GEMA-Virus auf Win Vista

AlexG · 09.12.2011, 10:36

Hallo Trojaner-Team!

Auch ich bin nun seit gestern Opfer dieses Virus', oder Trojaners, oder was es auch immer ist worüber hier schon so viel zu lesen ist.
Es erscheint nach dem Booten ein GEMA Bildschirm mit einer Zahlungsaufforderung (50€) wegen angeblich illegal erworbener Musiktitel. Mit dem "Affengriff" kann ich den Laptop zwar runterfahren, leider kann ich aber nicht auf den Taskmanager zugreifen.
Beim Runterfahren kommt die Meldung, dass "hrt54is56ijfgte" das Runterfahren verhindert..
Ich habe schon Eure Hilfestellungen gelesen (ISO-Burner, OTPLE runterladen, usw.). Leider geht das Problem da schon los - ich bekomme keinen Zugang zur Downloadseite für die OTPLE-exe.
Für Eure Hilfe wäre ich sehr dankbar!

AlexG

markusg · 09.12.2011, 12:44

hi,
nur um sicher zu gehen, hast du diesen link genutzt?
http://filepony.de/download-otlpe/

AlexG · 09.12.2011, 13:09

Scheinbar nicht, denn jetzt klappt der Download. Danke erstmal!

AlexG · 10.12.2011, 13:43

Das nächste Problem: Ich hab die CD mit ISO gebrannt, aber der Laptop übergeht sie beim Booten einfach, obwohl ich das Laufwerk als Primär eingestellt habe...

AlexG · 10.12.2011, 13:52

Den letzten Post bitte ignorieren - die CD startet..

AlexG · 10.12.2011, 14:38

Hier die OTL.txt:OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 12/10/2011 2:31:55 PM - Run 
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.99 Gb Total Space | 267.39 Gb Free Space | 58.64% Space Free | Partition Type: NTFS
Drive D: | 1.84 Gb Total Space | 0.35 Gb Free Space | 18.80% Space Free | Partition Type: FAT
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
 
========== Win32 Services (SafeList) ==========
 
SRV - [2011/06/28 09:37:17 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/06/06 05:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/03/28 18:15:04 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/02/11 19:38:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2008/10/16 10:26:20 | 000,860,160 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/10/16 09:54:34 | 000,466,944 | ---- | M] (Intel(R) Corporation) [Auto] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] --  -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] --  -- (IpInIp)
DRV - [2011/06/28 09:37:18 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 09:37:18 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 17:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/02/22 11:27:40 | 000,049,664 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\L1C60x86.sys -- (L1C)
DRV - [2008/11/17 00:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Alex_und_Stephie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKU\Alex_und_Stephie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\Alex_und_Stephie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\Alex_und_Stephie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B4 BA 2B FE 17 15 CC 01  [binary data]
IE - HKU\Alex_und_Stephie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Alex_und_Stephie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
 
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "hxxp://www.google.de"
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/04 02:03:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2011/05/18 00:11:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Alex und Stephie\AppData\Roaming\Mozilla\Extensions
[2011/06/21 08:17:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/05/17 05:12:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
[2011/06/21 08:17:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
File not found (No name found) -- 
[2011/05/13 10:34:52 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/08/04 02:03:10 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 03:00:00 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 03:00:00 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2010/01/01 03:00:00 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010/01/01 03:00:00 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2010/01/01 03:00:00 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O4 - HKLM..\Run: [6zvcaxR5ls4KB9Y] C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe (sbavi traumi)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\Alex_und_Stephie_ON_C..\Run: [6zvcaxR5ls4KB9Y] C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe (sbavi traumi)
O4 - HKU\Alex_und_Stephie_ON_C..\Run: [sr5tuhsrt6xhjudry6] C:\Users\Alex und Stephie\AppData\Roaming\hsr5uyhrxt\serhur45hu.exe (sbavi traumi)
O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O7 - HKU\Alex_und_Stephie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
O7 - HKU\Alex_und_Stephie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\Alex_und_Stephie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe) - C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe (sbavi traumi)
O20 - HKU\Alex_und_Stephie_ON_C Winlogon: Shell - (C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe) - C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe (sbavi traumi)
O24 - Desktop WallPaper: 
O24 - Desktop BackupWallPaper: 
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/12/08 06:01:35 | 000,095,744 | ---- | C] (Kassl GmbH) -- C:\Users\Alex und Stephie\AppData\Roaming\dwlGina3.dll
[2011/12/08 05:58:14 | 000,417,792 | ---- | C] (sbavi traumi) -- C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe
[2011/12/08 05:57:47 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Roaming\hsr5uyhrxt
[2011/12/08 04:45:59 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\{4324D63C-B837-40E1-A24E-ED6745B8225F}
[2011/12/08 04:45:48 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\{B0AB5895-6025-4BB1-B1EE-1A1FC3F2B475}
[2011/12/05 16:59:15 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Roaming\Intel
[2011/11/22 14:40:38 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Roaming\Skype
[2011/11/22 14:40:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/11/22 14:40:31 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2011/11/22 14:40:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2011/11/22 05:35:21 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\{EA037402-BB8E-4B9D-8EFD-F69D93184B3C}
[2011/11/22 05:35:11 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\{FAB4CF83-1A8B-4F33-A5F7-0CC836275980}
[2011/11/21 15:35:44 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Roaming\Apple Computer
[2011/11/21 15:35:44 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\Apple Computer
[2011/11/21 15:35:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/11/21 15:34:21 | 000,107,368 | ---- | C] (GEAR Software Inc.) -- C:\Windows\System32\GEARAspi.dll
[2011/11/21 15:34:21 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2011/11/21 15:33:25 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/11/21 15:33:23 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/11/21 15:33:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2011/11/21 15:33:23 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/11/21 15:32:22 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\Apple
[2011/11/21 15:32:18 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/11/21 15:30:21 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/11/21 15:30:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2011/11/21 15:30:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2011/11/14 06:51:06 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\{704D9F5D-D0C1-49C8-82C1-126688884CB6}
[2011/11/14 06:50:55 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Local\{C6A7A906-3D2C-420E-A490-D8D6B9BD479F}
[2011/02/11 20:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
 
========== Files - Modified Within 30 Days ==========
 
[2011/12/10 07:51:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/10 07:50:59 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/10 07:50:59 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/10 07:46:46 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/10 07:46:46 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/08 06:01:35 | 000,095,744 | ---- | M] (Kassl GmbH) -- C:\Users\Alex und Stephie\AppData\Roaming\dwlGina3.dll
[2011/12/08 05:57:47 | 000,417,792 | ---- | M] (sbavi traumi) -- C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe
[2011/11/22 14:40:33 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/11/21 15:35:40 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/11/21 15:32:20 | 000,001,830 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
 
========== Files Created - No Company Name ==========
 
[2011/12/05 10:29:14 | 004,799,817 | ---- | C] () -- C:\Users\Alex und Stephie\Desktop\TM602_Users_Guide_DE.pdf
[2011/11/21 15:32:20 | 000,001,830 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2011/05/17 09:58:40 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2011/05/17 08:17:50 | 000,000,095 | ---- | C] () -- C:\Windows\winamp.ini
[2011/05/16 02:26:30 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/05/13 11:08:13 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/05/13 11:08:12 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/05/13 10:28:57 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/05/13 07:06:14 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/02/11 21:10:52 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2011/02/11 21:10:50 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2011/02/11 21:10:50 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2011/02/11 20:38:44 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2009/03/31 19:46:06 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2009/03/31 19:46:06 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2009/03/31 19:46:05 | 000,000,058 | ---- | C] () -- C:\Windows\Prelaunch.ini
[2009/03/31 19:46:05 | 000,000,028 | ---- | C] () -- C:\Windows\WisLangCode.ini
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,231,016 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,595,996 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,070 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
 
========== LOP Check ==========
 
[2011/05/13 15:03:39 | 000,000,000 | ---D | M] -- C:\Users\Alex und Stephie\AppData\Roaming\Acer GameZone Console
[2011/12/08 05:58:14 | 000,000,000 | ---D | M] -- C:\Users\Alex und Stephie\AppData\Roaming\hsr5uyhrxt
[2011/05/13 15:03:39 | 000,000,000 | ---D | M] -- C:\ProgramData\Acer GameZone Console
[2011/08/17 05:03:12 | 000,000,000 | ---D | M] -- C:\ProgramData\AirportMania
[2011/05/17 10:57:51 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2011/05/17 10:57:51 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2011/05/17 10:57:51 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2011/05/17 10:57:51 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2011/12/08 04:40:35 | 000,000,000 | ---D | M] -- C:\ProgramData\Soulseek
[2011/05/17 10:57:51 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2011/08/17 05:03:13 | 000,000,000 | ---D | M] -- C:\ProgramData\TEMP
[2011/05/17 10:57:52 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2011/11/21 15:34:19 | 000,000,000 | ---D | M] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/12/10 07:50:58 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:CDFF58FE
< End of report >

--- --- ---

und hier die Extras.txt:OTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 12/10/2011 2:31:55 PM - Run 
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.99 Gb Total Space | 267.39 Gb Free Space | 58.64% Space Free | Partition Type: NTFS
Drive D: | 1.84 Gb Total Space | 0.35 Gb Free Space | 18.80% Space Free | Partition Type: FAT
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 26
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{35C0A1E4-D02A-412C-841F-266DBB116ABB}" = Intel(R) PROSet/Wireless WiFi-Software
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F4BA3A2-7BE0-48EA-B4BC-CA4D842A409A}" = Cisco EAP-FAST Module
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{873E4648-6F6E-47F6-A7B2-A6F8DFABDCE6}" = Windows Live Messenger
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{934B3B19-8193-467A-B356-E73F82647D38}" = Cisco LEAP Module
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.0) - Deutsch
"{BAD1449B-DF0C-4118-B76D-68C54009576C}" = Cisco PEAP Module
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EBBB1DEF-8878-4CB8-BC0D-1196B30E7527}" = ANNO 1503
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CDex" = CDex extraction audio
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 5.0 (x86 de)" = Mozilla Firefox 5.0 (x86 de)
"PokerStars" = PokerStars
"Premium Skat Deluxe" = Premium Skat Deluxe
"ProInst" = Intel PROSet Wireless
"Soulseek2" = SoulSeek 157 NS 13e
"VLC media player" = VLC media player 1.0.2
"Winamp" = Winamp (nur entfernen)
"WinLiveSuite" = Windows Live Essentials
 
< End of report >

--- --- ---

Ich hoffe sehr, dass Ihr mir damit helfen könnt.
Danke schonmal!

AlexG

markusg · 10.12.2011, 20:15

auf deinem zweiten pc gehe auf start, programme zubehör editor, kopiere dort
rein:

Code:

ATTFilter

:OTL
O4 - HKLM..\Run: [6zvcaxR5ls4KB9Y] C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe (sbavi traumi)
O4 - HKU\Alex_und_Stephie_ON_C..\Run: [6zvcaxR5ls4KB9Y] C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe (sbavi traumi)
O4 - HKU\Alex_und_Stephie_ON_C..\Run: [sr5tuhsrt6xhjudry6] C:\Users\Alex und Stephie\AppData\Roaming\hsr5uyhrxt\serhur45hu.exe (sbavi traumi)
O7 - HKU\Alex_und_Stephie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
O7 - HKU\Alex_und_Stephie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\Alex_und_Stephie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O20 - HKLM Winlogon: Shell - (C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe) - C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe
(sbavi traumi)
O20 - HKU\Alex_und_Stephie_ON_C Winlogon: Shell - (C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe) - C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe
(sbavi traumi)
[2011/12/08 06:01:35 | 000,095,744 | ---- | C] (Kassl GmbH) -- C:\Users\Alex und Stephie\AppData\Roaming\dwlGina3.dll
[2011/12/08 05:58:14 | 000,417,792 | ---- | C] (sbavi traumi) -- C:\Users\Alex und Stephie\AppData\Roaming\hrt54is56ijfgte.exe
[2011/12/08 05:57:47 | 000,000,000 | ---D | C] -- C:\Users\Alex und Stephie\AppData\Roaming\hsr5uyhrxt
:Files
C:\Users\Alex und Stephie\AppData\Roaming\hsr5uyhrxt
:Commands
[purity]
[EMPTYFLASH] 
[emptytemp]
[Reboot]

dieses speicherst du auf nem usb stick als fix.txt
nutze nun wieder OTLPENet.exe (starte also von der erstellten cd) und hake alles an, wie es bereits im post zu OTLPENet.exe beschrieben ist.
• Klicke nun bitte auf den Fix Button.
es sollte nun eine meldung ähnlich dieser: "load fix from file" erscheinen, lade also die fix.txt von deinem stick.
wenn dies nicht funktioniert, bitte den fix manuell eintragen.
dann klicke erneut den fix buton. pc startet evtl. neu. wenn ja, nimm die cd aus dem laufwerk, windows sollte nun normal starten und die otl.txt öffnen,
log posten bitte.
falls dies geklappt hatt:
falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden

öffne computer, öffne C: dann _OTL
dort rechtsklick auf moved files
wähle zu moved files.rar oder zip hinzufügen.
folge dem link, und lade das archiv im upload channel hoch
http://www.trojaner-board.de/54791-a...ner-board.html

AlexG · 11.12.2011, 13:22

Hallo Markus.

Habe die Schritte bis zum Einfügen der Fix.txt genau befolgt.
Nach dem Einfügen der Datei in OTPLE reagiert dieses scheinbar nicht mehr, ich kann den "Run Fix" nicht starten..
Was nun..?

AlexG

markusg · 12.12.2011, 16:07

vllt mal bis zum ende lesen, da steht das du es auch mal mit manuellem eintragen versuchen sollst

09.12.2011, 12:44	#2
markusg /// Malware-holic	GEMA-Virus auf Win Vista hi, nur um sicher zu gehen, hast du diesen link genutzt? http://filepony.de/download-otlpe/ __________________ __________________

GEMA-Virus auf Win Vista

Plagegeister aller Art und deren Bekämpfung: GEMA-Virus auf Win Vista