PC durch Trojaner gesperrt "Bundespolizei"

cosinus · 09.03.2012, 09:54

Mach einen OTL-Fix, beende alle evtl. geöffneten Programme, auch Virenscanner deaktivieren (!), starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)

Code:

ATTFilter

:OTL
IE - HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com
IE - HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkcentre [binary data]
IE - HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home
IE - HKU\S-1-5-21-204789925-431152404-2132317803-1000\..\SearchScopes,DefaultScope = {675D5716-69F3-4527-A1A8-52BB2D5D4E7A}
IE - HKU\S-1-5-21-204789925-431152404-2132317803-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://de.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:de:official"
FF - prefs.js..keyword.URL: "http://utils.babylon.com/abt/index.php?url="
FF - prefs.js..network.proxy.type: 2
[2012.01.10 09:13:51 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\baeumker\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com
[2010.10.21 13:35:15 | 000,002,191 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-204789925-431152404-2132317803-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKU\S-1-5-21-204789925-431152404-2132317803-1000..\Run: []  File not found
O4 - HKU\S-1-5-21-204789925-431152404-2132317803-1000..\Run: [fsm]  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O32 - AutoRun File - [2007.09.28 09:37:36 | 002,009,642 | ---- | M] () - T:\AutoHotkey104704.zip -- [ NTFS ]
O33 - MountPoints2\{e71be3a3-7e45-11df-8a8d-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{e71be3a3-7e45-11df-8a8d-806e6f6e6963}\Shell\AutoRun\command - "" = Q:\LenovoQDrive.exe -- [2009.08.10 22:01:24 | 000,267,576 | -HS- | M] (Lenovo Group Limited)
:Commands
[emptytemp]
[resethosts]

Klick dann oben links auf den Button Fix!
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.

Die mit diesem Script gefixten Einträge, Dateien und Ordner werden zur Sicherheit nicht vollständig gelöscht, es wird eine Sicherheitskopie auf der Systempartition im Ordner "_OTL" erstellt.

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!

trythis · 12.03.2012, 17:02

ok, erledigt...hier der was ausgespruckt wird:

Code:

ATTFilter

 All processes killed
========== OTL ==========
HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Secondary_Page_URL| /E : value set successfully!
HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Secondary Start Pages| /E : value set successfully!
HKU\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKEY_USERS\S-1-5-21-204789925-431152404-2132317803-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-204789925-431152404-2132317803-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename
Prefs.js: "hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch" removed from browser.search.defaulturl
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
Prefs.js: "Google" removed from browser.search.selectedEngine
Prefs.js: "hxxp://de.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:de:official" removed from browser.startup.homepage
Prefs.js: "hxxp://utils.babylon.com/abt/index.php?url=" removed from keyword.URL
Prefs.js: 2 removed from network.proxy.type
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com\defaults\preferences folder moved successfully.
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com\defaults folder moved successfully.
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com\content\imgs\flgs folder moved successfully.
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com\content\imgs folder moved successfully.
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com\content folder moved successfully.
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com\components folder moved successfully.
C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\phplfz3n.default\extensions\ffxtlbr@babylon.com folder moved successfully.
C:\Programme\Mozilla Firefox\searchplugins\babylon.xml moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-204789925-431152404-2132317803-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-204789925-431152404-2132317803-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-204789925-431152404-2132317803-1000\Software\Microsoft\Windows\CurrentVersion\Run\\fsm deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop deleted successfully.
Registry value HKEY_USERS\S-1-5-21-204789925-431152404-2132317803-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
T:\AutoHotkey104704.zip moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e71be3a3-7e45-11df-8a8d-806e6f6e6963}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e71be3a3-7e45-11df-8a8d-806e6f6e6963}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e71be3a3-7e45-11df-8a8d-806e6f6e6963}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e71be3a3-7e45-11df-8a8d-806e6f6e6963}\ not found.
Q:\LenovoQDrive.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: ***
->Temp folder emptied: 13390132084 bytes
->Temporary Internet Files folder emptied: 61310665 bytes
->Java cache emptied: 867060 bytes
->FireFox cache emptied: 52360453 bytes
->Google Chrome cache emptied: 6446448 bytes
->Flash cache emptied: 644 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: ***
->Temp folder emptied: 65472231 bytes
->Temporary Internet Files folder emptied: 6038343 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 571 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1901811939 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 14.767,00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.35.1 log created on 03122012_134604

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\gnserv.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp\spserv.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

cosinus · 12.03.2012, 17:16

Bitte nun (im normalen Windows-Modus) dieses Tool von Kaspersky (TDSS-Killer) ausführen und das Log posten => http://www.trojaner-board.de/82358-t...entfernen.html

Hinweis: Bitte den Virenscanner abstellen bevor du den TDSS-Killer ausführst, denn v.a. Avira meldet im TDSS-Tool oft einen Fehalalrm!

Das Tool so einstellen wie unten im Bild angegeben - klick auf change parameters und setze die Haken wie im folgenden Screenshot abgebildet,
Dann auf Start Scan klicken und wenn es durch ist auf den Button Report klicken um das Log anzuzeigen. Dieses bitte komplett posten.
Wenn du das Log nicht findest oder den Inhalt kopieren und in dein Posting übertragen kannst, dann schau bitte direkt auf deiner Windows-Systempartition (meistens Laufwerk C

nach, da speichert der TDSS-Killer seine Logs.

Hinweis: Bitte nichts voreilig mit dem TDSS-Killer löschen! Falls Objekte vom TDSS-Killer bemängelt werden, alle mit der Aktion "skip" behandeln und hier nur das Log posten!

PC durch Trojaner gesperrt "Bundespolizei"

Plagegeister aller Art und deren Bekämpfung: PC durch Trojaner gesperrt "Bundespolizei"