Author Topic: Malware in the system despite permanent Avast Internet Security monitoring (Read 2989 times)


hohell (Guest)
Well, since I unfortunately have no special PC skills, I would like to try to get help here from experts. After reading an article by "ASYN" that interested me greatly, I decided to follow his suggestion for tracking down malware and found the following.
1.) I discovered a "Browser Manager", which I never installed and which starts itself up daily at the same time.
2.) Several more entries of the "Claro Toolbar", which I thought I had already wiped out some time ago.
So I did a run with "Adware Cleaner", with MBAM and with OTL. aswMBR I could not bring to completion, since, as is known, it quits at the MS program Visual Studio (as can be seen in the picture, at 12:17.41 it showed that it got stuck at VisualStudio.Tools.Applications). That is why I tried TDSSKiller, which found nothing among 466 checked objects.
In the MBAM log, only Babylon entries were found in folders 3 and 5.
Since I do not know exactly which entries of the enclosed logs I should delete or put into quarantine, I am asking for help here.
With special thanks for the effort, hohell

Asyn
An expert has been informed, please be a little patient.

Welcome to the forum,
Asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

essexboy
Good afternoon, please run AdwCleaner again and delete all that it finds.
Then you will need to uninstall either Avast or McAfee; let me know which you wish to keep and I will link to the correct removal tool for the other.

Once the OTL fix has run, could you let me know what problems remain?

Good day, please run AdwCleaner again and delete everything it finds.
Then you must uninstall either Avast or McAfee; let me know which one you want to keep and I will link the correct tool for the other.

Once the OTL fix has run, let me know what problems remain.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2736476
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\URLSearchHook: {7e111a5c-3d11-4f56-9463-5310c3c69025} - No CLSID value found
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\SearchScopes,DefaultScope = {A032DEB2-B12B-4B17-8B8B-44B60C5B72EE}
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.claro-search.com/?q={searchTerms}&affID=110824&tt=261112_clro_4812_8&babsrc=SP_ss&mntrId=fe3589e0000000000000f46d047c9e60
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\SearchScopes\{5FC8B805-C0C2-4847-88DE-2B9F75987758}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=de_US&apn_ptnrs=U3&apn_dtid=OSJ000YYAT&apn_uid=C76C755E-5700-43AF-B2D4-05F47F47BBD4&apn_sauid=E418C151-067A-4343-B3AC-08095899A052&
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\SearchScopes\{A032DEB2-B12B-4B17-8B8B-44B60C5B72EE}: "URL" = http://go.gmx.at/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2736476
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\SearchScopes\{CBA078DE-5747-4554-82A4-82851A1BFF58}: "URL" = http://go.web.de/tb/ie_searchplugin/?su={searchTerms}
IE - HKU\S-1-5-21-4017763817-4129695140-58862105-1001\..\SearchScopes\{D985B659-276F-4A13-9809-6D1F9FE42C62}: "URL" = http://search.gmx.com/web?q={searchTerms}&origin=tb_splugin_ie
FF - prefs.js..browser.search.defaultenginename: "Claro Search"
FF - prefs.js..browser.search.order.1: "Claro Search"
FF - prefs.js..browser.search.selectedEngine: "Claro Search"
FF - prefs.js..browser.startup.homepage: "http://www.claro-search.com/?affID=110824&tt=261112_clro_4812_8&babsrc=HP_ss&mntrId=fe3589e0000000000000f46d047c9e60"
FF - prefs.js..keyword.URL: "http://www.claro-search.com/?affID=110824&tt=261112_clro_4812_8&babsrc=KW_ss&mntrId=fe3589e0000000000000f46d047c9e60&q="
[2012.11.28 07:28:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Horst\AppData\Roaming\mozilla\Firefox\Profiles\eyhqqeru.default\extensions\ffxtlbr@babylon.com
[2012.11.28 07:29:16 | 000,002,526 | ---- | M] () -- C:\Users\Horst\AppData\Roaming\mozilla\firefox\profiles\eyhqqeru.default\searchplugins\mngr.xml
[2013.02.22 18:10:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2012.04.09 11:49:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions\quickstores@quickstores.de
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~3\browse~1\261339~1.144\{c16c1~1\mngr.dll) - File not found
[2013.01.16 19:35:12 | 000,000,384 | ---- | C] () -- C:\Windows\Tasks\SLOW-PCfighter64-Horst-Notification.job

:Files
c:\progra~3\browse~1
:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
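As an added example (not from this thread, from OTL's author or from the fix above), a small Python triage helper that parses lines in the OTL fix-script format shown above, pulls the host out of each IE SearchScopes URL and Firefox pref, and flags hosts whose URLs carry the affiliate parameters (affID, mntrId, ctid, babsrc, apn_*) that marked the Claro/Conduit/Babylon entries; the tracking-key heuristic and the shortened sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query keys that carried affiliate/monetisation IDs in the fix above.
# Treating them as a hijack marker is an assumption for this example, not an OTL rule.
TRACKING_KEYS = {"affid", "mntrid", "ctid", "babsrc", "apn_ptnrs", "apn_uid", "apn_sauid"}

IE_RE = re.compile(r'^IE - (?P<key>HK\w+\\.*SearchScopes\\\{[^}]+\}): "URL" = (?P<url>\S+)')
FF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): "(?P<val>[^"]*)"')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: \((?P<path>[^)]+)\) - (?P<status>.+)$')

# Constructed sample in the OTL format above (SID and IDs shortened, not real log data).
SAMPLE = r'''
IE - HKU\S-1-5-21-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.claro-search.com/?q={searchTerms}&affID=110824&babsrc=SP_ss&mntrId=fe3589e0
IE - HKU\S-1-5-21-1001\..\SearchScopes\{A032DEB2-B12B-4B17-8B8B-44B60C5B72EE}: "URL" = http://go.gmx.at/tb/ie_searchplugin/?su={searchTerms}
FF - prefs.js..browser.search.defaultenginename: "Claro Search"
FF - prefs.js..keyword.URL: "http://www.claro-search.com/?affID=110824&babsrc=KW_ss&mntrId=fe3589e0&q="
O20 - AppInit_DLLs: (c:\progra~3\browse~1\261339~1.144\{c16c1~1\mngr.dll) - File not found
'''

def url_info(url):
    """Return (host, tracking keys present) for a search-provider URL."""
    parts = urlsplit(url)
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return parts.hostname or "", keys & TRACKING_KEYS

def parse_entry(line):
    """Classify one OTL line; None for line types this triage does not handle."""
    m = IE_RE.match(line)
    if m:
        host, marks = url_info(m.group("url"))
        return {"kind": "ie_searchscope", "where": m.group("key"), "host": host, "marks": marks}
    m = FF_RE.match(line)
    if m:
        val = m.group("val")
        host, marks = url_info(val) if val.startswith("http") else ("", set())
        return {"kind": "ff_pref", "where": m.group("pref"), "host": host, "marks": marks}
    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs is loaded into every process using user32.dll; a PUP DLL or a
        # dangling entry there is always worth removing, so it is flagged unconditionally.
        return {"kind": "appinit_dll", "where": m.group("path"), "host": "", "marks": {"appinit"}}
    return None

def triage(log_text):
    return [e for e in (parse_entry(l.strip()) for l in log_text.splitlines()) if e]

def flagged_hosts(log_text):
    """Search-provider hosts whose URLs carry affiliate markers."""
    return sorted({e["host"] for e in triage(log_text) if e["marks"] and e["host"]})
```

Run on a real OTL log, the hosts it does not flag (here go.gmx.at) still need a manual look, since a hijacker may use a clean-looking URL.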

hohell (Guest)
Hello,
First of all, thank you very much for your help. I did exactly as advised and I add the results of the new OTL run as an attachment to this reply. Referring to the system I would like to keep, that will for sure be AVAST. If it is absolutely necessary to remove McAfee, so be it.
Best Regards,
hohell
Hello,
First of all, I would like to thank you for your help. I carried out the procedure exactly as suggested and attach the OTL logs to this message. As for the system I want to keep, it is certainly AVAST. If it is absolutely necessary to remove one of them, then it should be McAfee.
Kind regards,
hohell

essexboy
That looks better; how is the computer behaving now?

Download and run the McAfee removal tool from here:

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

That looks better; how is the computer behaving now?

Download and run the McAfee removal tool from here:

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

hohell (Guest)
Of course, it not only looks better, it is behaving normally and much quicker than before. I tried to search for any remnants of e.g. Claro or other malware. Nothing could be found anymore. Everything is fine by now. Just one thing: the removal of the McAfee program did not behave normally (see the attached files). Please advise.
Furthermore, I would be very pleased if you could give me instructions on how to remove the cache and temp files (which have been cleared during the advised process), so that I will be able to do that myself in the future (see attached). That was quite a big stone on my PC's leg. I'm sorry, but I can't send more than 512 kB, so how could I possibly send a file with 673 bytes (in ANSI)? When sending it as a text file, it has a size of 1.31 MB. Regarding the product, all info referring to the product ended with: "to be removed from system". At INFO "Removing registry keys", all found keys ended in: "does not exist". Same for files. Some files and entries of "Site Advisor" had been removed, whereas others were also shown as "not exist".
ProgramData\McAfee\\MSC... failed to remove, as well as %COMMONAPPDATA%\McAfee\.
FAIL   Product MSC was not successfully removed.
FAIL   Incomplete uninstallation.

April 13, 2014 09:45:21
INFO   Cleanup finished running using Task Scheduler.
FAIL   The products were not successfully removed by the scheduled cleanup.

There were no other fails in the log.
Please advise.

Thank you very much again,
hohell

essexboy
For temporary file cleaning I would recommend TFC

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
The two McAfee folders can be deleted manually.
The keys reported as "does not exist" had already been removed.


Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down the system and prevent crypto ransomware.



Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave: