CE-08723E3E0E65} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CFFDD36-D100-367B-55CE-08723E3E0E65}\ not found.
C:\Dokumente und Einstellungen\Leo\Anwendungsdaten\Iped\ydzam.exe moved successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
C:\WINDOWS\Downloaded Program Files\asinst.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job moved successfully.
C:\WINDOWS\tasks\SA.DAT moved successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: ***
->Flash cache emptied: 1501040 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 405 bytes

Total Flash Files Cleaned = 1,00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49152 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49152 bytes

User: ***
->Temp folder emptied: 218632823 bytes
->Temporary Internet Files folder emptied: 3491801 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 35505575 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 233115 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2951 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 98209426 bytes
RecycleBin emptied: 1083906348 bytes

Total Files Cleaned = 1.373,00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.1.2 log created on 07212010_174628

Files\Folders moved on Reboot...
C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll moved successfully.

Registry entries deleted on Reboot...

Zitat:

Zitat von Koti

hier ist das Log:

ok das sieht besser aus.

Jetzt machen wir noch einen Rootkit Scan und wenn der sauber ist sind wir fast durch.

Lade dir rootrepeal hier runter:
http://ad13.geekstogo.com/RootRepeal.exe

mit doppelklick öffnen NICHT sofort auf Scan klicken! Suche unten in der Leiste: REPORT. Darauf klicken. Klicke Scan> alle Scanalternativen ankrueuzen> ok> alle festplatten ankreuzen> klicke ok > der Scan startet und nach dem Scan kommt automatisch ein Log hoch, poste es hier.

Zitat:

Zitat von MalwareHero

ok das sieht besser aus.

Lade dir rootrepeal hier runter:
hxxp://ad13.geekstogo.com/RootRepeal.exe

Der Link ist tot. Hättest du evtl. eine Alternative?

Zitat:

Zitat von Koti

Der Link ist tot. Hättest du evtl. eine Alternative?

http://download.bleepingcomputer.com...RootRepeal.exe

ok, hier ist es.

Zitat:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/07/21 18:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2462000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B69000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0C60000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8d16fc6

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8d16fbc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8d16fcb

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8d16fd5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8d16fda

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8d16fa8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8d16fad

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8d16fe4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf8d16fdf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf8d16fd0

==EOF==

Zitat:

Zitat von Koti

ok, hier ist es.

Bitte bis morgen noch durchführen und alle Logs posten:

> mbr.exe von hier runterladen:
http://www2.gmer.net/mbr/mbr.exe

• Download mbr.exe zum Desktop
• Doppelklick mbr.exe um das Tool zu starten (ganz kurz öffnet sich ein fenster)
• Es wird ein Log erstellt liegt auf deinem Desktop.
• poste dessen Inhalt

> sfc/scannow und chkdsk/f durchführen, anleitung hast du schon.

> Kontrollscans mit ESET und DR.Web

Führe DR.Web (schneller Scan) im abgesicherten Modus aus.
http://www.trojaner-board.de/59299-a...eb-cureit.html
Fünde löschen lassen/Log erstellen und hier posten

ESET Online Scan
ESET Online Scanner - ESET Antivirus Software
Fünde hier melden/entfernen

> Alles an veralterter Software deinstallieren> Adobe Reader/java...
Updates laden: Secunia Personal Software Inspector - Download - COMPUTER BILD

> Windows Update duchführen!

******************************************************

hier ist schon mal das mbr-Log

Zitat:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

was ist mit sfc/scannow bzw. chkdsk/f gemeint? Könntest du mir noch einen Hinweis geben. Hab schon so viel getestet... - danke.

Zitat:

> sfc/scannow und chkdsk/f durchführen, anleitung hast du schon.

War das mit dem Befehl "Ausführen"? Nicht schlimm, dass ich keine Windows CD habe?