Trojaner-Board - Bundespolizei Trojaner

Vielen dank für den weiteren Support :daumenhoc
Ich hab die Answeisungen ausgeführt, wie beschrieben. ComboFix auf den Desktop geladen uns ausgeführt. Dabei habe ich, da ich (momentan) kein AV-Programm habe, Windows Defender und die Firewall abgeschaltet und davor noch die Internetverbindung komplett gekappt (Wlan Stick rausgezogen).

Hier der ComboFix Log:
Code:
ComboFix 11-08-07.03 - *** 08.08.2011  13:49:33.1.4 - x64

Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.49.1031.18.4093.2661 [GMT 2:00]

ausgeführt von:: c:\users\***\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\acer\Preload\Autorun\DRV\Pro-Nets Modem HPI56M3\_desktop.ini

c:\acer\Preload\Autorun\DRV\Pro-Nets Modem HPI56M3\98\_desktop.ini

c:\acer\Preload\Autorun\DRV\Pro-Nets Modem HPI56M3\ME\_desktop.ini

c:\acer\Preload\Autorun\DRV\Pro-Nets Modem HPI56M3\VISTAXP2K\_desktop.ini

c:\acer\Preload\Autorun\DRV\Pro-Nets Modem HPI56M3\VISTAXP2K\amd64\_desktop.ini

c:\acer\Preload\Autorun\DRV\Pro-Nets Modem HPI56M3\VISTAXP2K\x86\_desktop.ini

C:\Install.exe

c:\program files (x86)\Uninstall.exe

c:\program files (x86)\update.exe

c:\users\***\AppData\Roaming\Windows

c:\users\Benutzerkonto 2\fauxut.exe

c:\users\Benutzerkonto 2\liwor.exe

c:\users\Benutzerkonto 2\yiiaj.exe

c:\windows\system32\AutoRun.inf

c:\windows\system32\Install.cmd

c:\windows\SysWow64\10247940.dll

c:\windows\SysWow64\22013553.dll

.

.

(((((((((((((((((((((((   Dateien erstellt von 2011-07-08 bis 2011-08-08  ))))))))))))))))))))))))))))))

.

.

2011-08-06 12:50 . 2011-07-13 04:53        8578896        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC659A54-83C8-4FA9-B9EE-3BCEE4F97D12}\mpengine.dll

2011-08-06 12:35 . 2010-10-10 17:49        1724416        ----a-w-        c:\windows\system32\drivers\athurx.sys

2011-08-04 11:13 . 2011-08-04 11:13        --------        d-----w-        C:\_OTL

2011-08-02 19:56 . 2011-08-02 19:57        --------        d-----w-        c:\program files\Wireshark

2011-07-31 13:20 . 2011-07-31 13:20        --------        d-----w-        c:\users\***\AppData\Roaming\DVDVideoSoft

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 17:52 . 2010-07-29 08:51        41272        ----a-w-        c:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-07-06 17:52 . 2009-12-15 17:52        25912        ----a-w-        c:\windows\system32\drivers\mbam.sys

2011-05-24 17:14 . 2009-10-02 21:38        270720        ------w-        c:\windows\system32\MpSigStub.exe

2011-05-20 19:44 . 2011-05-20 19:44        1138440        ----a-w-        c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2010-08-06 13:40 . 2010-08-06 13:40        10064640        ----a-w-        c:\program files (x86)\ts3client_win64.exe

2010-05-18 12:46 . 2010-05-18 12:46        1033216        ----a-w-        c:\program files (x86)\fmodex64.dll

2010-05-17 08:29 . 2010-05-17 08:29        10144768        ----a-w-        c:\program files (x86)\QtGui4.dll

2010-03-25 09:57 . 2010-03-25 09:57        2699264        ----a-w-        c:\program files (x86)\QtCore4.dll

2010-03-22 09:59 . 2010-03-22 09:59        934400        ----a-w-        c:\program files (x86)\QtNetwork4.dll

2004-07-09 03:08 . 2004-07-09 03:08        472576        ----a-w-        c:\program files\dxsetup.exe

2004-07-09 03:08 . 2004-07-09 03:08        472576        ----a-w-        c:\program files (x86)\dxsetup.exe

2004-07-09 03:08 . 2004-07-09 03:08        2242560        ----a-w-        c:\program files\dsetup32.dll

2004-07-09 03:08 . 2004-07-09 03:08        2242560        ----a-w-        c:\program files (x86)\dsetup32.dll

2004-07-09 02:03 . 2004-07-09 02:03        62976        ----a-w-        c:\program files\DSETUP.dll

2004-07-09 02:03 . 2004-07-09 02:03        62976        ----a-w-        c:\program files (x86)\DSETUP.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SmpcSys"="c:\program files\PACKARD BELL\SetUpMyPC\SmpSys.exe" [2008-07-07 1038136]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SmpcSys"="c:\program files\Packard Bell\SetupMyPC\SmpSys.exe" [2008-07-07 1038136]

.

c:\users\Benutzerkonto 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

.

c:\users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe"

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 27648]

R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athurx.sys [x]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [x]

R4 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]

S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [x]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]

S2 ETService;Empowering Technology Service;c:\program files\PACKARDBELL\Packard Bell Recovery Management\Service\ETService.exe [2008-07-16 24576]

S2 RealtekUSB;RealtekUSB;c:\program files (x86)\Realtek\USB Wireless LAN Utility\RtlService.exe [2007-07-28 36864]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-11 240232]

S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe [2009-11-13 1353544]

S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys [2009-10-14 11856]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt        REG_MULTI_SZ           hpqcxs08 hpqddsvc

Akamai        REG_MULTI_SZ           Akamai

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

ezSharedSvc

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-04-24 6242816]

"Skytel"="Skytel.exe" [2007-11-20 1826816]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

UxTuneUp

.

------- Zusätzlicher Suchlauf -------

.

uStart Page = hxxp://www.google.de/ig?hl=de

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&s=1&o=vp64&d=1108&m=imedia_x5500_ge

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Free YouTube to MP3 Converter - c:\users\***\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

LSP: %SystemRoot%\system32\PrxerDrv.dll

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{8EAE8017-8F40-4890-A26D-0A1776921479}: NameServer = 195.50.140.87,195.50.140.153

TCP: Interfaces\{AB5DDB5A-F492-4FA3-AABB-B7531A2CDEF8}: NameServer = 190.50.140.15,195.50.140.69

DPF: {A21769F8-CEC5-4AFA-A6A4-CC921A15DF40} - hxxp://www.n2030.com/atlas_activex.dll

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\***\AppData\Roaming\Mozilla\Firefox\Profiles\3vkjwety.default\

FF - prefs.js: network.proxy.gopher - 

FF - prefs.js: network.proxy.gopher_port - 

FF - prefs.js: network.proxy.type - 0

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

.

------- Dateityp-Verknüpfung -------

.

JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -

.

HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe

AddRemove-Adobe Shockwave Player - c:\windows\system32\adobe\SHOCKW~1\UNWISE.EXE

AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe

AddRemove-Adobe Connect Add-in - c:\users\***\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\connectaddin\connectaddin.exe

.

.

.

--------------------- Gesperrte Registrierungsschluessel ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]

@SACL=

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]

@SACL=

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]

@SACL=

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@SACL=

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@SACL=

@="ShockwaveFlash.ShockwaveFlash.9"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]

@SACL=

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@SACL=

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@SACL=

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@SACL=

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]

@SACL=

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@SACL=

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]

@SACL=

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@SACL=

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@SACL=

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@SACL=

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]

@Denied: (A 2) (Everyone)

@SACL=

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]

@SACL=

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]

@SACL=

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]

@Denied: (A 2) (Everyone)

@SACL=

@="IFlashBroker"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid]

@Denied: (A 2) (Everyone)

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]

@SACL=

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]

@SACL=

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@SACL=

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@SACL=

@=""

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@SACL=

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

Zeit der Fertigstellung: 2011-08-08  14:09:57

ComboFix-quarantined-files.txt  2011-08-08 12:09

.

Vor Suchlauf: 21 Verzeichnis(se), 695.068.721.152 Bytes frei

Nach Suchlauf: 26 Verzeichnis(se), 695.443.144.704 Bytes frei

.

- - End Of File - - 00BE122F27950DEE2EA40C4005A93745