
Pests of all kinds and how to fight them: Windows encryption Trojan

Windows 7: If you are not sure whether you have caught malware or a Trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a Trojan or virus problem, an expert will help you get rid of the infection.

Old 25.04.2012, 20:58   #1
Toront

Windows encryption Trojan



Hello,
Unfortunately I also opened this lovely email attachment. (I still have the email, in case forwarding it is wanted.)
In safe mode I was able to run all my security programs, but they found nothing. After that I did a system restore, and for the time being everything worked again. Until half an hour ago, when I noticed that all my own files, pictures etc. now have "locked-" in front of them and the strangest things after them, e.g. jjnn, hhbb, zzll, zrss etc.; every file has something different after it. Only the pictures matter to me (the first 3 years of my daughter are among them); if they could somehow be rescued I would be very happy. I hope you can help me.
I have read the other posts on this topic and have also seen that I am not the only one this has happened to in the last 2 days :-( .
And a second computer is unfortunately not available at the moment.

Hi,

I now had the chance to create the CD (OTLPE) at my neighbour's. I was able to boot my computer with it, but when I double-click the OTLPE icon a window "Browse for Folder" opens, and I don't know what to click there.

Old 26.04.2012, 07:42   #2
kira
/// Helper Team

Windows encryption Trojan



Hello and welcome!

Before we begin working together, [please read in full]:
Quote:
  • "Remote treatment/remote help" and the associated liability risks:
    - since the troubleshooting and the actions are carried out over a long distance, we accept no liability for the consequences that result from them.
    - so any liability for damage arising from this is excluded; INSTRUCTIONS, AND FOLLOWING THEM, ARE AT YOUR OWN RESPONSIBILITY!
  • Characteristic features/profile information:
    - in the lists or log files used (e.g. your real name, serial numbers in programs etc.) you may replace these with [X] or asterisks (*)
  • The system check and cleanup:
    - can take some time (depending on the type of infection); the system may even be so badly compromised that an effective technical cleanup is no longer possible and you have to reinstall
  • I recommend that you first read the instructions completely before applying them, because if you do something wrong it can really become dangerous. If you follow my instructions step by step, nothing can really go wrong.
  • During the support period:
    - please do not act on your own without consulting first! Ask if there are problems.
  • The order:
    - please keep to it exactly as described; do not choose the order yourself!
  • CRACKED SOFTWARE is not tolerated here!!!!
  • Otherwise our forum rules:
    - Please read first, then post! -> For everyone seeking help! What do I need to consider before opening a thread?
  • Insert all log files with a vBCode tag; that gives a good overview here and makes my work easier! If the log file is too large, split it into several parts.

Once you have read this introductory text, you can begin.
Quote:
Quote from Toront (View Post)
but when I double-click the OTLPE icon a window "Browse for Folder" opens, and I don't know what to click there.
If you double-clicked OTLPE.exe on the Reatogo desktop:
please select My Computer -> C:\Windows -> click OK

Quote:
So that your thread stays clear and easy to read, it is best to use the code tags for your post:
→ before your log you write (i.e. at the start of the log file): [code]
here goes your log file, e.g. the OTL log file or anything else
→ after it, i.e. at the end of the log file: [/code]
** As far as possible, stay off the internet: no online banking, file sharing, chat programs etc.
Regards,
kira
__________________

Old 26.04.2012, 09:54   #3
Toront

Windows encryption Trojan



Hello Kira, first of all thank you very much for your reply; I hope I did everything correctly.

Code:
OTL logfile created on: 4/26/2012 12:36:00 PM - Run 
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 911.48 Gb Total Space | 671.56 Gb Free Space | 73.68% Space Free | Partition Type: NTFS
Drive D: | 20.01 Gb Total Space | 10.77 Gb Free Space | 53.81% Space Free | Partition Type: FAT32
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
 
========== Win32 Services (SafeList) ==========
 
SRV - [2012/03/07 13:05:44 | 000,918,880 | ---- | M] () [Auto] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe -- (vToolbarUpdater10.2.0)
SRV - [2012/02/02 07:26:38 | 000,666,200 | ---- | M] () [Auto] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe -- (AV Engine Scanning Service)
SRV - [2012/02/02 07:26:38 | 000,204,760 | ---- | M] () [Auto] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVWatchService.exe -- (AV Watch Service)
SRV - [2012/01/23 07:40:12 | 001,324,680 | ---- | M] (SPAMfighter ApS) [Auto] -- C:\Program Files\Fighters\FighterSuiteService.exe -- (Suite Service)
SRV - [2011/06/28 17:03:07 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/05/21 00:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/03/28 10:15:04 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/01/06 20:00:40 | 000,361,288 | ---- | M] (TuneUp Software) [On_Demand] -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009/11/26 08:28:22 | 000,604,488 | ---- | M] (TuneUp Software) [Auto] -- C:\Windows\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc)
SRV - [2009/01/26 10:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/10/08 18:19:22 | 000,358,936 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] --  -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] --  -- (IpInIp)
DRV - File not found [Kernel | Auto] --  -- (adfs)
DRV - [2012/03/14 17:28:06 | 000,278,728 | ---- | M] () [Kernel | Auto] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2012/03/14 17:28:06 | 000,025,416 | ---- | M] () [Kernel | Auto] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2012/02/09 16:43:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2012/02/02 07:26:40 | 000,010,264 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\drivers\avfsfilter.sys -- (AVFSFilter)
DRV - [2011/06/28 17:03:07 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 17:03:07 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 09:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/02/13 06:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2007/09/21 04:38:22 | 000,554,496 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2007/04/13 07:22:56 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com
IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.babylon.com/?affID=110819&babsrc=HP_ss&mntrId=a2f009d3000000000000002421791008
IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\Wilko_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\System32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0:  File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0:  File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\10.2.0.3\ [2012/04/25 08:06:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/06 08:30:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/16 13:59:39 | 000,000,000 | ---D | M]
 
[2010/03/18 08:12:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/15 21:15:29 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012/03/07 13:05:42 | 000,003,768 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/04/26 03:10:16 | 000,002,313 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2010/01/15 21:15:29 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2010/01/15 21:15:29 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2010/01/15 21:15:29 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2010/01/15 21:15:29 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O2 - BHO: (DealPly) - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files\DealPly\DealPlyIE.dll (DealPly Technologies Ltd)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKU\Wilko_ON_C\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CommonToolkitTray] C:\Program Files\Fighters\Tray\FightersTray.exe (SPAMfighter ApS)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SWPROguard] C:\Program Files\Fighters\SPYWAREfighter\swproTray.exe (SPAMfighter)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\UpdatusUser_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\Wilko_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: Error locating startup folders.
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} -  File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} -  File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012/04/26 03:14:28 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Malwarebytes
[2012/04/26 03:14:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/26 03:14:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/04/26 03:14:14 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/04/26 03:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/04/26 03:01:52 | 000,000,000 | ---D | C] -- C:\Program Files\DealPly
[2012/04/26 03:01:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Creator
[2012/04/26 03:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS
[2012/04/26 03:00:59 | 000,000,000 | ---D | C] -- C:\Program1
[2012/04/26 03:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator
[2012/04/26 03:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\BabylonToolbar
[2012/04/26 03:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Babylon
[2012/04/26 03:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Local\Babylon
[2012/04/26 03:00:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2012/04/25 09:12:39 | 000,000,000 | ---D | C] -- C:\ProgramData\clp
[2012/04/25 09:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fighters
[2012/04/25 09:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Fighters
[2012/04/25 09:12:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Common Toolkit Suite
[2012/04/25 09:12:02 | 000,000,000 | ---D | C] -- C:\Program Files\Fighters
[2012/04/25 09:11:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Toolkit Suite
[2012/04/25 09:10:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Fighters
[2012/04/25 08:20:30 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/04/25 06:24:45 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Realtec
[2012/04/11 18:19:08 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/04/11 18:19:07 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/04/11 18:19:07 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2012/04/11 18:19:06 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/04/11 18:19:05 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/04/11 18:19:05 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/04/11 18:19:05 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/04/11 18:17:37 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/04/11 18:17:37 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012/04/26 05:21:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/26 05:21:42 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/04/26 05:20:28 | 000,000,522 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job
[2012/04/26 05:20:10 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/26 05:20:10 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/26 05:20:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/26 04:34:12 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/26 03:14:17 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012/04/26 03:14:17 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/26 03:10:17 | 000,000,711 | ---- | M] () -- C:\user.js
[2012/04/26 03:01:01 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Creator
[2012/04/26 02:53:18 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012/04/26 02:53:18 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/26 02:53:18 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/04/26 02:53:17 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012/04/25 09:12:30 | 000,001,931 | ---- | M] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk
[2012/04/25 08:20:32 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/04/25 08:18:00 | 003,077,764 | ---- | M] () -- C:\Users\Wilko\Desktop\MD001764.JPG
[2012/04/25 08:12:31 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft Public Test
[2012/04/25 08:12:31 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
[2012/04/25 06:29:49 | 021,073,936 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.11-win32.exe.pppw
[2012/04/25 06:29:49 | 020,533,281 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.9-win32.exe.nnnb
[2012/04/25 06:29:49 | 000,000,348 | ---- | M] () -- C:\Users\Wilko\Documents\locked-test.fdb.aaee
[2012/04/25 06:29:48 | 899,012,795 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.7z.nnni
[2012/04/25 06:29:48 | 001,228,240 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.exe.jjnn
[2012/04/25 06:29:38 | 000,975,140 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa
[2012/04/11 18:18:58 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works
[2012/04/04 09:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012/04/26 03:14:17 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012/04/26 03:01:00 | 000,086,016 | ---- | C] () -- C:\Windows\System32\custmon32i.dll
[2012/04/26 03:00:59 | 000,000,711 | ---- | C] () -- C:\user.js
[2012/04/25 15:16:40 | 003,077,764 | ---- | C] () -- C:\Users\Wilko\Desktop\MD001764.JPG
[2012/04/25 09:12:30 | 000,001,931 | ---- | C] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk
[2012/04/25 08:20:32 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/04/25 08:18:37 | 000,001,096 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/25 08:18:36 | 000,001,092 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/14 17:28:06 | 000,278,728 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2012/03/14 17:28:06 | 000,025,416 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2012/02/02 07:26:40 | 000,010,264 | ---- | C] () -- C:\Windows\System32\drivers\avfsfilter.sys
[2011/06/24 15:01:43 | 000,000,000 | ---- | C] () -- C:\Windows\cdplayer.ini
[2011/01/23 11:59:59 | 000,975,140 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa
[2010/09/05 04:50:28 | 000,000,000 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\wklnhst.dat
[2010/03/26 17:04:41 | 000,000,008 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\jasltw.dat
[2010/01/07 08:53:46 | 000,000,680 | ---- | C] () -- C:\Users\Wilko\AppData\Local\d3d9caps.dat
[2009/12/10 10:50:56 | 000,069,632 | R--- | C] () -- C:\Windows\System32\xmltok.dll
[2009/12/10 10:50:56 | 000,036,864 | R--- | C] () -- C:\Windows\System32\xmlparse.dll
[2009/10/08 10:29:57 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2009/09/03 14:32:17 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2009/08/03 11:46:24 | 000,017,408 | ---- | C] () -- C:\Users\Wilko\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/24 15:59:42 | 000,628,504 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2009/06/24 15:59:42 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2009/06/24 15:59:42 | 000,126,248 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2009/06/24 15:59:42 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2009/06/24 06:43:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/06/24 06:42:47 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/06/24 06:29:16 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 002,224,768 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,595,798 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,103,872 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
 
========== LOP Check ==========
 
[2009/08/16 09:20:02 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Acreon
[2012/04/26 03:00:40 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Babylon
[2012/04/25 06:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\DVDVideoSoftIEHelpers
[2012/04/25 09:12:41 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Fighters
[2012/04/25 06:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\FRITZ!
[2010/09/19 11:16:30 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\gtk-2.0
[2010/12/27 18:09:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Local
[2012/04/25 08:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\MobMapUpdater
[2011/01/07 06:01:17 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Panda Security
[2012/04/25 08:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\RIFT
[2012/04/25 06:29:38 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\SurfSecret Privacy Suite
[2012/04/25 08:35:48 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TS3Client
[2011/11/18 07:24:14 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TuneUp Software
[2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Anwendungsdaten
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2012/03/07 13:05:47 | 000,000,000 | ---D | M] -- C:\ProgramData\AVG Secure Search
[2012/04/26 03:00:40 | 000,000,000 | ---D | M] -- C:\ProgramData\Babylon
[2009/07/25 10:55:22 | 000,000,000 | ---D | M] -- C:\ProgramData\BullGuard
[2010/05/01 06:00:53 | 000,000,000 | -H-D | M] -- C:\ProgramData\CanonBJ
[2012/04/25 09:42:41 | 000,000,000 | ---D | M] -- C:\ProgramData\clp
[2011/12/21 11:02:26 | 000,000,000 | -H-D | M] -- C:\ProgramData\Common Files
[2012/04/25 09:11:59 | 000,000,000 | ---D | M] -- C:\ProgramData\Common Toolkit Suite
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Dokumente
[2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favoriten
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2012/04/25 09:12:30 | 000,000,000 | ---D | M] -- C:\ProgramData\Fighters
[2011/01/07 06:00:02 | 000,000,000 | ---D | M] -- C:\ProgramData\Panda Security
[2006/11/02 09:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Startmenü
[2006/11/02 09:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2011/11/18 07:24:16 | 000,000,000 | ---D | M] -- C:\ProgramData\TuneUp Software
[2009/07/25 10:37:38 | 000,000,000 | -HSD | M] -- C:\ProgramData\Vorlagen
[2010/08/13 11:41:36 | 000,000,000 | ---D | M] -- C:\ProgramData\Zylom
[2009/06/24 08:11:28 | 000,000,000 | ---D | M] -- C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2011/11/18 07:23:14 | 000,000,000 | -HSD | M] -- C:\ProgramData\{32364CEA-7855-4A3C-B674-53D8E9B97936}
[2009/07/25 16:12:35 | 000,000,000 | -HSD | M] -- C:\ProgramData\{55A29068-F2CE-456C-9148-C869879E2357}
[2010/09/06 15:26:43 | 000,000,000 | -HSD | M] -- C:\ProgramData\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2012/04/26 05:20:28 | 000,000,522 | ---- | M] () -- C:\Windows\Tasks\1-Klick-Wartung.job
[2012/04/26 05:21:43 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
< End of report >
         
__________________
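The rename scheme Toront describes in the first post (a "locked-" prefix and four random letters appended to the name) is visible in the "Files - Modified Within 30 Days" section of the log above. The following is an added example, not code from the thread, from OTL or from the Trojaner-Board team: it parses the file-listing lines OTL writes, flags names that follow that scheme, recovers the probable original file name, and measures how tightly the modification times cluster, which is what distinguishes a bulk encryptor from ordinary user activity. The sample lines are copied from the log above, plus two unaffected files and one directory entry as negative cases. The "locked-" prefix and four-letter suffix come from the thread; treating everything between them as the original file name is an assumption.

```python
"""Triage helper for an OTL log: list files renamed by the encryptor.

Added example (not part of the thread, of OTL or of Trojaner-Board). It
parses OTL file lines of the form
  [yyyy/mm/dd hh:mm:ss | size | attrs | M] (company) -- path
and picks out names matching "locked-<original>.<four letters>".
"""
import re
from datetime import datetime

# Constructed sample: lines copied from the OTL log posted above, plus two
# clean files and one directory entry as negative cases.
SAMPLE_LOG = r"""
[2012/04/25 06:29:49 | 021,073,936 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.11-win32.exe.pppw
[2012/04/25 06:29:49 | 020,533,281 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.9-win32.exe.nnnb
[2012/04/25 06:29:49 | 000,000,348 | ---- | M] () -- C:\Users\Wilko\Documents\locked-test.fdb.aaee
[2012/04/25 06:29:48 | 899,012,795 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.7z.nnni
[2012/04/25 06:29:48 | 001,228,240 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.exe.jjnn
[2012/04/25 06:29:38 | 000,975,140 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa
[2012/04/25 08:18:00 | 003,077,764 | ---- | M] () -- C:\Users\Wilko\Desktop\MD001764.JPG
[2012/04/04 09:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/04/26 03:14:28 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Malwarebytes
"""

# One OTL file/directory line. The "(company)" part is absent on directory
# entries, so it is optional.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Naming scheme from the thread: "locked-" + original name (which keeps its
# own extension) + "." + four random lowercase letters. Assumption: the
# middle part is the untouched original name.
LOCKED_NAME = re.compile(r"^locked-(?P<orig>.+\.[^.]+)\.(?P<suffix>[a-z]{4})$")


def parse_otl_line(line):
    """Return a dict for an OTL file line, or None for any other line."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),  # "021,073,936" -> 21073936
        "attrs": m["attrs"],
        "company": m["company"],  # None on directory entries
        "path": m["path"].rstrip(),
    }


def classify_locked(path):
    """Return original name and random suffix if the file name follows the
    locked-* scheme, else None. Paths in OTL logs use backslashes."""
    name = path.rsplit("\\", 1)[-1]
    m = LOCKED_NAME.match(name)
    if not m:
        return None
    return {"original_name": m["orig"], "suffix": m["suffix"]}


def find_locked_files(log_text):
    """All parsed OTL entries whose name matches the rename scheme."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_otl_line(line)
        if rec is None:
            continue
        info = classify_locked(rec["path"])
        if info is None:
            continue
        rec.update(info)
        hits.append(rec)
    return hits


def summarize(log_text):
    """Scope of the damage: how many files, which names, how fast it ran."""
    hits = find_locked_files(log_text)
    stamps = sorted(h["timestamp"] for h in hits)
    window = int((stamps[-1] - stamps[0]).total_seconds()) if stamps else 0
    return {
        "count": len(hits),
        "originals": sorted(h["original_name"] for h in hits),
        "suffixes": sorted({h["suffix"] for h in hits}),
        "window_seconds": window,  # many files within seconds = bulk encryptor
        "folders": sorted({h["path"].rsplit("\\", 1)[0] for h in hits}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Recovering the name does not recover the contents: the point of the listing is to scope the damage (which folders, how many files, how quickly they were rewritten) before any cleanup runs, and to keep an inventory of original names in case a decryption tool for this family becomes available later. The six affected entries in the sample all fall within an eleven-second window, which is the signature of an automated encryptor rather than user activity.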

Old 26.04.2012, 13:05   #4
kira
/// Helper Team

Windows encryption Trojan



1.
Quote:
Attention, important!:
If you made any changes to the log file yourself, you must replace them with the original names and insert them into the script that way! Otherwise it will not work!
(user folder, your name or other details replaced by X, an asterisk or other names)
Fixing with OTLPE
  • Start OTLPE
  • Copy the following script (unchanged, including :OTL, i.e. everything that is in the code box after "Code"):
Code:
:OTL
SRV - [2009/01/26 10:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.medion.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=110819&babsrc=HP_ss&mntrId=a2f009d3000000000000002421791008
IE - HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\Wilko_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
[2012/03/07 13:05:42 | 000,003,768 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/04/26 03:10:16 | 000,002,313 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2010/01/15 21:15:29 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found.
O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found.
O3 - HKU\Wilko_ON_C\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
[2012/04/26 05:20:10 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/26 04:34:12 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

:Files
C:\ProgramData\BullGuard
C:\Users\Wilko\AppData\Roaming\Panda Security
C:\ProgramData\Panda Security
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
         
  • and paste it here:
  • Close all programs.
  • Click the Run Fix button.
  • Click on .
  • OTL will ask for a restart. Please allow it.
  • After the restart you will find a text document.
    Copy its contents into your thread here in code tags.

2.
Reboot and check whether you can already work in normal mode.
If yes, continue as follows:

3.
Uninstall, if present under Control Panel -> Software/Programs:
AVG Secure Search <- unnecessary
Babylon

4.
System scan with OTL - do not start OTLPE any more!

Download OTL from Oldtimer (if you do not have it yet) and save it to your desktop.
  • Double-click OTL.exe
  • Vista and Windows 7 users: right-click OTL.exe and choose "Run as administrator".
  • At the top you will find a box labelled Output.
    Please select Standard Output
  • Under Extra Registry please select Use SafeList.
  • Tick LOP and Purity check.
  • Now click Scan at the top left.


  • When the scan has finished, two logfiles are created.
    You will find the logfiles on your desktop => OTL.txt and Extras.txt
  • Post the logfiles here in the thread in code tags.

5.
To determine whether outdated or malicious software is installed under Programs, I would also like to see all your installed programs:
  • Download the CCleaner installer
  • Read the software licence agreement; if any toolbar is offered, please deselect it! -> start -> if necessary, set the language to "Deutsch".
  • start -> click `Extras` (to display the software installed on your system) -> then `Als Textdatei speichern...` (save as text file)
  • a text file is created automatically; post that logfile as well (i.e. the list of all installed programs, a text file)

Warning!:
Beware of invoices sent by e-mail with a ZIP file as attachment! They may be infected with an encryption trojan!
Do not open the attachment; ask in our forum first!

Back up your data regularly, to CD/DVD, USB sticks or external hard drives, ideally twice in different places!
Please pass this warning on wherever you can!
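What the helper does by hand in step 1 above (picking entries out of the OTL log and copying them verbatim under ":OTL") can be mechanised for a first pass. The following Python script is an added example for this thread; it is neither OTL's own code nor anything kira posted. It parses lines in the format OTL prints, flags entries with no publisher name, dangling references ("File not found", "No CLSID value found") and the search-hijacker domains seen in this thread's log (that domain list is an assumption), builds a ":OTL" block from the flagged lines, and deliberately keeps files renamed to locked-<name>.<4 letters> out of it. The sample log lines are constructed from entries posted in this thread.

```python
"""Triage of OTL log lines, as an added example for this thread (not OTL's own code).

Reads lines in the format OTL prints (PRC/SRV/DRV entries, IE/FF settings,
O2/O4 hooks and plain file entries), flags what the helper above picks out by
hand, copies the flagged lines verbatim under ":OTL" as a fix block, and keeps
ransomware-renamed files out of that block. The sample log is constructed from
entries posted in this thread; the hijacker domain list is an assumption.
"""
import re
from collections import defaultdict

# Stamp block OTL prints in front of most entries: [date time | size | attrs | M]
STAMP_RE = re.compile(
    r"\[(?P<date>[^|\]]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|\]]+)\|\s*[MC]\]")
# First Windows path after " -- "; service/driver entries append " -- (Name)" after it.
PATH_RE = re.compile(r"--\s+(?P<path>[A-Za-z]:[\\/].*?)(?=\s+--\s+\(|\s*$)")
# Naming pattern the encryption trojan in this thread uses: locked-<name>.<4 letters>
LOCKED_RE = re.compile(r"^locked-.+\.[a-z]{4}$", re.IGNORECASE)
# Assumption: search hijacker / PUP domains, taken from the OTL entries in this thread.
HIJACK_DOMAINS = ("search.babylon.com", "plasmoo.com", "isearch.avg.com", "crossrider.com")

# Constructed sample: entries copied from the OTL output posted in this thread.
SAMPLE_LOG = r"""
PRC - [2012.03.07 19:05:43 | 000,982,880 | ---- | M] () -- C:\Programme\AVG Secure Search\vprot.exe
PRC - [2011.06.28 23:03:07 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
SRV - [2012.02.02 13:26:38 | 000,666,200 | ---- | M] () [Auto | Running] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe -- (AV Engine Scanning Service)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=110819&babsrc=SP_ss
FF - prefs.js..extensions.enabledItems: engine@plasmoo.com:1.0.0.32
O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
[2012.04.25 12:29:38 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\locked-plasmoo.xml.mmww
[2011.04.28 19:42:58 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\plasmoo.xml
"""


def parse_entry(line):
    """Return (size in bytes, publisher, path); each is None when the line lacks it.
    Publisher is "" when OTL printed an empty "()" right after the stamp."""
    size = publisher = path = None
    stamp = STAMP_RE.search(line)
    if stamp:
        size = int(stamp.group("size").replace(",", ""))
        pub = re.match(r"\s*\((?P<p>[^)]*)\)", line[stamp.end():])
        if pub:
            publisher = pub.group("p")
    m = PATH_RE.search(line)
    if m:
        path = m.group("path").replace("/", "\\")
    return size, publisher, path


def classify(line):
    """Findings for one log line. A ransomware-renamed file is reported alone,
    so that it never ends up in a fix block."""
    _, publisher, path = parse_entry(line)
    basename = path.rsplit("\\", 1)[-1] if path else ""
    if LOCKED_RE.match(basename):
        return ["ransomware-renamed"]
    findings = []
    if publisher == "" or line.rstrip().endswith("()"):
        findings.append("no-publisher")      # no company name recorded for the binary
    if "File not found" in line or "No CLSID value found" in line:
        findings.append("dangling")          # leftover reference to a removed component
    if any(d in line.lower() for d in HIJACK_DOMAINS):
        findings.append("search-hijack")     # browser search / homepage redirected
    return findings


def triage(lines):
    """Group non-empty log lines by finding; a line can appear under several."""
    report = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if line:
            for finding in classify(line):
                report[finding].append(line)
    return dict(report)


def build_fix_script(lines):
    """Fix block in OTL's own syntax: flagged lines copied verbatim under :OTL,
    exactly as the helper's script above does. Encrypted files are left out:
    OTL would move them into the _OTL folder and they may be the only copy left."""
    chosen = []
    for raw in lines:
        line = raw.strip()
        findings = classify(line) if line else []
        if findings and "ransomware-renamed" not in findings:
            chosen.append(line)
    return ":OTL\n" + "\n".join(chosen) + "\n"


def locked_pairs(lines):
    """For each locked-* file entry find the un-renamed original next to it and
    say whether both entries carry the same size. Such a pair is what any
    recovery attempt would start from, so both files must be kept."""
    entries = {}
    for raw in lines:
        size, _, path = parse_entry(raw.strip())
        if path:
            entries[path.lower()] = size
    pairs = []
    for path, size in entries.items():
        folder, _, base = path.rpartition("\\")
        if LOCKED_RE.match(base):
            original = folder + "\\" + base[len("locked-"):].rpartition(".")[0]
            pairs.append((path, original, original in entries and entries[original] == size))
    return pairs


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for finding, hits in triage(lines).items():
        print(f"{finding}: {len(hits)} entries")
    print(build_fix_script(lines))
    for locked, original, same in locked_pairs(lines):
        print(f"{locked}\n  original: {original}  same size: {same}")
```

The flags are triage hints only: a searchplugin XML never carries a publisher, so "no-publisher" on its own is not evidence, and the helper still decides line by line which entries go into the fix. locked_pairs() reports, for each renamed file, whether an un-renamed copy of the same size sits beside it; that pair is the thing to preserve, never to fix away.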

26.04.2012, 14:04 #5
Toront

Hi Kira

I pasted the script, closed all programs and used the Run Fix button. Then a question came up, which I confirmed with OK, but no restart is requested. I have already tried it twice. Then I did a restart and it booted quite normally (normal mode), but I have no text document on the desktop. Sorry, but how should I proceed? I am trying to carry out your instructions as well as I can.


26.04.2012, 14:06 #6
kira
/// Helper Team

A copy of an OTL fix log is saved as a text file in the following folder:

:\_OTL\Moved Files
In most cases this will be C:\_OTL\Moved Files

26.04.2012, 14:21 #7
Toront

Step 3

Code:

========== OTL ==========
Service\Driver key SBSDWSCService not found.
File C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe not found.
Service\Driver key WinDefend not found.
File C:\Program Files\Windows Defender\MpSvc.dll not found.
HKLM\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKU\Wilko_ON_C\Software\Microsoft\Internet Explorer\Main\\StartPageCache| /E : value set successfully!
HKU\Wilko_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\ not found.
File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\ not found.
File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) not found.
File C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml not found.
File C:\Program Files\mozilla firefox\searchplugins\babylon.xml not found.
File C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{326E768D-4182-46FD-9C16-1449A49795F4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326E768D-4182-46FD-9C16-1449A49795F4}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ not found.
Registry value HKEY_USERS\Wilko_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ not found.
File C:\Windows\tasks\GoogleUpdateTaskMachineCore.job not found.
File C:\Windows\tasks\GoogleUpdateTaskMachineUA.job not found.
========== FILES ==========
File\Folder C:\ProgramData\BullGuard not found.
File\Folder C:\Users\Wilko\AppData\Roaming\Panda Security not found.
File\Folder C:\ProgramData\Panda Security not found.
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The system cannot find the file specified.
 
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to open registry key for tcpip.
C:\cmd.bat deleted successfully.
C:\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
Empty user temp failed. Cannot find local settings folders.
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1394363 bytes
 
Total Files Cleaned = 1.00 mb
 
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 04262012_184944
         

I hope this is the right one

Thanks for your effort

Step 4/OTL

Code:
OTL logfile created on: 26.04.2012 19:28:01 - Run 1
OTL by OldTimer - Version 3.2.42.1     Folder = C:\Users\Wilko\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 1,91 Gb Available Physical Memory | 63,67% Memory free
6,22 Gb Paging File | 5,10 Gb Available in Paging File | 82,10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 911,48 Gb Total Space | 673,17 Gb Free Space | 73,85% Space Free | Partition Type: NTFS
Drive D: | 20,01 Gb Total Space | 10,77 Gb Free Space | 53,81% Space Free | Partition Type: FAT32
 
Computer Name: WILKO-PC | User Name: Wilko | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.04.26 19:25:43 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Wilko\Desktop\OTL.exe
PRC - [2012.04.26 12:58:59 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2012.03.07 19:05:44 | 000,918,880 | ---- | M] () -- C:\Programme\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
PRC - [2012.03.07 19:05:43 | 000,982,880 | ---- | M] () -- C:\Programme\AVG Secure Search\vprot.exe
PRC - [2012.02.02 13:58:06 | 001,196,168 | ---- | M] (SPAMfighter) -- C:\Programme\Fighters\SPYWAREfighter\swproTray.exe
PRC - [2012.02.02 13:26:38 | 000,666,200 | ---- | M] (Preventon Technologies Limited) -- C:\Programme\Common Files\Common Toolkit Suite\AVEngine\AVScanningService.exe
PRC - [2012.02.02 13:26:38 | 000,204,760 | ---- | M] (Preventon Technologies Limited) -- C:\Programme\Common Files\Common Toolkit Suite\AVEngine\AVWatchService.exe
PRC - [2012.01.23 13:40:12 | 001,324,680 | ---- | M] (SPAMfighter ApS) -- C:\Programme\Fighters\FighterSuiteService.exe
PRC - [2012.01.18 17:36:46 | 001,452,680 | ---- | M] (SPAMfighter ApS) -- C:\Programme\Fighters\Tray\FightersTray.exe
PRC - [2011.06.28 23:03:07 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2011.05.21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011.05.21 06:01:00 | 000,839,272 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2011.05.21 06:01:00 | 000,373,864 | ---- | M] (NVIDIA Corporation) -- C:\Programme\NVIDIA Corporation\Display\nvtray.exe
PRC - [2011.03.28 16:15:17 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011.03.28 16:15:04 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2011.03.28 16:14:56 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009.11.26 14:28:22 | 000,604,488 | ---- | M] (TuneUp Software) -- C:\Windows\System32\TUProgSt.exe
PRC - [2009.04.10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.03.05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2007.10.09 00:19:22 | 000,358,936 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007.10.09 00:19:20 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.04.26 12:58:59 | 001,014,744 | ---- | M] () -- C:\Programme\Mozilla Firefox\js3250.dll
MOD - [2012.03.07 19:05:43 | 000,982,880 | ---- | M] () -- C:\Programme\AVG Secure Search\vprot.exe
MOD - [2011.06.16 09:57:49 | 006,271,136 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2008.09.16 20:18:06 | 000,132,608 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2012.03.07 19:05:44 | 000,918,880 | ---- | M] () [Auto | Running] -- C:\Programme\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe -- (vToolbarUpdater10.2.0)
SRV - [2012.02.02 13:26:38 | 000,666,200 | ---- | M] () [Auto | Running] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVScanningService.exe -- (AV Engine Scanning Service)
SRV - [2012.02.02 13:26:38 | 000,204,760 | ---- | M] () [Auto | Running] -- C:/Program Files/Common Files/Common Toolkit Suite/AVEngine/AVWatchService.exe -- (AV Watch Service)
SRV - [2012.01.23 13:40:12 | 001,324,680 | ---- | M] (SPAMfighter ApS) [Auto | Running] -- C:\Programme\Fighters\FighterSuiteService.exe -- (Suite Service)
SRV - [2011.07.20 06:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2011.06.28 23:03:07 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.05.21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Programme\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011.03.28 16:15:04 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011.01.07 02:00:40 | 000,361,288 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2009.11.26 14:28:22 | 000,604,488 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2007.10.09 00:19:22 | 000,358,936 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Auto | Stopped] --  -- (adfs)
DRV - [2012.03.14 23:28:06 | 000,278,728 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2012.03.14 23:28:06 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2012.02.09 22:43:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2012.02.02 13:26:40 | 000,010,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avfsfilter.sys -- (AVFSFilter)
DRV - [2011.06.28 23:03:07 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011.06.28 23:03:07 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010.06.17 15:27:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.02.13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2007.09.21 10:38:22 | 000,554,496 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2007.04.13 13:22:56 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = 
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=110819&babsrc=SP_ss&mntrId=a2f009d3000000000000002421791008
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = 
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = hxxp://isearch.avg.com/search?cid={F2E3B8DF-87A0-4600-A9DD-4A4533047630}&mid=19cc6e041dff47d19306d16d679df9fb-e8408699c5a580a42d9153b1ea19a2065cc8677d&lang=de&ds=tt014&pr=sa&d=2011-12-21 16:02:27&v=10.0.0.7&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\Plasmoo: "URL" = hxxp://plasmoo.com/index.htm?SearchMashine=true&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaultthis.engineName: "Plasmoo"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "hxxp://search.babylon.com/?babsrc=HP_Prot"
FF - prefs.js..extensions.enabledItems: engine@plasmoo.com:1.0.0.32
FF - prefs.js..extensions.enabledItems: crossriderapp2258@crossrider.com:0.80.26
FF - prefs.js..extensions.enabledItems: ffxtlbr@babylon.com:1.2.0
FF - prefs.js..extensions.enabledItems: {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}:2.0
FF - prefs.js..keyword.URL: "hxxp://search.babylon.com/?affID=110819&babsrc=KW_ss&mntrId=a2f009d3000000000000002421791008&q="
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX OVS Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\10.2.0.3\ [2012.04.25 14:06:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.04.26 12:59:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.28\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.04.26 12:59:06 | 000,000,000 | ---D | M]
 
[2010.03.18 14:12:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Extensions
[2012.04.26 19:18:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions
[2012.04.25 14:16:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012.04.25 14:06:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2012.04.25 14:06:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2012.04.25 14:06:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2012.04.26 09:02:01 | 000,000,000 | ---D | M] (DealPly) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}
[2012.04.26 09:01:52 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com
[2011.06.24 20:23:21 | 000,000,000 | ---D | M] (Plasmoo Search Engine) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com
[2012.04.26 09:00:58 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com
[2012.04.25 12:29:38 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\locked-plasmoo.xml.mmww
[2011.04.28 19:42:58 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\plasmoo.xml
[2010.03.18 14:12:03 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.04.26 12:59:02 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.04.26 12:59:02 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.04.26 12:59:02 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.04.26 12:59:02 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
 
O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found.
O2 - BHO: (Windows Live Anmelde-Hilfsprogramm) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programme\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O2 - BHO: (DealPly) - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Programme\DealPly\DealPlyIE.dll (DealPly Technologies Ltd)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programme\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CommonToolkitTray] C:\Programme\Fighters\Tray\FightersTray.exe (SPAMfighter ApS)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [Skytel] C:\Programme\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SWPROguard] C:\Programme\Fighters\SPYWAREfighter\swproTray.exe (SPAMfighter)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Wilko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\Wilko\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: fritz.box ([]* in Local intranet)
O15 - HKCU\..Trusted Ranges: Range1 ([*] in Local intranet)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4E86B437-C739-441A-8278-65540A0B6C17}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Programme\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll ()
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: 
O24 - Desktop BackupWallPaper: 
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.04.26 23:30:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2012.04.26 23:30:44 | 000,000,000 | ---D | C] -- \_OTL
[2012.04.26 19:25:41 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Wilko\Desktop\OTL.exe
[2012.04.26 09:14:28 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Malwarebytes
[2012.04.26 09:14:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.04.26 09:14:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.04.26 09:14:14 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.04.26 09:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.04.26 09:01:52 | 000,000,000 | ---D | C] -- C:\Program Files\DealPly
[2012.04.26 09:01:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Creator
[2012.04.26 09:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS
[2012.04.26 09:00:59 | 000,000,000 | ---D | C] -- C:\Program1
[2012.04.26 09:00:59 | 000,000,000 | ---D | C] -- \Program1
[2012.04.26 09:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator
[2012.04.26 09:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Babylon
[2012.04.26 09:00:40 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Local\Babylon
[2012.04.26 09:00:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2012.04.25 15:12:39 | 000,000,000 | ---D | C] -- C:\ProgramData\clp
[2012.04.25 15:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Fighters
[2012.04.25 15:12:30 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Fighters
[2012.04.25 15:12:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Common Toolkit Suite
[2012.04.25 15:12:02 | 000,000,000 | ---D | C] -- C:\Program Files\Fighters
[2012.04.25 15:11:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Common Toolkit Suite
[2012.04.25 15:10:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Fighters
[2012.04.25 14:20:30 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012.04.25 12:24:45 | 000,000,000 | ---D | C] -- C:\Users\Wilko\AppData\Roaming\Realtec
[2012.04.12 00:19:08 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012.04.12 00:19:07 | 001,799,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012.04.12 00:19:06 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012.04.12 00:19:05 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012.04.12 00:19:05 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012.04.12 00:19:05 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012.04.12 00:17:37 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012.04.12 00:17:37 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
 
========== Files - Modified Within 30 Days ==========
 
[2012.04.26 19:25:43 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Wilko\Desktop\OTL.exe
[2012.04.26 19:20:11 | 000,628,504 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.04.26 19:20:11 | 000,595,798 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.04.26 19:20:11 | 000,126,248 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.04.26 19:20:11 | 000,103,872 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.04.26 19:15:43 | 000,000,522 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job
[2012.04.26 19:15:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.04.26 19:15:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.04.26 19:15:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.04.26 17:35:38 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012.04.26 09:14:17 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.04.26 09:10:17 | 000,000,711 | ---- | M] () -- C:\user.js
[2012.04.25 15:12:30 | 000,001,931 | ---- | M] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk
[2012.04.25 14:20:32 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012.04.25 14:18:00 | 003,077,764 | ---- | M] () -- C:\Users\Wilko\Desktop\MD001764.JPG
[2012.04.25 12:29:49 | 021,073,936 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.11-win32.exe.pppw
[2012.04.25 12:29:49 | 020,533,281 | ---- | M] () -- C:\Users\Wilko\Documents\locked-vlc-1.1.9-win32.exe.nnnb
[2012.04.25 12:29:49 | 000,000,348 | ---- | M] () -- C:\Users\Wilko\Documents\locked-test.fdb.aaee
[2012.04.25 12:29:48 | 899,012,795 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.7z.nnni
[2012.04.25 12:29:48 | 001,228,240 | ---- | M] () -- C:\Users\Wilko\Documents\locked-ADBEPHSPCS4_LS4.exe.jjnn
[2012.04.25 12:29:38 | 000,975,140 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa
[2012.04.25 12:28:28 | 000,005,199 | ---- | M] () -- C:\Users\Wilko\locked-.recently-used.xbel.kwpp
[2012.04.25 12:28:28 | 000,001,024 | ---- | M] () -- C:\Users\Wilko\locked-.rnd.lllr
[2012.04.04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
 
========== Files Created - No Company Name ==========
 
[2012.04.26 09:14:17 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.04.26 09:01:00 | 000,086,016 | ---- | C] () -- C:\Windows\System32\custmon32i.dll
[2012.04.26 09:00:59 | 000,000,711 | ---- | C] () -- C:\user.js
[2012.04.26 09:00:59 | 000,000,711 | ---- | C] () -- \user.js
[2012.04.25 21:16:40 | 003,077,764 | ---- | C] () -- C:\Users\Wilko\Desktop\MD001764.JPG
[2012.04.25 15:12:30 | 000,001,931 | ---- | C] () -- C:\Users\Wilko\Desktop\SPYWAREfighter.lnk
[2012.04.25 14:20:32 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012.03.14 23:28:06 | 000,278,728 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2012.03.14 23:28:06 | 000,025,416 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2012.02.02 13:26:40 | 000,010,264 | ---- | C] () -- C:\Windows\System32\drivers\avfsfilter.sys
[2011.06.24 21:01:43 | 000,000,000 | ---- | C] () -- C:\Windows\cdplayer.ini
[2011.01.23 17:59:59 | 000,975,140 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\locked-PandaIDProtectHelp_de.chm.eeaa
[2010.09.05 10:50:28 | 000,000,000 | ---- | C] () -- C:\Users\Wilko\AppData\Roaming\wklnhst.dat
 
========== LOP Check ==========
 
[2009.08.16 15:20:02 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Acreon
[2012.04.26 09:00:40 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Babylon
[2012.04.25 12:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\DVDVideoSoftIEHelpers
[2012.04.25 15:12:41 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Fighters
[2012.04.25 12:29:09 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\FRITZ!
[2010.09.19 17:16:30 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\gtk-2.0
[2010.12.28 00:09:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\Local
[2012.04.25 14:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\MobMapUpdater
[2012.04.25 14:06:16 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\RIFT
[2012.04.25 12:29:38 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\SurfSecret Privacy Suite
[2012.04.25 14:35:48 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TS3Client
[2011.11.18 13:24:14 | 000,000,000 | ---D | M] -- C:\Users\Wilko\AppData\Roaming\TuneUp Software
[2012.04.26 19:15:43 | 000,000,522 | ---- | M] () -- C:\Windows\Tasks\1-Klick-Wartung.job
[2012.04.26 17:35:38 | 000,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 

< End of report >

Work step 4/Extras

Code:
OTL Extras logfile created on: 26.04.2012 19:28:01 - Run 1
OTL by OldTimer - Version 3.2.42.1     Folder = C:\Users\Wilko\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 1,91 Gb Available Physical Memory | 63,67% Memory free
6,22 Gb Paging File | 5,10 Gb Available in Paging File | 82,10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 911,48 Gb Total Space | 673,17 Gb Free Space | 73,85% Space Free | Partition Type: NTFS
Drive D: | 20,01 Gb Total Space | 10,77 Gb Free Space | 53,81% Space Free | Partition Type: FAT32
 
Computer Name: WILKO-PC | User Name: Wilko | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [scan_with_SPYWAREfighter] -- C:\Program Files\Fighters\SPYWAREfighter\swproTray.exe /scan "%1" (SPAMfighter)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0576484B-CFDF-4578-938E-BA37897346F9}" = rport=445 | protocol=6 | dir=out | app=system | 
"{0FD94D0D-A4DF-4168-AE74-D22A00E48FA4}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{2681CE1A-C4D6-471B-B5B7-0894CAC6DB53}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 | 
"{26C1D7EA-940A-4124-9E6E-5CB7C909047F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{559BBAC4-D482-4A7A-B6D6-4C3B00B0F17A}" = rport=138 | protocol=17 | dir=out | app=system | 
"{65525969-717A-44D4-AE69-ADA9B6573838}" = lport=137 | protocol=17 | dir=in | app=system | 
"{90F842E7-65A8-420D-838F-6C99FCEB45FF}" = lport=139 | protocol=6 | dir=in | app=system | 
"{925EB8A1-F219-45F4-BBF2-26F589EB34B9}" = rport=137 | protocol=17 | dir=out | app=system | 
"{C2533CE6-01EE-4C29-B674-2259A26F5F5B}" = lport=138 | protocol=17 | dir=in | app=system | 
"{D1E2B418-1654-499F-AF12-C8A2FFCB0D5F}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader: 3724 | 
"{DE025F95-B9B6-4380-B434-D8590FF9CE20}" = lport=445 | protocol=6 | dir=in | app=system | 
"{F2FB3BB9-213F-4295-AE0F-75AB1A5C0AF4}" = rport=139 | protocol=6 | dir=out | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02AB6182-D21C-4BBF-9909-7E0E4B416CFB}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft public test\launcher.exe | 
"{294D2D70-8E03-43F0-BF94-1BEA03D83C14}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{2D7ED276-8504-4DFB-BE11-F58CBA20A4A0}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | 
"{39E6641B-70BA-41F4-B317-4DDE9D5341CE}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10192-to-3.2.0.10314-dede-downloader.exe | 
"{4CE0D565-E626-4D6F-BB0E-887FF92BEA05}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft public test\launcher.exe | 
"{5327DE85-2141-4473-8B13-DC851EA37CBC}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{59583D79-806A-4852-B716-E12C7C0B35B8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{5F2079AF-FC02-4D10-B544-33B3CEB7C030}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | 
"{6747681A-80FD-456C-86BB-252E671571CA}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-dede-downloader.exe | 
"{68320C18-5129-4CAF-B925-E20B2D3169FF}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-dede-downloader.exe | 
"{6C3FDFDF-9EF2-4693-B13A-7BE49248DFE7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{6FF565E2-1756-463F-B5EB-9C2CC85DA4B2}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | 
"{736F6E3D-F158-4451-B0A4-17BC2E176E8D}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | 
"{7C1F5820-76BE-4824-8D80-FCF846369930}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.2.10482-to-3.2.2.10505-dede-downloader.exe | 
"{8390C588-0905-4B22-BDA9-486A0B88CEE6}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{8AF6042F-44E6-4CF4-AA02-571EA07B79A9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{9067DCC7-1091-4812-9544-E07E05B880E9}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | 
"{92930DC7-B3A4-4052-861B-904A2444B657}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\fboxupd.exe | 
"{9399F18A-F449-4691-B8B5-02CD6814BD2F}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | 
"{946BC3A3-0A7C-45FA-8345-13900A4DBE6E}" = protocol=17 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | 
"{A38FE3B4-EAA4-4FDF-A1B1-A91AB7A940C9}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.3.0.10522-dede-ptr-downloader.exe | 
"{A45BC1A1-BC30-4DDB-9597-A7ED7C83E19C}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.2.0.10314-to-3.2.2.10482-dede-downloader.exe | 
"{B52F6506-9B41-4120-8860-40CEE06BA907}" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.patch.exe | 
"{B7285437-C0A4-4FE3-A4ED-23A4FAA7BEBB}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\igdctrl.exe | 
"{BD0D44AC-C225-44AC-A669-DB927626DDBF}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{C1F1BB38-1BD3-4DA0-A838-C27DF1E92AB1}" = protocol=6 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-0.3.0.10522-dede-ptr-downloader.exe | 
"{CC590FEC-8E46-4B5F-8B3F-46F6B419E138}" = protocol=17 | dir=in | app=c:\users\public\documents\blizzard entertainment\world of warcraft\wow-3.1.3.9947-to-3.2.0.10192-dede-downloader.exe | 
"{D6C8855E-A738-49F0-9E5A-355DDF448582}" = protocol=6 | dir=in | app=c:\program files\fritz!dsl\webwaigd.exe | 
"{E1E217FA-3A0E-4508-8897-8E5591D01053}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{E510A1C7-1EB3-4B1B-927B-24BFF6F1D89B}" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.patch.exe | 
"{FFC3EB0B-B88A-4AC0-8F85-E76D8F068EB6}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"TCP Query User{036B3229-B927-4A26-BF9A-ABD2D2A451E5}C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe | 
"TCP Query User{04F528B8-A11B-4A6E-AE0E-45516BD15A52}C:\users\public\games\world of warcraft\blizzard downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\blizzard downloader.exe | 
"TCP Query User{0BB4E001-2EB2-49B5-8B92-9D5DA1374436}C:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe | 
"TCP Query User{0C76E885-CDAE-443B-9889-411D4116086A}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe | 
"TCP Query User{21B2A59F-0872-46D7-84CE-997BEE7019DB}C:\users\public\games\world of warcraft\repair.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe | 
"TCP Query User{31241318-CDA1-4E48-A08D-B94FD1203220}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | 
"TCP Query User{47BE296B-AECB-4927-9262-5A248B15F6A9}C:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe | 
"TCP Query User{59D4DEAF-F870-422D-A35A-0F05340EE54D}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe | 
"TCP Query User{6BE3C736-280E-44F3-BB47-1B54934921E7}C:\users\public\games\world of warcraft\launcher.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | 
"TCP Query User{7CA71000-EEFC-4B6A-9C4A-ED8F4521DE7C}C:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe | 
"TCP Query User{7D330FEB-F041-4757-86AD-C8127BC0F0D8}C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe | 
"TCP Query User{7E6D6AD4-8853-4479-9A99-606C36F3815D}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | 
"TCP Query User{E6ACB204-84F8-466D-AB9E-92971061F8AB}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | 
"TCP Query User{F83FF41E-ABE2-40DE-AACD-458C3B02869F}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | 
"UDP Query User{0C8BCE82-801F-4872-8F4E-0CD039BA8FCC}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | 
"UDP Query User{34AB392B-DFB6-4973-BFBD-00BC3DBEF053}C:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.2.11403-to-3.3.3.11685-dede-downloader.exe | 
"UDP Query User{3F2DD4BB-371E-4107-ABE0-90D4EFFC330E}C:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\temp\wow-4.0.0.1807-to-4.0.0.1987-enus-tools-downloader.exe | 
"UDP Query User{4B87675B-29B4-4E8F-8C3B-A7AD897C31EE}C:\users\public\games\world of warcraft\repair.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\repair.exe | 
"UDP Query User{56697D47-352C-4989-A8BA-A8E67D12FB3A}C:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.2.2.10505-to-3.3.0.10958-dede-downloader.exe | 
"UDP Query User{5A6B024F-7BA7-4629-A927-0A8C1831590C}C:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.3.11723-to-3.3.5.12213-dede-downloader.exe | 
"UDP Query User{5B7444B1-6D08-4561-99FA-C6C3C8DDE5DE}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe | 
"UDP Query User{6DA3A4F2-EFDB-44B7-95D9-6821242FB8E1}C:\users\public\games\world of warcraft\launcher.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\launcher.exe | 
"UDP Query User{6E16473C-0D40-4466-9ABB-F41DFBDA1401}C:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.10958-to-3.3.0.11159-dede-downloader.exe | 
"UDP Query User{8CB7A0DA-6CC0-486C-897A-AF4C17BC963F}C:\users\public\games\world of warcraft\blizzard downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\blizzard downloader.exe | 
"UDP Query User{9766B614-0D24-4B0C-B1AA-D17AB31141F1}C:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.0.11159-to-3.3.2.11403-dede-downloader.exe | 
"UDP Query User{E50789E4-BB9A-47F0-8779-7839BE9AC599}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | 
"UDP Query User{EDA0633E-6733-49EC-AF9B-B5E7A22A5B3B}C:\users\public\games\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\backgrounddownloader.exe | 
"UDP Query User{F188E26F-F376-4D92-93EF-029298BB8989}C:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe" = protocol=17 | dir=in | app=c:\users\public\games\world of warcraft\wow-3.3.5.12340-x86-win-dede-bkgnd-downloader.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live-Uploadtool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 14
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5A166C0B-9557-4364-A057-F946D674E6AC}" = Windows Live Mail
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6B96DADA-1A27-4A04-8CB2-CC45168D05FA}" = Windows Live Fotogalerie
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0
"{81821BF8-DA20-4F8C-AA87-F70A274828D4}" = Windows Live Writer
"{835686C5-8650-49EB-8CA0-4528B4035495}" = Windows Live Call
"{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60}" = Windows Live Anmelde-Assistent
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C1E2925-14F8-45AA-B999-1E2A74BF5607}" = Windows Live Sync
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
"{90120000-0016-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
"{90120000-0018-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
"{90120000-001B-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_HOMESTUDENTR_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
"{90120000-001F-0410-0000-0000000FF1CE}_HOMESTUDENTR_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
"{90120000-006E-0407-0000-0000000FF1CE}_HOMESTUDENTR_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007
"{90120000-00A1-0407-0000-0000000FF1CE}_HOMESTUDENTR_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A4D182C-35C7-4791-8484-4304EBC9101A}" = Windows 7 Upgrade Advisor
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-A94000000001}" = Adobe Reader 9.4.5 - Deutsch
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B108EF72-A5F3-4C9E-AA47-3E8474D1B5A2}" = Fighters
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX-Systemsoftware 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"{BAC80EF3-E106-4AEA-8C57-F217F9BC7358}" = Microsoft SQL Server 2005 Compact Edition [DEU]
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DF5F687F-8018-4542-9F98-7084E9022917}" = Windows Live Essentials
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVG Secure Search" = AVG Security Toolbar
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"DealPly" = DealPly
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.61.0.1400
"Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.28)" = Mozilla Firefox (3.6.28)
"PDF Creator" = PDF Creator
"PROSetDX" = Intel(R) PRO Network Connections 12.1.12.0
"SPYWAREfighter" = SPYWAREfighter
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"VLC media player" = VLC media player 1.1.11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"World of Warcraft" = World of Warcraft
"World of Warcraft Public Test" = World of Warcraft Public Test
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 27.10.2011 10:08:56 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 28.10.2011 05:00:56 | Computer Name = Wilko-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 28.10.2011 05:01:09 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 28.10.2011 05:01:09 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 28.10.2011 11:16:47 | Computer Name = Wilko-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 28.10.2011 11:16:59 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 28.10.2011 11:16:59 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.10.2011 04:21:06 | Computer Name = Wilko-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 29.10.2011 04:21:26 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
Error - 29.10.2011 04:21:26 | Computer Name = Wilko-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description = 
 
[ System Events ]
Error - 26.04.2012 02:48:46 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 26.04.2012 02:48:56 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 26.04.2012 05:20:18 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 26.04.2012 05:20:27 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 26.04.2012 06:57:42 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 26.04.2012 06:57:51 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 26.04.2012 11:34:12 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 26.04.2012 11:34:12 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 26.04.2012 13:15:54 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7000
Description = 
 
Error - 26.04.2012 13:15:54 | Computer Name = Wilko-PC | Source = Service Control Manager | ID = 7026
Description = 
 
[ TuneUp Events ]
Error - 21.12.2011 11:00:06 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description = 
 
Error - 21.12.2011 15:24:38 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description = 
 
Error - 22.12.2011 04:54:20 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description = 
 
Error - 22.12.2011 11:29:35 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description = 
 
Error - 23.12.2011 04:14:21 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description = 
 
Error - 23.12.2011 12:10:55 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description = 
 
Error - 25.12.2011 06:31:00 | Computer Name = Wilko-PC | Source = TuneUp.UtilitiesSvc | ID = 300
Description = 
 
Error - 26.04.2012 03:14:31 | Computer Name = Wilko-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2012-04-26 09:14:31', '\device\harddiskvolume1\program
 files\malwarebytes' anti-malware\mbam.exe','2204',0)
 
Error - 26.04.2012 03:15:11 | Computer Name = Wilko-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2012-04-26 09:15:11', '\device\harddiskvolume1\program
 files\malwarebytes' anti-malware\mbam.exe','2380',0)
 
Error - 26.04.2012 04:14:37 | Computer Name = Wilko-PC | Source = TuneUp Program Statistics | ID = 131840
Description = SQL Error: near "anti": syntax error; when executing SQL: INSERT INTO
 ActiveApps (Started, Exe, ProcID, Resumed) VALUES ('2012-04-26 10:14:37', '\device\harddiskvolume1\program
 files\malwarebytes' anti-malware\mbam.exe','3608',0)
 
 
< End of report >
         

Many thanks


Step 5/my programs

Code:
ATTFilter
Activation Assistant for the 2007 Microsoft Office suites	Microsoft Corporation	24.07.2009	14,0MB	
Adobe AIR	Adobe Systems Inc.	02.10.2009		1.1.0.5790
Adobe Flash Player 10 ActiveX	Adobe Systems Incorporated	28.05.2011		10.3.181.14
Adobe Flash Player 10 Plugin	Adobe Systems Incorporated	15.06.2011	2,95MB	10.3.181.26
Adobe Reader 9.4.5 - Deutsch	Adobe Systems Incorporated	15.06.2011	167,4MB	9.4.5
Adobe Shockwave Player 11.5	Adobe Systems, Inc.	15.12.2010	8,95MB	11.5.9.615
AVG Security Toolbar	AVG Technologies	06.03.2012	10,00MB	10.2.0.3
Avira AntiVir Personal - Free Antivirus	Avira GmbH	13.02.2012	73,0MB	10.2.0.707
CCleaner	Piriform	24.04.2012	4,46MB	3.17
Compatibility Pack für 2007 Office System	Microsoft Corporation	19.03.2012	70,6MB	12.0.6612.1000
Curse Client	Curse	20.02.2012		4.0.1.180
DealPly	DealPly	25.04.2012	0,46MB	
Intel(R) Matrix Storage Manager		24.07.2009	3,77MB	
Intel(R) PRO Network Connections 12.1.12.0	Intel	23.06.2009	8,21MB	
Java(TM) 6 Update 14	Sun Microsystems, Inc.	23.06.2009	97,5MB	6.0.140
Malwarebytes Anti-Malware Version 1.61.0.1400	Malwarebytes Corporation	25.04.2012	11,7MB	1.61.0.1400
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU	Microsoft Corporation	23.06.2009	37,6MB	
Microsoft .NET Framework 3.5 SP1	Microsoft Corporation	23.06.2009	37,6MB	
Microsoft .NET Framework 4 Client Profile	Microsoft Corporation	25.06.2010	120,3MB	4.0.30319
Microsoft Office File Validation Add-In	Microsoft Corporation	15.09.2011	7,95MB	14.0.5130.5003
Microsoft Office Home and Student 2007	Microsoft Corporation	20.03.2012	320MB	12.0.6612.1000
Microsoft Office Live Add-in 1.3	Microsoft Corporation	23.06.2009	0,48MB	2.0.2313.0
Microsoft Office PowerPoint Viewer 2007 (German)	Microsoft Corporation	19.03.2012	62,2MB	12.0.6612.1000
Microsoft Silverlight	Microsoft Corporation	14.02.2012	25,9MB	4.1.10111.0
Microsoft SQL Server 2005 Compact Edition [DEU]	Microsoft Corporation	23.06.2009	0,32MB	3.1.0000
Microsoft SQL Server 2005 Compact Edition [ENU]	Microsoft Corporation	23.06.2009	1,74MB	3.1.0000
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053	Microsoft Corporation	05.09.2010	0,25MB	8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable	Microsoft Corporation	16.06.2011	0,29MB	8.0.61001
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148	Microsoft Corporation	05.09.2010	0,19MB	9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570	Microsoft Corporation	11.04.2011	0,58MB	9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022	Microsoft Corporation	30.06.2011	1,41MB	9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17	Microsoft Corporation	24.07.2009	0,58MB	9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161	Microsoft Corporation	16.06.2011	0,58MB	9.0.30729.6161
Microsoft Works	Microsoft Corporation	11.04.2012	711MB	9.7.0621
Mozilla Firefox (3.6.28)	Mozilla	25.04.2012	28,3MB	3.6.28 (de)
MSXML 4.0 SP2 (KB936181)	Microsoft Corporation	23.06.2009	1,28MB	4.20.9848.0
MSXML 4.0 SP2 (KB941833)	Microsoft Corporation	23.06.2009	1,28MB	4.20.9849.0
MSXML 4.0 SP2 (KB954430)	Microsoft Corporation	23.06.2009	1,29MB	4.20.9870.0
MSXML 4.0 SP2 (KB973688)	Microsoft Corporation	25.11.2009	1,35MB	4.20.9876.0
NVIDIA Grafiktreiber 275.33	NVIDIA Corporation	18.07.2011	89,7MB	275.33
NVIDIA PhysX-Systemsoftware 9.10.0514	NVIDIA Corporation	06.01.2011	73,3MB	9.10.0514
NVIDIA Update 1.3.5	NVIDIA Corporation	18.07.2011	6,37MB	1.3.5
PDF Creator		25.04.2012		
Realtek High Definition Audio Driver	Realtek Semiconductor Corp.	23.06.2009	9,79MB	6.0.1.5783
Spelling Dictionaries Support For Adobe Reader 9	Adobe Systems Incorporated	20.01.2011	29,7MB	9.0.0
Spybot - Search & Destroy	Safer Networking Limited	16.01.2010	59,9MB	1.6.2
SPYWAREfighter	SPAMFIGHTER ApS	24.04.2012	17,3MB	4.1.133
TeamSpeak 3 Client	TeamSpeak Systems GmbH	26.01.2010	27,9MB	
TuneUp Utilities 2009	TuneUp Software	25.11.2009	47,0MB	8.0.3310.3
VLC media player 1.1.11	VideoLAN	23.08.2011	78,1MB	1.1.11
Windows 7 Upgrade Advisor	Microsoft Corporation	02.01.2010	8,77MB	2.0.5000.0
Windows Live Anmelde-Assistent	Microsoft Corporation	23.06.2009	1,93MB	5.000.818.6
Windows Live Essentials	Microsoft Corporation	23.06.2009	136,5MB	14.0.8050.1202
Windows Live Sync	Microsoft Corporation	23.06.2009	2,80MB	14.0.8050.1202
Windows Live-Uploadtool	Microsoft Corporation	23.06.2009	0,22MB	14.0.8014.1029
WinRAR		24.07.2009	3,73MB	
World of Warcraft	Blizzard Entertainment	28.02.2012	29.377MB	4.3.3.15354
World of Warcraft Public Test	Blizzard Entertainment	16.01.2011	12.762MB	0.0.0.0
         

Last edited by Toront (26.04.2012 at 14:46)
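The three "TuneUp Program Statistics" errors in the event log above all fail at the same spot: the path contains an apostrophe (malwarebytes' anti-malware), the INSERT was built by gluing the path into the SQL text, and the quote ended the string literal early, so the parser choked on the word that followed (near "anti"). Added example, not from the thread and not TuneUp's or Malwarebytes' code: Python with the standard sqlite3 module (the logged error text has SQLite's format; that TuneUp used SQLite is an assumption), using the logged row values as constructed input and the ActiveApps column names taken from the logged statement, with the concatenated query next to the parameterised one.

```python
import sqlite3

# Constructed sample values copied from the fields in the logged statement.
# The apostrophe in "malwarebytes' anti-malware" is what broke the INSERT.
SAMPLE_ROW = (
    "2012-04-26 09:14:31",
    r"\device\harddiskvolume1\program files\malwarebytes' anti-malware\mbam.exe",
    "2204",
    0,
)


def open_db():
    """In-memory SQLite database with the table named in the log entry
    (column types are an assumption; the log only shows the names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ActiveApps (Started TEXT, Exe TEXT, ProcID TEXT, Resumed INTEGER)"
    )
    return conn


def build_query_unsafe(started, exe, procid, resumed):
    """String-concatenated INSERT, the pattern that produced the logged error.
    Any apostrophe inside a value terminates the quoted literal early, so
    file names become part of the SQL grammar instead of data."""
    return (
        "INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES "
        f"('{started}', '{exe}','{procid}',{resumed})"
    )


def insert_unsafe(conn, row):
    """Run the concatenated statement; return SQLite's error text, or None
    if the insert went through."""
    try:
        conn.execute(build_query_unsafe(*row))
        conn.commit()
        return None
    except sqlite3.OperationalError as err:
        return str(err)


def insert_safe(conn, row):
    """Parameterised INSERT: values travel out-of-band to the driver, so
    quotes (or anything else) inside a path never reach the SQL parser."""
    conn.execute(
        "INSERT INTO ActiveApps (Started, Exe, ProcID, Resumed) VALUES (?, ?, ?, ?)",
        row,
    )
    conn.commit()


def stored_paths(conn):
    """All Exe values currently in the table, for checking what was stored."""
    return [r[0] for r in conn.execute("SELECT Exe FROM ActiveApps")]


if __name__ == "__main__":
    db = open_db()
    print("unsafe:", insert_unsafe(db, SAMPLE_ROW))  # near "anti": syntax error
    insert_safe(db, SAMPLE_ROW)
    print("stored:", stored_paths(db))
```

The same defect is the classic SQL injection shape: here the "attacker" is only an installer choosing a vendor name with an apostrophe, but a file name chosen on purpose would reach the parser the same way.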

Old 26.04.2012, 16:46   #8
kira
/// Helper Team
 
Windows Encryption Trojan - Default

Windows Encryption Trojan



System cleanup and check:

1.
I suspect you did not install this deliberately? In any case it is absolutely unnecessary; in your place I would uninstall it:
Quote:
AVG Security Toolbar
2.
Quote:
Spybot
- I would no longer recommend it, as it does not meet the new requirements for protection against malware and does not work satisfactorily against completely new challenges;
in my opinion it no longer offers sufficient protection against "modern types of malware"...
► If you still want to keep it:
Please turn off the TeaTimer:
In Spybot-S&D go to Advanced Mode and choose Tools -> Resident.
Deactivate "Resident TeaTimer active" there.
(TeaTimer also tries to block positive changes) - it should stay disabled permanently!

3.
Quote:
Attention, important!:
If you made changes to the logfile yourself, you must put back the original names and insert them into the script that way, otherwise it will not work!
(user folder, your name or other changes replaced by X, an asterisk or other names)
Fix with OTL
  • Start OTL.exe.
  • Vista and Windows 7 users: right-click OTL.exe and choose "Run as administrator".
  • Copy the following script, i.e. everything after "Code", everything in the code box:
Code:
ATTFilter
:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110819&babsrc=SP_ss&mntrId=a2f009d3000000000000002421791008
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = 
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MEDC
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={F2E3B8DF-87A0-4600-A9DD-4A4533047630}&mid=19cc6e041dff47d19306d16d679df9fb-e8408699c5a580a42d9153b1ea19a2065cc8677d&lang=de&ds=tt014&pr=sa&d=2011-12-21 16:02:27&v=10.0.0.7&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\Plasmoo: "URL" = hxxp://plasmoo.com/index.htm?SearchMashine=true&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaultthis.engineName: "Plasmoo"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "hxxp://search.babylon.com/?babsrc=HP_Prot"
FF - prefs.js..extensions.enabledItems: engine@plasmoo.com:1.0.0.32
prefs.js..extensions.enabledItems: ffxtlbr@babylon.com:1.2.0
prefs.js..extensions.enabledItems: {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}:2.0
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=110819&babsrc=KW_ss&mntrId=a2f009d3000000000000002421791008&q="
[2012.04.26 09:01:52 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com
[2011.06.24 20:23:21 | 000,000,000 | ---D | M] (Plasmoo Search Engine) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com
[2012.04.26 09:00:58 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com
[2012.04.25 12:29:38 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\locked-plasmoo.xml.mmww
[2011.04.28 19:42:58 | 000,001,975 | ---- | M] () -- C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\plasmoo.xml
O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found.
O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found.

:Files
C:\Users\Wilko\AppData\Roaming\Babylon
C:\Users\Wilko\AppData\Local\Babylon
C:\ProgramData\Babylon

ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
         
  • and paste it here:
  • Close all programs.
  • Click the Fix button.
  • Click on .
  • OTL will ask for a restart. Please allow it.
  • After the restart you will find a text document.
    Copy its contents into your thread here.

4.
Update: uninstall the old version and download the new one:-> http://filepony.de/download-firefox/
Code:
ATTFilter
Mozilla Firefox
         
but attention!:
..if necessary, save the (custom) settings that are important to you first:-> Create a Mozilla Firefox backup

5.
Your Java version is not up to date!
Because Java is very vulnerable due to old security holes, first uninstall all existing Java versions:
→ Control Panel → Programs → uninstall...
→ Restart the computer
→ Now download the offline version of Java "Recommended Version 6 Update 31" from Oracle
Make sure to deselect any toolbars that are offered (remove the check mark next to the toolbar)!

6.
Update Adobe Reader:
- Pay attention/read along during the installation!: if any software, toolbar etc. is offered, please deselect it! - (e.g. "McAfee Security Scan Plus")
Adobe Reader
Or: start Adobe-> go to "Help"-> "Check for updates..."

7.
Tips (regardless of whether you use it or not!):
-> Tips for Internet Explorer
-> Change the Explorer's default search engine
-> How do I clear the cache in Internet Explorer?
-> Managing add-ons in Internet Explorer
-> Customize Firefox with add-ons
-> Delete Firefox add-ons permanently | PcBeirat.de

8.
Clean your system with CCleaner:
  • "CCleaner"→ "Analyze"→ click the "Start CCleaner" button
  • "Registry"→ "Scan for errors"→ "Fix errors"→ "Fix all"
  • Restart your system

9.
runs under XP, Vista (32-bit) and Windows 7 (32-bit)
Attention!:
IF GMER CANNOT BE RUN OR CAUSES PROBLEMS, continue with the next step!- It is NOT sensible to start a second attempt!
To get a deeper look into your system and to track down a possible infection with a rootkit (info on wikipedia.org), we will use a tool - Gmer:
  • - so download Gmer and unpack it to your desktop
    - start gmer.exe
    - close all programs (in addition, antivirus and other protection programs etc. must be deactivated, no connection to the Internet, also disconnect WLAN)
    - please do nothing on the PC while the scan is running!
    - click "Scan" to start the tool
    - when the scan is finished click "Copy" (the log is copied to the clipboard automatically) and you must paste it straight away with CTRL + V
    - "Ok" closes GMER.
    - paste the log from the clipboard completely into your thread here

** no connection to a network or the Internet - don't forget WLAN
When the scan is finished, please reactivate all programs and tools!
Instructions:-> GMER - Rootkit Scanner

10.
Check with MBR -t whether the Master Boot Record is OK (MBR rootkit)

With the following tool we check whether something malicious has lodged itself in the Master Boot Record.
  • Download MBR.exe from Gmer and
    copy the file mbr.exe into the folder C:\Windows\system32.
    If you cannot see the folder, make these settings in the folder options.
  • Start => Run => cmd (type it in) => OK
    a command prompt opens.

    Vista and Windows 7 users: Start => All Programs => Accessories => right-click Command Prompt and choose Run as administrator.
  • After the prompt (>_) enter the following

    from the code box manually, or alternatively copy it to the clipboard with CTRL + C and paste it.
    Pasting into the command prompt: right-click the title bar => Edit => Paste.

    Code:
    ATTFilter
    mbr.exe -t > C:\mbr.log & C:\mbr.log
             
    (press Enter)
  • After a short time your editor will open and show the file C:\mbr.log.
    Please copy its contents into your thread here.
__________________

Warning!:
Beware of invoices by e-mail with a ZIP file as attachment! It may be infected with an encryption trojan!
Do not open the attachment, ask in our forum first!

Back up your data regularly to CD/DVD, USB sticks or external hard drives, ideally twice in different places!
Please pass this warning on wherever you can!

Old 26.04.2012, 17:31   #9
Toront
 
Windows Encryption Trojan - Default

Windows Encryption Trojan



Hello Kira

Step 1 uninstalled

Step 2 uninstalled

Step 3
Code:
ATTFilter
All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{searchTerms}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{searchTerms}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename
Prefs.js: "Plasmoo" removed from browser.search.defaultthis.engineName
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
Prefs.js: "Search the web (Babylon)" removed from browser.search.selectedEngine
Prefs.js: "hxxp://search.babylon.com/?babsrc=HP_Prot" removed from browser.startup.homepage
Prefs.js: engine@plasmoo.com:1.0.0.32 removed from extensions.enabledItems
Prefs.js: "hxxp://search.babylon.com/?affID=110819&babsrc=KW_ss&mntrId=a2f009d3000000000000002421791008&q=" removed from keyword.URL
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\skin folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\locale\en-US folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\locale folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\defaults\preferences folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\defaults folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\chrome\content\lib folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\chrome\content folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com\chrome folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\crossriderapp2258@crossrider.com folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\skin folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\searchplugin folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\chrome\content folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com\chrome folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\engine@plasmoo.com folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\defaults\preferences folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\defaults folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\content\imgs\flgs folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\content\imgs folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\content folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com\components folder moved successfully.
C:\Users\Wilko\AppData\Roaming\mozilla\Firefox\Profiles\daafiv2v.default\extensions\ffxtlbr@babylon.com folder moved successfully.
C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\locked-plasmoo.xml.mmww moved successfully.
C:\Users\Wilko\AppData\Roaming\Mozilla\Firefox\Profiles\daafiv2v.default\searchplugins\plasmoo.xml moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{326E768D-4182-46FD-9C16-1449A49795F4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{326E768D-4182-46FD-9C16-1449A49795F4}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{593DDEC6-7468-4cdd-90E1-42DADAA222E9}\ not found.
========== FILES ==========
C:\Users\Wilko\AppData\Roaming\Babylon folder moved successfully.
C:\Users\Wilko\AppData\Local\Babylon\Setup\HtmlScreens folder moved successfully.
C:\Users\Wilko\AppData\Local\Babylon\Setup folder moved successfully.
C:\Users\Wilko\AppData\Local\Babylon folder moved successfully.
C:\ProgramData\Babylon folder moved successfully.
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache wurde geleert.
C:\Users\Wilko\Desktop\cmd.bat deleted successfully.
C:\Users\Wilko\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 83 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 83 bytes
 
User: Wilko
->Temp folder emptied: 21803909 bytes
->Temporary Internet Files folder emptied: 61385263 bytes
->Java cache emptied: 8711320 bytes
->FireFox cache emptied: 58428103 bytes
->Flash cache emptied: 2328 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2808998 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 146,00 mb
 
 
OTL by OldTimer - Version 3.2.42.1 log created on 04262012_222553

Files\Folders moved on Reboot...
C:\Windows\temp\h1p6f1zp.vbt moved successfully.

Registry entries deleted on Reboot...
         
I'll work through the rest in a moment :-)

Step 9

Code:
ATTFilter
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-04-27 00:21:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.ST6O
Running: tfptc0hf.exe; Driver: C:\Users\Wilko\AppData\Local\Temp\uwloqpoc.sys


---- System - GMER 1.0.15 ----

SSDT   8B62EAFE                                                                                         ZwCreateSection
SSDT   8B62EB03                                                                                         ZwSetContextThread
SSDT   8B62EA9F                                                                                         ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 215                                                                    81EB4998 4 Bytes  JMP FD2F8B62 
.text  ntkrnlpa.exe!KeSetEvent + 56D                                                                    81EB4CF0 4 Bytes  [03, EB, 62, 8B]
.text  ntkrnlpa.exe!KeSetEvent + 621                                                                    81EB4DA4 4 Bytes  [9F, EA, 62, 8B]
.text  C:\Windows\system32\DRIVERS\atksgt.sys                                                           section is writeable [0x9E683300, 0x3ACC8, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\lirsgt.sys                                                           section is writeable [0x9E6C6300, 0x1B7E, 0xE8000020]

---- Registry - GMER 1.0.15 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a9413a527                      
Reg    HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a9413a527 (not active ControlSet)  

---- EOF - GMER 1.0.15 ----
         
Step 4 new version installed
Step 5 new version installed
Step 6 likewise uninstalled and the new one installed
Step 7 looked at the tips and used some of them
Step 8 had CCleaner fix all errors

Step 10 is in progress right now

Hm Kira, step 10 doesn't look good: as soon as I try to download mbr.exe my Spywarefighter kicks in and reports a found infection - Trojan.Kryptik!zdyqs+PkYQ4
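The OTL entries in this thread show the renaming scheme of the trojan: a "locked-" prefix, the original file name, then a dot and a random four-letter suffix (locked-plasmoo.xml.mmww sitting next to the original plasmoo.xml, both 1,975 bytes). Added example, not from the thread or any tool mentioned in it: a read-only Python triage script that walks a folder, recovers the original name from each renamed file, notes whether an untouched twin still exists beside it, and counts affected files per extension, so the damage can be inventoried before anything is restored from backup. The sample directory and its file names (apart from plasmoo.xml) are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Naming scheme seen in the OTL log: "locked-" + original name + "." + four
# random lowercase letters (locked-plasmoo.xml.mmww). Greedy (.+) keeps the
# original extension inside the "orig" group.
LOCKED_RE = re.compile(r"^locked-(?P<orig>.+)\.(?P<suffix>[a-z]{4})$")


def parse_locked_name(name):
    """Return (original_name, suffix) for a renamed file, else None.
    Caveat: a legitimate file whose name starts with "locked-" and whose
    extension happens to be four lowercase letters also matches, so review
    the inventory by hand before acting on it."""
    m = LOCKED_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("suffix")


def inventory(root):
    """Read-only walk below root. Returns (hits, counts_by_extension).
    Nothing is opened, renamed or deleted: the originals are evidence and
    the only safe recovery path is a backup taken before the infection."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            parsed = parse_locked_name(name)
            if parsed is None:
                continue
            orig, suffix = parsed
            hits.append({
                "path": os.path.join(dirpath, name),
                "original": orig,
                "suffix": suffix,
                # An unrenamed twin in the same folder means the original
                # copy may still be intact (as with plasmoo.xml in the log).
                "twin_present": orig in present,
            })
    by_ext = Counter(os.path.splitext(h["original"])[1].lower() for h in hits)
    return hits, by_ext


def build_sample_tree():
    """Constructed sample directory for a local run (hypothetical names;
    only plasmoo.xml / locked-plasmoo.xml.mmww come from the thread)."""
    root = tempfile.mkdtemp(prefix="locked-demo-")
    os.mkdir(os.path.join(root, "Bilder"))
    sample = [
        "locked-plasmoo.xml.mmww",
        "plasmoo.xml",
        os.path.join("Bilder", "locked-foto.jpg.qqzz"),
        "locked-brief.doc.ttrr",
        "notes.txt",
    ]
    for rel in sample:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"x")
    return root


if __name__ == "__main__":
    hits, by_ext = inventory(build_sample_tree())
    for h in hits:
        print(h["path"], "->", h["original"], "twin:", h["twin_present"])
    print(dict(by_ext))
```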

Reply

You are viewing: Windows Encryption Trojan on Trojaner-Board