Trojaner-Board - Probleme durch 'Bundesministerium'-Trojaner

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - Probleme durch 'Bundesministerium'-Trojaner - OTL startet nicht (abges. Modus) (https://www.trojaner-board.de/128109-probleme-bundesministerium-trojaner-otl-startet-abges-modus.html)

Probleme durch 'Bundesministerium'-Trojaner - OTL startet nicht (abges. Modus)

Verehrte Forengemeinde,

es ist mein Netbook offenbar mit einem Virus oder Trojaner infiziert worden:

Es erscheint eine Seite des Bundesministerium mit Inhalten wegen urheberrechtlichen Angelegenheiten. Ausschalten und Neustart des Systems bringt dann eine weiße blanke Seite.

Ich kann zwar im abgesicherten Modus starten aber die hier im Forum empfohlene Anwendung OTL startet nur das erste Fenster. Nach klick auf Scan tut sich nichts.

Damit kann ich hier keinen Logfile posten.

Aktuell lasse ich gerade Spybot durchlaufen habe aber Zweifel ob dieses Programm hier wirklich hilfreich ist.

Ist meine Hoffnung hier auf Hilfe zu hoffen berechtigt?

Ich danke allen Lesern für die genommene Zeit und allen Tippgeber oder Helfern aurichtig für jeden Hinweis.

:hallo:

Ich werde dir bei deinem Problem helfen. Eine Bereinigung ist mitunter mit viel Arbeit für Dich (und mich) verbunden. Bevor es los geht, habe ich etwas Lesestoff für dich.

Zitat:

Lesestoff:
Regeln für die Bereinigung
Damit die Bereinigung funktioniert bitte ich dich, die folgenden Punkte aufmerksam zu lesen:
Bitte arbeite alle Schritte der Reihe nach ab. Gib mir bitte zu jedem Schritt Rückmeldung (Logfile oder Antwort) und zwar gesammelt, wenn du alles erledigt hast.

Nur Scanns durchführen zu denen Du aufgefordert wirst.

Bitte kein Crossposting (posten in mehreren Foren).

Installiere oder Deinstalliere während der Bereinigung keine Software, ausser Du wurdest dazu aufgefordert.

Lese Dir die Anleitung zuerst vollständig durch. Sollte etwas unklar sein, frage bevor Du beginnst.

Poste die Logfiles direkt in deinen Thread (möglichst in Code-Tags - #-Symbol im Editor). Nicht anhängen ausser ich fordere Dich dazu auf, oder das Logfile wäre zu gross. Erschwert mir nämlich das Auswerten.

Mache deinen Namen nur dann unkenntlich, wenn es unbedingt sein muss.

Beim ersten Anzeichen illegal genutzer Software (Cracks, Patches und Co) wird der Support ohne Diskussion eingestellt.

Sollte ich nicht nach 3 Tagen geantwortet haben, dann (und nur dann) schicke mir bitte eine PM.

Ich werde dir ganz deutlich mitteilen, dass du "sauber" bist. Bis dahin arbeite bitte gut mit.

Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der schnellere und immer der sicherste Weg.

Wenn du das alles gelesen und verstanden hast, kannst du loslegen! :kloppen:

Gelesen und verstanden?

Schritt 1:
Deinstalliere Spybot!

Schritt 2:
Scan mit Combofix

Zitat:

WARNUNG:
Combofix sollte ausschließlich ausgeführt werden, wenn dies von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix vom folgenden Downloadspiegel: Link
WICHTIG: Speichere Combofix auf deinem Desktop

Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.

Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.

Combofix wird überprüfen, ob die Microsoft Windows Wiederherstellungskonsole installiert ist.
Ist diese nicht installiert, erlaube Combofix diese herunter zu laden und zu installieren. Folge dazu einfach den Anweisungen und aktzeptiere die Endbenutzer-Lizenz.
Bei heutiger Malware ist dies sehr empfehlenswert, da diese uns eine Möglichkeit bietet, dein System zu reparieren, falls etwas schief geht.
Bestätige die Information, dass die Wiederherstellungskonsole installiert wurde mit Ja.
Hinweis: Ist diese bereits installiert, wird Combofix mit der Malwareentfernung fortfahren.

Während Combofix läuft bitte nicht am Computer arbeiten, die Maus bewegen oder ins Combofixfenster klicken!

Wenn Combofix fertig ist, wird es eine Logfile erstellen.

Bitte poste die C:\Combofix.txt in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

Fehlende Rückmeldung
Dieses Thema wurde aus den Abos gelöscht. Somit bekomm ich keine Benachrichtigung über neue Antworten.
PM an mich falls Du denoch weiter machen willst.

Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner schon sauber ist.

Jeder andere bitte hier klicken und einen eigenen Thread erstellen

Frohe Weihnachten, ryder,

Hier nun also das log und: Mein Dank:

1. ABFRAGE WIEDERHERSTELLUNGSKONSOLE - ZUGELASSEN.

MELDUNG:
DU SCHEINST NICHT MIT DEM INTERNET VERBUNDEN ZU SEIN....

INTERNETVERBINDUNG HERSTELLEN BEVOR DU AUF OK KLICKST.

ANMERKUNG
DEFINITIV: FALSCH. INTERNETVERBINDUNG VORHANDEN - ÜBERTRAGUNGSSTÄRKE: HERVORRAGEND

2. HERUNTERLADEN DER BENÖTIGTEN DATEIEN FEHLGESCHLAGEN. BRECHE AB ... WERDE MIT DEM SUCHLAUF NACH MALEWARE FORTFAHREN.

OK
> OK GEKLICKT

3.Combofix Logfile:

Code:

ComboFix 12-12-20.02 - Daniel 12/21/2012  15:29:18.1.2 - x86

ausgeführt von:: E:\ComboFix.exe

 * Neuer Wiederherstellungspunkt wurde erstellt

.

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!

.

.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Daniel\Application Data\convert\convert.exe

c:\documents and settings\Stef\Application Data\Raqab

c:\documents and settings\Stef\Application Data\Raqab\emin.zog

c:\documents and settings\Stef\Application Data\Utipi

c:\documents and settings\Stef\Application Data\Utipi\zyqi.etn

c:\documents and settings\Stef\Application Data\Utipi\zyqi.tmp

c:\windows\system32\SET25E.tmp

.

.

(((((((((((((((((((((((   Dateien erstellt von 2012-11-21 bis 2012-12-21  ))))))))))))))))))))))))))))))

.

.

2012-12-21 14:19 . 2012-12-21 14:38        --------        d-----w-        c:\windows\LastGood

2012-12-13 15:32 . 2012-12-13 15:32        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Mozilla

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Application Data\AVG2013

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Bluetooth Software

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Avg2013

2012-12-13 15:19 . 2012-12-13 15:19        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Scansoft

2012-12-13 14:39 . 2012-12-13 14:39        --------        d-----w-        c:\documents and settings\Administrator\Application Data\AVG2013

2012-12-13 14:29 . 2012-12-13 14:29        --------        d-----w-        c:\documents and settings\Administrator\Application Data\TuneUp Software

2012-12-13 14:23 . 2012-12-13 14:23        --------        d-----w-        c:\documents and settings\Administrator\Local Settings\Application Data\MFAData

2012-12-13 14:23 . 2012-12-13 14:23        --------        d-----w-        c:\documents and settings\Administrator\Local Settings\Application Data\Avg2013

2012-11-30 15:20 . 2012-11-30 15:22        --------        d-----w-        c:\documents and settings\Stef\Application Data\PhotoScape

2012-11-28 18:49 . 2012-11-28 18:56        --------        d-----w-        c:\documents and settings\Daniel\Application Data\PhotoScape

2012-11-28 18:39 . 2012-11-28 18:40        --------        d-----w-        c:\program files\PhotoScape

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\documents and settings\Daniel\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\program files\Adobe Download Assistant

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\program files\Common Files\Adobe AIR

2012-11-28 18:25 . 2012-12-21 14:43        --------        d-----w-        c:\documents and settings\Daniel\Application Data\convert

2012-11-28 18:24 . 2012-11-28 18:25        --------        d-----w-        c:\documents and settings\Daniel\Application Data\loadtbs

2012-11-28 18:24 . 2012-11-28 18:24        --------        d-----w-        c:\program files\WEB.DE MailCheck

2012-11-28 18:18 . 2012-11-28 18:19        --------        d-----w-        c:\program files\Protected Search

2012-11-28 18:18 . 2012-08-30 02:01        15432        ----a-w-        c:\windows\Launcher.exe

2012-11-28 18:14 . 2012-11-28 18:19        --------        d-----w-        c:\documents and settings\Daniel\Local Settings\Application Data\DownTango

2012-11-28 18:13 . 2012-11-28 18:13        --------        d-----w-        c:\program files\Red Sky

2012-11-27 17:30 . 2012-11-27 17:30        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{E648CD4D-3307-4213-89B2-9C0E20C77202}

2012-11-27 17:07 . 2012-11-27 17:07        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}

2012-11-27 17:05 . 2012-11-27 17:10        --------        d-----w-        c:\program files\Common Files\Native Instruments

2012-11-27 17:01 . 2012-11-27 17:01        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{C78336EC-F2EB-4640-99A4-DFE96581B90B}

2012-11-27 16:59 . 2012-11-27 17:09        --------        d-----w-        c:\program files\Native Instruments

2012-11-27 16:59 . 2012-11-27 17:09        --------        d-----w-        c:\documents and settings\All Users\Application Data\Native Instruments

2012-11-26 22:28 . 2012-12-21 14:26        --------        d-----w-        c:\documents and settings\Daniel\Application Data\vlc

2012-11-26 18:32 . 2007-01-26 00:00        4352        ----a-w-        c:\windows\system32\drivers\avmeject.sys

2012-11-26 18:30 . 2007-01-26 00:00        74752        ----a-w-        c:\windows\system32\fwlanci.dll

2012-11-26 18:30 . 2012-11-26 18:30        --------        d-----w-        c:\documents and settings\Daniel\AVM_Driver

2012-11-26 17:41 . 2012-11-26 18:12        --------        d-----w-        c:\program files\Common Files\DVDVideoSoft

2012-11-26 17:41 . 2012-11-26 18:11        --------        d-----w-        c:\program files\DVDVideoSoft

2012-11-26 17:40 . 2012-11-26 20:35        --------        d-----w-        c:\documents and settings\Daniel\Application Data\DVDVideoSoft

2012-11-25 11:42 . 2012-11-25 11:42        --------        d-----w-        c:\documents and settings\Daniel\Local Settings\Application Data\MFAData

2012-11-25 11:34 . 2012-11-25 11:34        --------        d-----w-        c:\program files\Common Files\Symantec Shared

2012-11-25 11:30 . 2012-11-25 11:30        --------        d-----w-        c:\windows\system32\drivers\NSS

2012-11-25 11:30 . 2012-11-25 11:30        --------        d-----w-        c:\program files\Norton Security Scan

2012-11-25 11:30 . 2012-11-25 11:30        --------        d-----w-        c:\documents and settings\All Users\Application Data\Norton

2012-11-25 11:29 . 2012-11-25 11:29        --------        d-----w-        c:\program files\NortonInstaller

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-13 16:01 . 2012-08-08 18:49        697272        ----a-w-        c:\windows\system32\FlashPlayerApp.exe

2012-12-13 16:01 . 2012-08-08 18:49        73656        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2009-05-13 22:57        1866368        ----a-w-        c:\windows\system32\win32k.sys

2012-11-08 16:37 . 2012-10-06 15:19        26984        ----a-w-        c:\windows\system32\drivers\avgtpx86.sys

2012-11-06 00:41 . 2009-05-13 22:57        290560        ------w-        c:\windows\system32\atmfd.dll

2012-11-02 02:02 . 2009-05-13 22:57        375296        ----a-w-        c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2009-05-13 22:57        916992        ----a-w-        c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2009-05-13 22:57        43520        ------w-        c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2009-05-13 22:57        1469440        ------w-        c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2009-05-13 22:57        385024        ------w-        c:\windows\system32\html.iec

2012-10-02 18:04 . 2009-05-13 22:57        58368        ----a-w-        c:\windows\system32\synceng.dll

2012-12-06 23:53 . 2012-12-06 23:52        262112        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll [BU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [BU]

"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]

.

[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-13 550912]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-03 298664]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [BU]

"AVMWlanClient"="c:\program files\avmwlanstick\FRITZWLANMini.exe" [2007-02-02 283136]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-02 296096]

"YouCam Service"="c:\program files\CyberLink\YouCam\YouCamService.exe" [2012-03-23 255208]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [x]

R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [x]

R3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [x]

R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]

R3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\DRIVERS\fwlanusb.sys [x]

R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]

S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [x]

S2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [x]

S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [x]

S2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [x]

S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [x]

S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]

S3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\Drivers\VMC326.sys [x]

S3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\wowfilter.sys [x]

S4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [x]

S4 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [x]

S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [x]

S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]

S4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]

.

.

--- Andere Dienste/Treiber im Speicher ---

.

*Deregistered* - Avgldx86

*Deregistered* - Avglogx

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

yksvcs        REG_MULTI_SZ           yksvc

.

Inhalt des "geplante Tasks" Ordners

.

2012-12-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 16:01]

.

2012-12-02 c:\windows\Tasks\Norton Security Scan for Daniel.job

- c:\progra~1\NORTON~2\Engine\372~1.5\Nss.exe [2012-11-25 09:45]

.

2012-12-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2859748474-667080921-3980430596-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]

.

2012-12-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2859748474-667080921-3980430596-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]

.

.

------- Zusätzlicher Suchlauf -------

.

uStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937

uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=

mStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937

mSearch Bar = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Free YouTube to MP3 Converter - c:\documents and settings\Daniel\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\

FF - prefs.js: browser.search.selectedEngine - WEB.DE Suche

FF - prefs.js: browser.startup.homepage - hxxp://go.web.de/tb/mff_startpage

FF - prefs.js: keyword.URL - hxxp://go.web.de/tb/mff_keyurl_search/?su=

FF - ExtSQL: 2012-10-24 20:26; crossriderapp5060@crossrider.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com

FF - ExtSQL: 2012-11-26 18:43; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi

FF - ExtSQL: 2012-11-28 19:25; sparpilot@sparpilot.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\sparpilot@sparpilot.com

FF - ExtSQL: 2012-11-28 19:25; software@loadtubes.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com

FF - ExtSQL: 2012-11-28 19:26; toolbar@web.de; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\toolbar@web.de.xpi

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -

.

WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-12-21 15:44

Windows 5.1.2600 Service Pack 3 NTFS

.

Scanne versteckte Prozesse... 

.

Scanne versteckte Autostarteinträge... 

.

Scanne versteckte Dateien... 

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

--------------------- Gesperrte Registrierungsschluessel ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

.

- - - - - - - > 'winlogon.exe'(1064)

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'winlogon.exe'(1588)

c:\windows\system32\igfxdev.dll

.

Zeit der Fertigstellung: 2012-12-21  15:48:34

ComboFix-quarantined-files.txt  2012-12-21 14:48

ComboFix2.txt  2012-12-13 15:11

.

Vor Suchlauf: 54,336,827,392 bytes free

Nach Suchlauf: 55,480,283,136 bytes free

.

- - End Of File - - 38BBA229FCBB6DBBD932A9D106DAD2E8

--- --- ---

Dann haben wir eine Alternative:

Gehe auf die Mircosoft Seite => http://support.microsoft.com/?scid=kb%3Bde%3B310994&x=21&y=12

Wähle den Download, der für dein Betriebssystem bestimmt ist:
Hinweis: Für WinXP Sp3 wähle die Sp2 Version.

http://i94.photobucket.com/albums/l8...ungskonsol.png

Lade die Datei herunter und speichere diese mit dem original Namen, neben ComboFix.exe ab.

http://i94.photobucket.com/albums/l8...onsole_ani.gif

Nun schließe alle offenen Programme und Fenster, inklusive der Antiviren und Antimalware Programme. Dies ist notwendig, damit kein Program den Suchlauf von ComboFix behindert.

Ziehe die Setupdatei auf ComboFix.exe und lasse es los.
Folge den Aufforderungen um ComboFix zu starten und wenn Du dazu aufgefordert wirst, stimme den Nutzungsbedingungen zu um die Wiederherstellungskonsole zu installieren.
Bei der nächsten Eingabeaufforderung, klicke auf "Yes" um den vollständigen Suchlauf von ComboFix zu starten.
Bitte poste mir den Inhalt von C:\ComboFix.txt hier in de Thread.

ryder,

nun folgende Meldung:

ComboFix hat festgestellt ....

antivirus: Avira Desktop
Antivirus: avast! Antivirus

Ich: Alles abgesucht:

START > Programme
systemsteuerung > Programme > installieren/deinstalliere
START > Suche

nix, nirgendwo eines der angemahnten Programme zu finden.

Taskleiste: negativ
Desktop: negativ

und nun???

Den step, das SP auf dem Desktop abzugespeichert und in den Katzenicon zu ziehen haben ich absolviert.

mensch, Trojaner aufs netbook, Hackerattacken, Weihnachtsstress und nun soll ich auch noch die Hilfsbereitschaft eines Fremden kurz vor Weihnachten über Gebühr strapazieren....

Tut mir leid.

CF fragt mich nun auf eigene verantwortung weiterzu machen. Mache ich nun. Auf eigene Verantwortung.

LOG folgt also.

Combofix Logfile:

Code:

ComboFix 12-12-20.02 - Daniel 12/21/2012  17:38:25.2.2 - x86

Microsoft Windows XP Home Edition  5.1.2600.3.1252.49.1033.18.1014.528 [GMT 1:00]

ausgeführt von:: c:\documents and settings\Daniel\Desktop\ComboFix.exe

Benutzte Befehlsschalter :: c:\documents and settings\Daniel\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

(((((((((((((((((((((((   Dateien erstellt von 2012-11-21 bis 2012-12-21  ))))))))))))))))))))))))))))))

.

.

2012-12-13 15:32 . 2012-12-13 15:32        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Mozilla

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Application Data\AVG2013

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Bluetooth Software

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Avg2013

2012-12-13 15:19 . 2012-12-13 15:19        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Scansoft

2012-12-13 14:39 . 2012-12-13 14:39        --------        d-----w-        c:\documents and settings\Administrator\Application Data\AVG2013

2012-12-13 14:29 . 2012-12-13 14:29        --------        d-----w-        c:\documents and settings\Administrator\Application Data\TuneUp Software

2012-12-13 14:23 . 2012-12-13 14:23        --------        d-----w-        c:\documents and settings\Administrator\Local Settings\Application Data\MFAData

2012-12-13 14:23 . 2012-12-13 14:23        --------        d-----w-        c:\documents and settings\Administrator\Local Settings\Application Data\Avg2013

2012-11-30 15:20 . 2012-11-30 15:22        --------        d-----w-        c:\documents and settings\Stef\Application Data\PhotoScape

2012-11-28 18:49 . 2012-11-28 18:56        --------        d-----w-        c:\documents and settings\Daniel\Application Data\PhotoScape

2012-11-28 18:39 . 2012-11-28 18:40        --------        d-----w-        c:\program files\PhotoScape

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\documents and settings\Daniel\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\program files\Adobe Download Assistant

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\program files\Common Files\Adobe AIR

2012-11-28 18:25 . 2012-12-21 14:43        --------        d-----w-        c:\documents and settings\Daniel\Application Data\convert

2012-11-28 18:24 . 2012-11-28 18:25        --------        d-----w-        c:\documents and settings\Daniel\Application Data\loadtbs

2012-11-28 18:24 . 2012-11-28 18:24        --------        d-----w-        c:\program files\WEB.DE MailCheck

2012-11-28 18:18 . 2012-11-28 18:19        --------        d-----w-        c:\program files\Protected Search

2012-11-28 18:18 . 2012-08-30 02:01        15432        ----a-w-        c:\windows\Launcher.exe

2012-11-28 18:14 . 2012-11-28 18:19        --------        d-----w-        c:\documents and settings\Daniel\Local Settings\Application Data\DownTango

2012-11-28 18:13 . 2012-11-28 18:13        --------        d-----w-        c:\program files\Red Sky

2012-11-27 17:30 . 2012-11-27 17:30        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{E648CD4D-3307-4213-89B2-9C0E20C77202}

2012-11-27 17:07 . 2012-11-27 17:07        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}

2012-11-27 17:05 . 2012-11-27 17:10        --------        d-----w-        c:\program files\Common Files\Native Instruments

2012-11-27 17:01 . 2012-11-27 17:01        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{C78336EC-F2EB-4640-99A4-DFE96581B90B}

2012-11-27 16:59 . 2012-11-27 17:09        --------        d-----w-        c:\program files\Native Instruments

2012-11-27 16:59 . 2012-11-27 17:09        --------        d-----w-        c:\documents and settings\All Users\Application Data\Native Instruments

2012-11-26 22:28 . 2012-12-21 14:26        --------        d-----w-        c:\documents and settings\Daniel\Application Data\vlc

2012-11-26 18:32 . 2007-01-26 00:00        4352        ----a-w-        c:\windows\system32\drivers\avmeject.sys

2012-11-26 18:30 . 2007-01-26 00:00        74752        ----a-w-        c:\windows\system32\fwlanci.dll

2012-11-26 18:30 . 2012-11-26 18:30        --------        d-----w-        c:\documents and settings\Daniel\AVM_Driver

2012-11-26 17:41 . 2012-11-26 18:12        --------        d-----w-        c:\program files\Common Files\DVDVideoSoft

2012-11-26 17:41 . 2012-11-26 18:11        --------        d-----w-        c:\program files\DVDVideoSoft

2012-11-26 17:40 . 2012-11-26 20:35        --------        d-----w-        c:\documents and settings\Daniel\Application Data\DVDVideoSoft

2012-11-25 11:42 . 2012-11-25 11:42        --------        d-----w-        c:\documents and settings\Daniel\Local Settings\Application Data\MFAData

2012-11-25 11:34 . 2012-11-25 11:34        --------        d-----w-        c:\program files\Common Files\Symantec Shared

2012-11-25 11:30 . 2012-12-21 15:38        --------        d-----w-        c:\documents and settings\All Users\Application Data\Norton

2012-11-25 11:29 . 2012-11-25 11:29        --------        d-----w-        c:\program files\NortonInstaller

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-13 16:01 . 2012-08-08 18:49        697272        ----a-w-        c:\windows\system32\FlashPlayerApp.exe

2012-12-13 16:01 . 2012-08-08 18:49        73656        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2009-05-13 22:57        1866368        ----a-w-        c:\windows\system32\win32k.sys

2012-11-08 16:37 . 2012-10-06 15:19        26984        ----a-w-        c:\windows\system32\drivers\avgtpx86.sys

2012-11-06 00:41 . 2009-05-13 22:57        290560        ------w-        c:\windows\system32\atmfd.dll

2012-11-02 02:02 . 2009-05-13 22:57        375296        ----a-w-        c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2009-05-13 22:57        916992        ----a-w-        c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2009-05-13 22:57        43520        ------w-        c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2009-05-13 22:57        1469440        ------w-        c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2009-05-13 22:57        385024        ------w-        c:\windows\system32\html.iec

2012-10-02 18:04 . 2009-05-13 22:57        58368        ----a-w-        c:\windows\system32\synceng.dll

2012-12-06 23:53 . 2012-12-06 23:52        262112        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll [BU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\13.2.0.5\AVG Secure Search_toolbar.dll" [BU]

"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{DFEFCDEE-CF1A-4FC8-88AD-129872198372}"= "c:\documents and settings\Daniel\Application Data\loadtbs\toolbar.dll" [2012-11-28 616448]

.

[HKEY_CLASSES_ROOT\clsid\{dfefcdee-cf1a-4fc8-88ad-129872198372}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-13 550912]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-03 298664]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [BU]

"AVMWlanClient"="c:\program files\avmwlanstick\FRITZWLANMini.exe" [2007-02-02 283136]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-02 296096]

"YouCam Service"="c:\program files\CyberLink\YouCam\YouCamService.exe" [2012-03-23 255208]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [10/6/2012 4:19 PM 26984]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [5/14/2009 1:51 AM 4300]

R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [10/12/2011 10:50 AM 4176896]

R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [2/19/2009 4:08 AM 74992]

R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [5/13/2009 11:57 PM 14336]

R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\drivers\clwvd.sys [9/7/2012 1:44 PM 27760]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [5/14/2009 1:55 AM 238464]

R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2/19/2009 4:08 AM 25560]

S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/14/2009 1:52 AM 1684736]

S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [11/26/2012 7:32 PM 4352]

S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [1/22/2010 9:07 PM 112640]

S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [8/2/2012 4:15 PM 265088]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [1/23/2010 8:05 AM 102656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

yksvcs        REG_MULTI_SZ           yksvc

.

Inhalt des "geplante Tasks" Ordners

.

2012-12-21 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 16:01]

.

2012-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2859748474-667080921-3980430596-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]

.

2012-12-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2859748474-667080921-3980430596-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]

.

.

------- Zusätzlicher Suchlauf -------

.

uStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937

uDefault_Search_URL = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=

mStart Page = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937

mSearch Bar = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Free YouTube to MP3 Converter - c:\documents and settings\Daniel\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\

FF - prefs.js: browser.search.selectedEngine - WEB.DE Suche

FF - prefs.js: browser.startup.homepage - hxxp://go.web.de/tb/mff_startpage

FF - prefs.js: keyword.URL - hxxp://go.web.de/tb/mff_keyurl_search/?su=

FF - ExtSQL: 2012-10-24 20:26; crossriderapp5060@crossrider.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com

FF - ExtSQL: 2012-11-26 18:43; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi

FF - ExtSQL: 2012-11-28 19:25; sparpilot@sparpilot.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\sparpilot@sparpilot.com

FF - ExtSQL: 2012-11-28 19:25; software@loadtubes.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com

FF - ExtSQL: 2012-11-28 19:26; toolbar@web.de; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\toolbar@web.de.xpi

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net

Rootkit scan 2012-12-21 17:47

Windows 5.1.2600 Service Pack 3 NTFS

.

Scanne versteckte Prozesse... 

.

Scanne versteckte Autostarteinträge... 

.

Scanne versteckte Dateien... 

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

--------------------- Gesperrte Registrierungsschluessel ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

.

- - - - - - - > 'winlogon.exe'(840)

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'winlogon.exe'(1476)

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'explorer.exe'(2524)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

- - - - - - - > 'explorer.exe'(3468)

c:\windows\system32\WININET.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Zeit der Fertigstellung: 2012-12-21  17:50:09

ComboFix-quarantined-files.txt  2012-12-21 16:50

ComboFix2.txt  2012-12-21 14:48

ComboFix3.txt  2012-12-13 15:11

.

Vor Suchlauf: 55,500,668,928 bytes free

Nach Suchlauf: 55,478,972,416 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 0C266DD85D2557C557D7C85B8E998742

--- --- ---

Du musst nur richtig lesen. CF meckert manchmal auch wenn alles deaktiviert ist.

So, dann wollen wir mal sehen ....

Schritt 1:
AdwCleaner: Werbeprogramme suchen und löschen

Downloade Dir bitte AdwCleaner auf deinen Desktop.
Starte die adwcleaner.exe mit einem Doppelklick.

Klicke auf Löschen.

Bestätige jeweils mit Ok.

Dein Rechner wird neu gestartet, je nach Schwere der Infektion auch mehrmals - das ist normal. Nach dem Neustart öffnet sich eine Textdatei.

Poste mir den Inhalt mit deiner nächsten Antwort.

Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.

Schritt 2:
Temporäre Dateien löschen mit TFC

Bitte lade dir TFC auf deinen Desktop und starte es. Es wird automatisch alle temporären Dateien entfernen.

Schritt 3:
Noch mal Combofix bitte.

aha, okee. Das klingt beruhigend. Prima.

Morgen werde ich dazukommen Deinen Anweisungen Adw, Tfc und nochmal CF zu folgen.

Steht einem eine derart sachliche und umgehende Hilfe zu Seite, fühlt sich das gut gut.

Für heute einen angenehmen Abend und vielen Dank.

(Thread bitte noch nicht schließen)

Hallo, benötigst Du noch weiterhin Hilfe ?

Sollte ich innerhalb der nächsten 24 Stunden keine Antwort von dir erhalten, werde ich dein Thema aus meinen Abos nehmen und bekomme dadurch keine Nachricht über neue Antworten.

Das Verschwinden der Symptome bedeutet nicht, dass dein System schon sauber ist

Entschuldige die Verzögerung: Empfehlung angewendet wie folgt:

1. ADW CLEANER (logfile nachstehend)
2. TF (System wurde einmal neugestartet)
3. NOCHMAL CF (log untenstehend)

Adwcleaner-Inhalt:
# AdwCleaner v2.102 - Logfile created 12/24/2012 at 12:31:41
# Updated 23/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Daniel - STEFANIE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Daniel\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\bprotector_extensions.sqlite
File Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\nbfa\Application Data\Mozilla\Firefox\Profiles\87f7fvnj.default\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\bprotector_extensions.sqlite
File Deleted : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\searchplugins\Web Search.xml
File Deleted : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\searchplugins\11-suche.xml
File Deleted : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\searchplugins\Web Search.xml
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\extensions\crossriderapp5060@crossrider.com
Folder Deleted : C:\Documents and Settings\Daniel\Application Data\loadtbs
Folder Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com
Folder Deleted : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com
Folder Deleted : C:\Documents and Settings\nbfa\Application Data\Mozilla\Firefox\Profiles\87f7fvnj.default\extensions\staged
Folder Deleted : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\extensions\crossriderapp5060@crossrider.com
Folder Deleted : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\extensions\crossriderapp5060@crossrider.com

***** [Registry] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Claro LTD
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{835315FC-1BF6-4CA9-80CD-F6C158D40692}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DFEFCDEE-CF1A-4FC8-88AD-129872198372}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055505560}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066506660}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044504460}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{DFEFCDEE-CF1A-4FC8-88AD-129872198372}]
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{DFEFCDEE-CF1A-4FC8-88AD-129872198372}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://newtab.certified-toolbar.com/nie?si=41460&tid=2937&new=true --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q= --> hxxp://www.google.com

-\\ Mozilla Firefox v17.0.1 (de)

File : C:\Documents and Settings\Stef\Application Data\Mozilla\Firefox\Profiles\xl4rikme.default-1348241791359\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.order.1", "Web Search");
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationTime", 1355413092);
Deleted : user_pref("extensions.crossriderapp5060.5060.active", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.addressbar", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.value", "1355413092");
Deleted : user_pref("extensions.crossriderapp5060.5060.description", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.domain", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.group", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.homepage", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.iframe", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.value", "40");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.value", "0");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.expiration", "Thu Dec 13[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.name", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.newtab", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.opensearch", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.code", "appAPI._cr_config={appID:funct[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.name", "base");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.name", "GPL Plugin (Loader)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.ver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.name", "GPL Background (BG)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.code", "if((typeof isBackground===\"u[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.code", "var CrossriderDebugManager=(f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.name", "debug");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.code", "(function(a){appAPI.queueMana[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.name", "resources");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.code", "var CrossriderInitializerPlug[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.name", "initializer");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com |[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.name", "jquery_1_7_1");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_0", "17,14,16,47,1000015");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_1", "17,14,13,16,15,4,1,21,22,100[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsversion", 16);
Deleted : user_pref("extensions.crossriderapp5060.5060.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp5060.5060.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.thankyou", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp5060.5060.ver", 40);
Deleted : user_pref("extensions.crossriderapp5060.apps", "5060");
Deleted : user_pref("extensions.crossriderapp5060.bic", "13ab35e2f2a7f290832f97b2eac5b6e9");
Deleted : user_pref("extensions.crossriderapp5060.cid", 5060);
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1355413088);
Deleted : user_pref("extensions.crossriderapp5060.lastcheck", 22590218);
Deleted : user_pref("extensions.crossriderapp5060.lastcheckitem", 22590222);
Deleted : user_pref("extensions.crossriderapp5060.modetype", "production");
Deleted : user_pref("extensions.crossriderapp5060.reportInstall", true);
Deleted : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=");

File : C:\Documents and Settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.order.1", "Web Search");
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationThankYouPage", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationTime", 1351103191);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.searchUserConifrmation", false[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setHomepage", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setNewTab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationUserSettings.setSearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.active", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.addressbar", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundjs", "\n\n\"undefined\"!=typeof _GPL_BG_NEW&&[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.backgroundver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.can_run_bg_code", true);
Deleted : user_pref("extensions.crossriderapp5060.5060.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.value", "1351103191");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_aoi.value", "1351103191");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_blocklist.expiration", "Fri Nov 30 2012 18:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_blocklist.value", "%22nonexistantdomain.com[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_country_code.expiration", "Sun Dec 02 2012 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_country_code.value", "%22DE%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_crr.expiration", "Fri Feb 01 2030 00:00:00 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_crr.value", "1354295571");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_hotfix20111102645.expiration", "Fri Feb 01 [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_hotfix20111102645.value", "%221%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_installer_params.expiration", "Fri Feb 01 2[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_installer_params.value", "%7B%22source_id%2[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_parent_zoneid.value", "%2214019%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_pc_20120828.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_pc_20120828.value", "1353852501763");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_product_id.expiration", "Fri Feb 01 2030 00[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_product_id.value", "%221224%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie._GPL_zoneid.value", "%2297646%22");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.dbtest.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.dbtest.value", "1353852487519");
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.lastrequest.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.lastrequest.value", "%7B%22path%22%3A%22/raylene[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.description", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.domain", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.group", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.homepage", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.iframe", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.InstallerIdentifiers.expiration", "Fri Feb 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.InstallerIdentifiers.value", "%7B%22installe[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_appVer.value", "38");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.expiration", "Fri Feb [...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_lastVersion.value", "0");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.expiration", "Fri Feb 01 2030[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_meta.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.expiration", "Sat Dec 01[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_nextCheck.value", "true");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.expiration", "Fri Feb 01 203[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_queue.value", "%7B%7D");
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_remote_resources.expiration", "Fri[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.Resources_remote_resources.value", "%7B%22re[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.SoftwareDetected.expiration", "Fri Feb 01 20[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.internaldb.SoftwareDetected.value", "%7B%22AnySoftware%[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.js", "\n\nif(\"undefined\"!=typeof _GPL_PLUGIN){var _GP[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.name", "Savings Sidekick");
Deleted : user_pref("extensions.crossriderapp5060.5060.newtab", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.opensearch", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.code", "appAPI._cr_config={appID:funct[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.name", "base");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.code", "Array.prototype.indexOf|[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.name", "GPL Plugin (Loader)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000014.ver", 7);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.code", "var _GPL_BG={vars:{},rul[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.name", "GPL Background (BG)");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_1000015.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.code", "(function(a){a.selectedText=f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefin[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.code", "(function(f){var u={};var e=M[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.code", "if((typeof isBackground===\"u[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_16.ver", 4);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.code", "if(typeof window!==\"undefine[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.code", "var CrossriderDebugManager=(f[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.name", "debug");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_21.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.code", "(function(a){appAPI.queueMana[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.name", "resources");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_22.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.code", "var CrossriderInitializerPlug[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.name", "initializer");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_28.ver", 2);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.code", "/*! jQuery v1.7.1 jquery.com |[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.name", "jquery_1_7_1");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_4.ver", 3);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.code", "(function(){appAPI.ready=func[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_0", "17,14,16,47,1000015");
Deleted : user_pref("extensions.crossriderapp5060.5060.plugins_lists.plugins_1", "17,14,13,16,15,4,1,21,22,100[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsurl", "hxxp://app-static.crossrider.com/plugin/a[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.pluginsversion", 16);
Deleted : user_pref("extensions.crossriderapp5060.5060.publisher", "215 Apps");
Deleted : user_pref("extensions.crossriderapp5060.5060.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp5060.5060.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp5060.5060.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.thankyou", "");
Deleted : user_pref("extensions.crossriderapp5060.5060.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp5060.5060.ver", 38);
Deleted : user_pref("extensions.crossriderapp5060.apps", "5060");
Deleted : user_pref("extensions.crossriderapp5060.bic", "13a94072196fa53aa47a365095f8a893");
Deleted : user_pref("extensions.crossriderapp5060.cid", 5060);
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1353843272);
Deleted : user_pref("extensions.crossriderapp5060.lastcheck", 22571591);
Deleted : user_pref("extensions.crossriderapp5060.lastcheckitem", 22571600);
Deleted : user_pref("extensions.crossriderapp5060.modetype", "production");
Deleted : user_pref("extensions.crossriderapp5060.reportInstall", true);

File : C:\Documents and Settings\nimo\Application Data\Mozilla\Firefox\Profiles\a01pgjyw.default\prefs.js

Deleted : user_pref("browser.startup.homepage", "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=29[...]
Deleted : user_pref("extensions.crossriderapp5060.bic", "13ab8232c104b729506742f49b32eeb7");
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1353953300);
Deleted : user_pref("extensions.enabledAddons", "crossriderapp5060@crossrider.com:0.86.38,{972ce4c6-7e08-4474-[...]
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.selectedEngine", "Web Search");
Deleted : user_pref("browser.newtab.url", "hxxp://newtab.certified-toolbar.com/nff?si=41460&tid=2937&new=true"[...]
Deleted : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=");
Deleted : user_pref("browser.search.order.1", "Web Search");

File : C:\Documents and Settings\nbfa\Application Data\Mozilla\Firefox\Profiles\87f7fvnj.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\whxrf7qe.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Deleted : user_pref("browser.search.order.1", "Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=29[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.InstallationTime", 1355409230);
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp5060.5060.cookie.InstallationTime.value", "1355409230");
Deleted : user_pref("extensions.crossriderapp5060.bic", "13b94af87c9b745277314ee9e545a29a");
Deleted : user_pref("extensions.crossriderapp5060.firstrun", false);
Deleted : user_pref("extensions.crossriderapp5060.installationdate", 1355409230);
Deleted : user_pref("extensions.crossriderapp5060.lastcheck", 22590154);
Deleted : user_pref("extensions.crossriderapp5060.lastcheckitem", 22590154);
Deleted : user_pref("extensions.crossriderapp5060.reportInstall", true);
Deleted : user_pref("extensions.enabledAddons", "crossriderapp5060%40crossrider.com:0.85.36,%7B411beae9-8c58-4[...]
Deleted : user_pref("keyword.URL", "hxxp://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=");

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Stef\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.4] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937",
Deleted [l.5] : homepage =rowser":{"show_home_button":true,"window_placement":{"bottom":568,"left":2,"maximized":false,"right"[...]

File : C:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.4] : homepage = "hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2937",

*************************

AdwCleaner[R1].txt - [46703 octets] - [25/11/2012 12:09:16]
AdwCleaner[S1].txt - [47092 octets] - [25/11/2012 12:21:46]
AdwCleaner[S2].txt - [34510 octets] - [24/12/2012 12:31:41]

########## EOF - C:\AdwCleaner[S2].txt - [34571 octets] ##########

ABSCHLIESSEND NOCHMAL CF WIE EMPFOHLEN _ INHALT NACHFOLGEND

Combofix Logfile:

Code:

ComboFix 12-12-20.02 - Daniel 12/24/2012  12:45:29.3.2 - x86

Microsoft Windows XP Home Edition  5.1.2600.3.1252.49.1033.18.1014.638 [GMT 1:00]

ausgeführt von:: c:\documents and settings\Daniel\Desktop\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

 * Neuer Wiederherstellungspunkt wurde erstellt

.

.

(((((((((((((((((((((((   Dateien erstellt von 2012-11-24 bis 2012-12-24  ))))))))))))))))))))))))))))))

.

.

2012-12-13 15:32 . 2012-12-13 15:32        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Mozilla

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Application Data\AVG2013

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Bluetooth Software

2012-12-13 15:20 . 2012-12-13 15:20        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Avg2013

2012-12-13 15:19 . 2012-12-13 15:19        --------        d-----w-        c:\documents and settings\nbfa\Local Settings\Application Data\Scansoft

2012-12-13 14:39 . 2012-12-13 14:39        --------        d-----w-        c:\documents and settings\Administrator\Application Data\AVG2013

2012-12-13 14:29 . 2012-12-13 14:29        --------        d-----w-        c:\documents and settings\Administrator\Application Data\TuneUp Software

2012-12-13 14:23 . 2012-12-13 14:23        --------        d-----w-        c:\documents and settings\Administrator\Local Settings\Application Data\MFAData

2012-12-13 14:23 . 2012-12-13 14:23        --------        d-----w-        c:\documents and settings\Administrator\Local Settings\Application Data\Avg2013

2012-11-30 15:20 . 2012-11-30 15:22        --------        d-----w-        c:\documents and settings\Stef\Application Data\PhotoScape

2012-11-28 18:49 . 2012-11-28 18:56        --------        d-----w-        c:\documents and settings\Daniel\Application Data\PhotoScape

2012-11-28 18:39 . 2012-11-28 18:40        --------        d-----w-        c:\program files\PhotoScape

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\documents and settings\Daniel\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\program files\Adobe Download Assistant

2012-11-28 18:27 . 2012-11-28 18:27        --------        d-----w-        c:\program files\Common Files\Adobe AIR

2012-11-28 18:25 . 2012-12-21 14:43        --------        d-----w-        c:\documents and settings\Daniel\Application Data\convert

2012-11-28 18:24 . 2012-11-28 18:24        --------        d-----w-        c:\program files\WEB.DE MailCheck

2012-11-28 18:18 . 2012-11-28 18:19        --------        d-----w-        c:\program files\Protected Search

2012-11-28 18:18 . 2012-08-30 02:01        15432        ----a-w-        c:\windows\Launcher.exe

2012-11-28 18:14 . 2012-11-28 18:19        --------        d-----w-        c:\documents and settings\Daniel\Local Settings\Application Data\DownTango

2012-11-28 18:13 . 2012-11-28 18:13        --------        d-----w-        c:\program files\Red Sky

2012-11-27 17:30 . 2012-11-27 17:30        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{E648CD4D-3307-4213-89B2-9C0E20C77202}

2012-11-27 17:07 . 2012-11-27 17:07        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}

2012-11-27 17:05 . 2012-11-27 17:10        --------        d-----w-        c:\program files\Common Files\Native Instruments

2012-11-27 17:01 . 2012-11-27 17:01        --------        dc-h--w-        c:\documents and settings\All Users\Application Data\{C78336EC-F2EB-4640-99A4-DFE96581B90B}

2012-11-27 16:59 . 2012-11-27 17:09        --------        d-----w-        c:\program files\Native Instruments

2012-11-27 16:59 . 2012-11-27 17:09        --------        d-----w-        c:\documents and settings\All Users\Application Data\Native Instruments

2012-11-26 22:28 . 2012-12-21 14:26        --------        d-----w-        c:\documents and settings\Daniel\Application Data\vlc

2012-11-26 18:32 . 2007-01-26 00:00        4352        ----a-w-        c:\windows\system32\drivers\avmeject.sys

2012-11-26 18:30 . 2007-01-26 00:00        74752        ----a-w-        c:\windows\system32\fwlanci.dll

2012-11-26 18:30 . 2012-11-26 18:30        --------        d-----w-        c:\documents and settings\Daniel\AVM_Driver

2012-11-26 17:41 . 2012-11-26 18:12        --------        d-----w-        c:\program files\Common Files\DVDVideoSoft

2012-11-26 17:41 . 2012-11-26 18:11        --------        d-----w-        c:\program files\DVDVideoSoft

2012-11-26 17:40 . 2012-11-26 20:35        --------        d-----w-        c:\documents and settings\Daniel\Application Data\DVDVideoSoft

2012-11-25 11:42 . 2012-11-25 11:42        --------        d-----w-        c:\documents and settings\Daniel\Local Settings\Application Data\MFAData

2012-11-25 11:34 . 2012-11-25 11:34        --------        d-----w-        c:\program files\Common Files\Symantec Shared

2012-11-25 11:30 . 2012-12-21 15:38        --------        d-----w-        c:\documents and settings\All Users\Application Data\Norton

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-16 12:23 . 2009-05-13 22:57        290560        ----a-w-        c:\windows\system32\atmfd.dll

2012-12-13 16:01 . 2012-08-08 18:49        697272        ----a-w-        c:\windows\system32\FlashPlayerApp.exe

2012-12-13 16:01 . 2012-08-08 18:49        73656        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2009-05-13 22:57        1866368        ----a-w-        c:\windows\system32\win32k.sys

2012-11-08 16:37 . 2012-10-06 15:19        26984        ----a-w-        c:\windows\system32\drivers\avgtpx86.sys

2012-11-02 02:02 . 2009-05-13 22:57        375296        ----a-w-        c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2009-05-13 22:57        916992        ----a-w-        c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2009-05-13 22:57        43520        ------w-        c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2009-05-13 22:57        1469440        ------w-        c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2009-05-13 22:57        385024        ------w-        c:\windows\system32\html.iec

2012-10-02 18:04 . 2009-05-13 22:57        58368        ----a-w-        c:\windows\system32\synceng.dll

2012-12-06 23:53 . 2012-12-06 23:52        262112        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BatteryLifeExtender"="c:\program files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe" [2009-03-13 550912]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2008-12-03 298664]

"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-11-27 2768896]

"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]

"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [BU]

"AVMWlanClient"="c:\program files\avmwlanstick\FRITZWLANMini.exe" [2007-02-02 283136]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-08-02 296096]

"YouCam Service"="c:\program files\CyberLink\YouCam\YouCamService.exe" [2012-03-23 255208]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-23 603488]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [10/6/2012 4:19 PM 26984]

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [5/14/2009 1:51 AM 4300]

R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [10/12/2011 10:50 AM 4176896]

R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [2/19/2009 4:08 AM 74992]

R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [5/13/2009 11:57 PM 14336]

R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\drivers\clwvd.sys [9/7/2012 1:44 PM 27760]

R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [5/14/2009 1:55 AM 238464]

R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2/19/2009 4:08 AM 25560]

S2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/14/2009 1:52 AM 1684736]

S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [11/26/2012 7:32 PM 4352]

S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [1/22/2010 9:07 PM 112640]

S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [8/2/2012 4:15 PM 265088]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [1/23/2010 8:05 AM 102656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

yksvcs        REG_MULTI_SZ           yksvc

.

Inhalt des "geplante Tasks" Ordners

.

2012-12-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 16:01]

.

2012-12-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2859748474-667080921-3980430596-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]

.

2012-12-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2859748474-667080921-3980430596-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-06-21 16:00]

.

.

------- Zusätzlicher Suchlauf -------

.

uStart Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://www.google.com

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Free YouTube to MP3 Converter - c:\documents and settings\Daniel\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm

IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\

FF - prefs.js: browser.search.selectedEngine - WEB.DE Suche

FF - prefs.js: browser.startup.homepage - hxxp://go.web.de/tb/mff_startpage

FF - prefs.js: keyword.URL - hxxp://go.web.de/tb/mff_keyurl_search/?su=

FF - ExtSQL: 2012-10-24 20:26; crossriderapp5060@crossrider.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\crossriderapp5060@crossrider.com

FF - ExtSQL: 2012-11-26 18:43; {ACAA314B-EEBA-48e4-AD47-84E31C44796C}; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi

FF - ExtSQL: 2012-11-28 19:25; sparpilot@sparpilot.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\sparpilot@sparpilot.com

FF - ExtSQL: 2012-11-28 19:25; software@loadtubes.com; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\software@loadtubes.com

FF - ExtSQL: 2012-11-28 19:26; toolbar@web.de; c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\wlzwr0sm.default\extensions\toolbar@web.de.xpi

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -

.

AddRemove-loadtbs-3.0 - c:\documents and settings\Daniel\Application Data\loadtbs\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net

Rootkit scan 2012-12-24 12:52

Windows 5.1.2600 Service Pack 3 NTFS

.

Scanne versteckte Prozesse... 

.

Scanne versteckte Autostarteinträge... 

.

Scanne versteckte Dateien... 

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

--------------------- Gesperrte Registrierungsschluessel ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

.

- - - - - - - > 'explorer.exe'(2768)

c:\windows\system32\WININET.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Zeit der Fertigstellung: 2012-12-24  12:55:21

ComboFix-quarantined-files.txt  2012-12-24 11:55

ComboFix2.txt  2012-12-21 16:50

ComboFix3.txt  2012-12-21 14:48

ComboFix4.txt  2012-12-13 15:11

.

Vor Suchlauf: 56,868,270,080 bytes free

Nach Suchlauf: 56,845,783,040 bytes free

.

- - End Of File - - 0C175BC72A94707A4E84399402F4CD3F

--- --- ---

Schritt 1:
Warnung: Mehrere Anti-Virus-Programme

Zitat:

Lesestoff:
Mehrere Anti-Virus-Programme
Auch wenn dieser Zustand besser ist als keine solche Software installiert zu haben, so ist er dennoch schlecht. Diese Programme haben einen Hintergrundwächter, der Dateizugriffe überwacht. Zwei solche Hintergrundwächter können und werden sich gegenseitig behindern, dein System ausbremsen und mit hoher Wahrscheinlichkeit im entscheidenen Moment eine Infektion eben nicht verhindern. Eine gute Absicherung besteht aus:
Einem Virenscanner mit Hintergrundwächter. Ich persönlich empfehle derzeit: Avast Free Antivirus

Einem Malwarescanner wie Malwarebytes

ggf. einem Browserschutz (ist bei Avast dabei)

Entscheide dich bitte für eines der folgenden Programme und deinstalliere den Rest über die Systemsteuerung => Software bzw. Programme & Funktionen:

Code:

Avira Avast

Um die Überreste des alten Virenscanner zu entfernen gibt es auf dieser Webseite passende Tools.

Ich würde Avira entfernen.

Schritt 2:
Combofix nochmal laufen lassen und mir dann ALLE Logfiles posten die du unter c:\qoobox findest.

Anhang 47767

Anhang 47768

Anhang 47769

Anhang 47770

Anhang 47771

Anhang 47772

Lieber ryder,

unter Start Systemsteuerung > Programme+Funktionen > ist nach wie vor kein Avira und kein anderes Sicherheitsprogramm mehr.

Die Schritte unter dem empfohlenen Link empfehlen
Start - Control Panel - Uninstall a program
Remove
Press Yes, to confirm the removal and then OK.
Click Next until Finish. The software is removed.

Das hatte ich bereits diese Woche getan daher auch unter dem o.g. Schritt kein Programm mehr.

aswclear.exe (AVAST) folgendes Problem:

Fährt sich herunter (auto), startet neu, meldet das das programm im abges. gestartet wird fragt nach ok, bei ok fährt herunter, startet neu, meldet wieder die safetymodus frage, bestätigt man mit ok das gleiche Spiel von vorne.

Files und ein screenshot anbei.

Zwischendurch: Schöne Weihnachten.

Okay, dann deinstalliere noch Spybot.

Welchen Virenscanner hast du denn jetzt installiert? Avast? AVG?

Ausserdem:

Weißt du zufällig was das hier sein könnte ich finde dazu nichts ...

Zitat:

R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller2.exe [2/19/2009 4:08 AM 74992]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2/19/2009 4:08 AM 25560]

Hat das irgendwas mit deiner DJ-SOftware zu tun?

Zitat:

Zitat von ryder (Beitrag 977629)

Okay, dann deinstalliere noch Spybot.

Welchen Virenscanner hast du denn jetzt installiert? Avast? AVG?

Ist ebenfalls nicht mehr da, schon diese Woche weg gemacht = deinstall.

Zitat:

Zitat von ryder (Beitrag 977630)

Ausserdem:

Weißt du zufällig was das hier sein könnte ich finde dazu nichts ...

Hat das irgendwas mit deiner DJ-SOftware zu tun?

das ist gut möglich. Die Software heisst 'traktor'.

Deinstallieren?