|
Plagegeister aller Art und deren Bekämpfung: Trojaner BundespolizeiWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
24.07.2012, 21:04 | #1 |
| Trojaner Bundespolizei Guten Abend, ich sitze hier gerade am Rechner meines Vaters, der sich den Bundespolizei-Trojaner eingefangen hat. Der Rechner ist ein Netbook, also ohne CD-Laufwerk. Folgendes Verhalten trat laut seinen Aussagen auf: - es war die seite von ukash zu sehen, mit einer Zahlungsaufforderung - irgendwie hat er es geschafft über den task-manager die blockierung aufzuheben und den rechner zurückzusetzen - beim scanen mit avira antivir wurden auch 2 Trojaner gefunden, einer davon hieß irgendetwas mit glomo.exe Ich habe ihm gesagt, dass ich mir den Rechner vorsichtshalber nochmal (mit eurer Hilfe) angucken möchte. Leider hat mein Vater kein richtiges Gespür dafür, auf welchen Seiten Trojaner lauern, daher ist er viel auf freeware-games seiten unterwegs. Könnt ihr mir helfen, den Rechner nochmal zu checken? Die LOG-Files der scans habe ich angehangen. Leider hat der scan mit GMER nicht richtig funktioniert und der Rechner ist irgendwann immer abgestürzt und hat sich neu gestartet. Grüße, dke |
25.07.2012, 02:24 | #2 |
/// Helfer-Team | Trojaner BundespolizeiFixen mit OTL Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).
Code:
ATTFilter :OTL DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\btwrchid.sys -- (btwrchid) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\btwl2cap.sys -- (btwl2cap) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\btwavdt.sys -- (btwavdt) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\btwaudio.sys -- (btwaudio) IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=NP07&src=IE-SearchBox IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms} IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=ASUTDF&pc=NP07&src=IE-SearchBox IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012.07.09 19:13:44 | 000,000,000 | ---D | M] O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4 - HKLM..\Run: [Boingo Wi-Fi] C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk () O4 - HKLM..\Run: [EeeSplendidAgent] C:\Program Files\ASUS\EPC\EeeSplendid\AsAgent.exe File not found O4 - HKLM..\Run: [HotkeyService] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [LiveUpdate] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [SuperHybridEngine] C:\windows\System32\AsusSender.exe (ASUSTek Computer Inc.) O4 - HKLM..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 [2012.07.08 13:55:19 | 004,503,728 | ---- | M] () -- C:\ProgramData\go_0molg.pad [2030.01.02 12:20:36 | 000,383,786 | RHS- | C] () -- C:\bootmgr [2012.07.06 23:17:46 | 004,503,728 | ---- | C] () -- C:\ProgramData\go_0molg.pad [2012.05.01 15:24:44 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.05.01 15:24:36 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.05.01 15:24:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.05.01 15:24:36 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.05.01 15:24:36 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.05.01 15:24:36 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.05.01 15:24:36 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml [2012.07.14 19:14:30 | 000,000,884 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job [2012.07.14 19:06:41 | 000,001,092 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job [2012.07.14 19:06:24 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat [2012.07.14 18:43:13 | 000,001,096 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job [2012.07.08 13:55:19 | 004,503,728 | ---- | M] () -- C:\ProgramData\go_0molg.pad [2030.01.02 12:20:35 | 000,000,000 | -HSD | C] -- C:\Boot [2030.01.02 12:20:36 | 000,383,786 | RHS- | C] () -- C:\bootmgr [2012.07.06 23:17:46 | 004,503,728 | ---- | C] () -- C:\ProgramData\go_0molg.pad :Files C:\windows\System32\AsusSender.exe C:\windows\tasks\Adobe Flash Player Updater.job C:\windows\tasks\GoogleUpdateTaskMachineCore.job C:\windows\tasks\GoogleUpdateTaskMachineUA.job C:\ProgramData\go_0molg.pad C:\bootmgr ipconfig /flushdns /c :Commands [purity] [emptytemp] [emptyflash]
Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden. Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!
__________________ |
25.07.2012, 09:42 | #3 |
| Trojaner Bundespolizei guten morgen,
__________________hab ich soweit alles gemacht - allerdings kann er jetzt nicht megr booten, nachdem OTL den Neustart verlangt hat: BOOTMGR is missing Press CTRL+ALT+DEL to restart ???? grüße dke |
25.07.2012, 15:43 | #4 |
/// Helfer-Team | Trojaner Bundespolizei hi, boote von der Windows cd und fuehre Systemstartreparatur aus! |
25.07.2012, 16:03 | #5 |
| Trojaner Bundespolizei hallo, soweit war ich auch schon, aber es handelt sich ja um ein netbook (ohne cd-laufwerk). ich muss daher ein bootable usb-stick erstellen, was ich nach dieser anleitung getan habe: hxxp://mintywhite.com/windows-7/7maintenance/windows-wont-load-system-repair-disc-fix-pc/ Leider funktioniert dass nicht und er erkennt den stick nicht als bootfähig... dke |
25.07.2012, 16:09 | #6 |
/// Helfer-Team | Trojaner Bundespolizei Probiere es so: hxtp://www.chip.de/downloads/Windows-7-USB_DVD-Download-Tool_38589636.html http://www.trojaner-board.de/100776-...-download.html
__________________ --> Trojaner Bundespolizei |
07.08.2012, 11:53 | #7 |
| Trojaner Bundespolizei moin moin, sorry dass das so lange gedauert hat. ich hatte anfangsprobleme mit meinem usb-stick usw. letztendlich habe ich alles hinbekommen. hier das OTL-Log: Code:
ATTFilter All processes killed ========== OTL ========== Service btwrchid stopped successfully! Service btwrchid deleted successfully! File C:\windows\system32\drivers\btwrchid.sys not found. Service btwl2cap stopped successfully! Service btwl2cap deleted successfully! File system32\DRIVERS\btwl2cap.sys not found. Service btwavdt stopped successfully! Service btwavdt deleted successfully! File C:\windows\system32\drivers\btwavdt.sys not found. Service btwaudio stopped successfully! Service btwaudio deleted successfully! File system32\drivers\btwaudio.sys not found. HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully! HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C360-6118-11DC-9C72-001320C79847}\ not found. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C360-6118-11DC-9C72-001320C79847}\ not found. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\ deleted successfully. File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found. Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\ deleted successfully. File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found. File HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}\ deleted successfully. C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll moved successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EEE6C35B-6118-11DC-9C72-001320C79847} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}\ deleted successfully. File C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Boingo Wi-Fi deleted successfully. C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk moved successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\EeeSplendidAgent deleted successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HotkeyService deleted successfully. C:\Windows\System32\AsusSender.exe moved successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\LiveUpdate deleted successfully. File C:\windows\System32\AsusSender.exe not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SuperHybridEngine deleted successfully. File C:\windows\System32\AsusSender.exe not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SweetIM deleted successfully. C:\Program Files\SweetIM\Messenger\SweetIM.exe moved successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully! C:\ProgramData\go_0molg.pad moved successfully. C:\bootmgr moved successfully. File C:\ProgramData\go_0molg.pad not found. C:\Program Files\mozilla firefox\components\browsercomps.dll moved successfully. C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml moved successfully. C:\Program Files\mozilla firefox\searchplugins\bing.xml moved successfully. C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml moved successfully. C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml moved successfully. C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml moved successfully. C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml moved successfully. C:\Windows\Tasks\Adobe Flash Player Updater.job moved successfully. C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job moved successfully. C:\Windows\bootstat.dat moved successfully. C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job moved successfully. File C:\ProgramData\go_0molg.pad not found. Folder move failed. C:\Boot\zh-TW scheduled to be moved on reboot. Folder move failed. C:\Boot\zh-HK scheduled to be moved on reboot. Folder move failed. C:\Boot\zh-CN scheduled to be moved on reboot. Folder move failed. C:\Boot\tr-TR scheduled to be moved on reboot. Folder move failed. C:\Boot\sv-SE scheduled to be moved on reboot. Folder move failed. C:\Boot\ru-RU scheduled to be moved on reboot. Folder move failed. C:\Boot\pt-PT scheduled to be moved on reboot. Folder move failed. C:\Boot\pt-BR scheduled to be moved on reboot. Folder move failed. C:\Boot\pl-PL scheduled to be moved on reboot. Folder move failed. C:\Boot\nl-NL scheduled to be moved on reboot. Folder move failed. C:\Boot\nb-NO scheduled to be moved on reboot. Folder move failed. C:\Boot\ko-KR scheduled to be moved on reboot. Folder move failed. C:\Boot\ja-JP scheduled to be moved on reboot. Folder move failed. C:\Boot\it-IT scheduled to be moved on reboot. Folder move failed. C:\Boot\hu-HU scheduled to be moved on reboot. Folder move failed. C:\Boot\fr-FR scheduled to be moved on reboot. Folder move failed. C:\Boot\Fonts scheduled to be moved on reboot. Folder move failed. C:\Boot\fi-FI scheduled to be moved on reboot. Folder move failed. C:\Boot\es-ES scheduled to be moved on reboot. Folder move failed. C:\Boot\en-US scheduled to be moved on reboot. Folder move failed. C:\Boot\el-GR scheduled to be moved on reboot. Folder move failed. C:\Boot\de-DE scheduled to be moved on reboot. Folder move failed. C:\Boot\da-DK scheduled to be moved on reboot. Folder move failed. C:\Boot\cs-CZ scheduled to be moved on reboot. Folder move failed. C:\Boot scheduled to be moved on reboot. File C:\bootmgr not found. File C:\ProgramData\go_0molg.pad not found. ========== FILES ========== File\Folder C:\windows\System32\AsusSender.exe not found. File\Folder C:\windows\tasks\Adobe Flash Player Updater.job not found. File\Folder C:\windows\tasks\GoogleUpdateTaskMachineCore.job not found. File\Folder C:\windows\tasks\GoogleUpdateTaskMachineUA.job not found. File\Folder C:\ProgramData\go_0molg.pad not found. File\Folder C:\bootmgr not found. < ipconfig /flushdns /c > Windows-IP-Konfiguration Der DNS-Aufl”sungscache wurde geleert. C:\Users\peter\Desktop\cmd.bat deleted successfully. C:\Users\peter\Desktop\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 327990 bytes ->Flash cache emptied: 56818 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 0 bytes User: peter ->Temp folder emptied: 165049140 bytes ->Temporary Internet Files folder emptied: 21493059 bytes ->Java cache emptied: 617094 bytes ->FireFox cache emptied: 870536963 bytes ->Google Chrome cache emptied: 1976120 bytes ->Flash cache emptied: 57303 bytes User: Public %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 193062462 bytes RecycleBin emptied: 4192 bytes Total Files Cleaned = 1.195,00 mb [EMPTYFLASH] User: Administrator User: All Users User: Default ->Flash cache emptied: 0 bytes User: Default User ->Flash cache emptied: 0 bytes User: peter ->Flash cache emptied: 0 bytes User: Public Total Flash Files Cleaned = 0,00 mb OTL by OldTimer - Version 3.2.54.0 log created on 07252012_102837 Files\Folders moved on Reboot... Folder move failed. C:\Boot\zh-TW scheduled to be moved on reboot. Folder move failed. C:\Boot\zh-HK scheduled to be moved on reboot. Folder move failed. C:\Boot\zh-CN scheduled to be moved on reboot. Folder move failed. C:\Boot\tr-TR scheduled to be moved on reboot. Folder move failed. C:\Boot\sv-SE scheduled to be moved on reboot. Folder move failed. C:\Boot\ru-RU scheduled to be moved on reboot. Folder move failed. C:\Boot\pt-PT scheduled to be moved on reboot. Folder move failed. C:\Boot\pt-BR scheduled to be moved on reboot. Folder move failed. C:\Boot\pl-PL scheduled to be moved on reboot. Folder move failed. C:\Boot\nl-NL scheduled to be moved on reboot. Folder move failed. C:\Boot\nb-NO scheduled to be moved on reboot. Folder move failed. C:\Boot\ko-KR scheduled to be moved on reboot. Folder move failed. C:\Boot\ja-JP scheduled to be moved on reboot. Folder move failed. C:\Boot\it-IT scheduled to be moved on reboot. Folder move failed. C:\Boot\hu-HU scheduled to be moved on reboot. Folder move failed. C:\Boot\fr-FR scheduled to be moved on reboot. Folder move failed. C:\Boot\Fonts scheduled to be moved on reboot. Folder move failed. C:\Boot\fi-FI scheduled to be moved on reboot. Folder move failed. C:\Boot\es-ES scheduled to be moved on reboot. Folder move failed. C:\Boot\en-US scheduled to be moved on reboot. Folder move failed. C:\Boot\el-GR scheduled to be moved on reboot. Folder move failed. C:\Boot\de-DE scheduled to be moved on reboot. Folder move failed. C:\Boot\da-DK scheduled to be moved on reboot. Folder move failed. C:\Boot\cs-CZ scheduled to be moved on reboot. Folder move failed. C:\Boot\zh-TW scheduled to be moved on reboot. Folder move failed. C:\Boot\zh-HK scheduled to be moved on reboot. Folder move failed. C:\Boot\zh-CN scheduled to be moved on reboot. Folder move failed. C:\Boot\tr-TR scheduled to be moved on reboot. Folder move failed. C:\Boot\sv-SE scheduled to be moved on reboot. Folder move failed. C:\Boot\ru-RU scheduled to be moved on reboot. Folder move failed. C:\Boot\pt-PT scheduled to be moved on reboot. Folder move failed. C:\Boot\pt-BR scheduled to be moved on reboot. Folder move failed. C:\Boot\pl-PL scheduled to be moved on reboot. Folder move failed. C:\Boot\nl-NL scheduled to be moved on reboot. Folder move failed. C:\Boot\nb-NO scheduled to be moved on reboot. Folder move failed. C:\Boot\ko-KR scheduled to be moved on reboot. Folder move failed. C:\Boot\ja-JP scheduled to be moved on reboot. Folder move failed. C:\Boot\it-IT scheduled to be moved on reboot. Folder move failed. C:\Boot\hu-HU scheduled to be moved on reboot. Folder move failed. C:\Boot\fr-FR scheduled to be moved on reboot. Folder move failed. C:\Boot\Fonts scheduled to be moved on reboot. Folder move failed. C:\Boot\fi-FI scheduled to be moved on reboot. Folder move failed. C:\Boot\es-ES scheduled to be moved on reboot. Folder move failed. C:\Boot\en-US scheduled to be moved on reboot. Folder move failed. C:\Boot\el-GR scheduled to be moved on reboot. Folder move failed. C:\Boot\de-DE scheduled to be moved on reboot. Folder move failed. C:\Boot\da-DK scheduled to be moved on reboot. Folder move failed. C:\Boot\cs-CZ scheduled to be moved on reboot. Folder move failed. C:\Boot scheduled to be moved on reboot. C:\windows\temp\HS.log moved successfully. PendingFileRenameOperations files... File C:\Boot\zh-TW not found! File C:\Boot\zh-HK not found! File C:\Boot\zh-CN not found! File C:\Boot\tr-TR not found! File C:\Boot\sv-SE not found! File C:\Boot\ru-RU not found! File C:\Boot\pt-PT not found! File C:\Boot\pt-BR not found! File C:\Boot\pl-PL not found! File C:\Boot\nl-NL not found! File C:\Boot\nb-NO not found! File C:\Boot\ko-KR not found! File C:\Boot\ja-JP not found! File C:\Boot\it-IT not found! File C:\Boot\hu-HU not found! File C:\Boot\fr-FR not found! File C:\Boot\Fonts not found! File C:\Boot\fi-FI not found! File C:\Boot\es-ES not found! File C:\Boot\en-US not found! File C:\Boot\el-GR not found! File C:\Boot\de-DE not found! File C:\Boot\da-DK not found! File C:\Boot\cs-CZ not found! File C:\Boot not found! File C:\windows\temp\HS.log not found! Registry entries deleted on Reboot... Geändert von dke (07.08.2012 um 11:55 Uhr) Grund: falscher BB-Code |
07.08.2012, 13:16 | #8 |
/// Helfer-Team | Trojaner Bundespolizei Sehr gut! 1. Schritt Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.danach: 2. Schritt Downloade Dir bitte AdwCleaner auf deinen Desktop.
|
07.08.2012, 15:33 | #9 |
| Trojaner Bundespolizei danke, malwarebytes hat nichts gefunden. hier der log vom adwcleaner: Code:
ATTFilter # AdwCleaner v1.800 - Logfile created 08/07/2012 at 16:32:09 # Updated 01/08/2012 by Xplode # Operating system : Windows 7 Starter Service Pack 1 (32 bits) # User : peter - PETER-PC # Running from : C:\Users\peter\Downloads\adwcleaner.exe # Option [Search] ***** [Services] ***** ***** [Files / Folders] ***** Folder Found : C:\Users\peter\AppData\Roaming\pdfforge Folder Found : C:\ProgramData\SweetIM Folder Found : C:\Program Files\SweetIM File Found : C:\Users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\tbxsp5aj.default\searchplugins\SweetIm.xml ***** [Registry] ***** Key Found : HKCU\Software\SweetIm Key Found : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils Key Found : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1 Key Found : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator Key Found : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1 Key Found : HKLM\SOFTWARE\Classes\sim-packages Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1 Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1 Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1 Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F603A45-D956-496B-81B5-50D782424976} Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B85C4CB2-B352-4BD8-818C-BCE353599107} Key Found : HKLM\SOFTWARE\SweetIM ***** [Registre - GUID] ***** Key Found : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A} Key Found : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064} Key Found : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289} Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847} ***** [Internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16421 [OK] Registry is clean. -\\ Mozilla Firefox v12.0 (de) Profile name : default File : C:\Users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\tbxsp5aj.default\prefs.js [OK] File is clean. -\\ Google Chrome v21.0.1180.60 File : C:\Users\peter\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. ************************* AdwCleaner[R1].txt - [3596 octets] - [07/08/2012 16:32:09] ########## EOF - C:\AdwCleaner[R1].txt - [3724 octets] ########## |
07.08.2012, 15:36 | #10 |
/// Helfer-Team | Trojaner Bundespolizei Sehr gut!
danach: Malware-Scan mit Emsisoft Anti-Malware Lade die Gratisversion von => Emsisoft Anti-Malware herunter und installiere das Programm. Lade über Jetzt Updaten die aktuellen Signaturen herunter. Wähle den Freeware-Modus aus. Wähle Detail Scan und starte über den Button Scan die Überprüfung des Computers. Am Ende des Scans nichts loeschen lassen!. Mit Klick auf Bericht speichern das Logfile auf dem Desktop speichern und hier in den Thread posten. Anleitung: http://www.trojaner-board.de/103809-...i-malware.html |
07.08.2012, 21:16 | #11 |
| Trojaner Bundespolizei Adwcleaner: Code:
ATTFilter # AdwCleaner v1.800 - Logfile created 08/07/2012 at 22:08:13 # Updated 01/08/2012 by Xplode # Operating system : Windows 7 Starter Service Pack 1 (32 bits) # User : peter - PETER-PC # Running from : C:\Users\peter\Downloads\adwcleaner.exe # Option [Delete] ***** [Services] ***** ***** [Files / Folders] ***** Folder Deleted : C:\Users\peter\AppData\Roaming\pdfforge Folder Deleted : C:\ProgramData\SweetIM Folder Deleted : C:\Program Files\SweetIM File Deleted : C:\Users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\tbxsp5aj.default\searchplugins\SweetIm.xml ***** [Registry] ***** Key Deleted : HKCU\Software\SweetIm Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1 Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1 Key Deleted : HKLM\SOFTWARE\Classes\sim-packages Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1 Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1 Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1 Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F603A45-D956-496B-81B5-50D782424976} Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B85C4CB2-B352-4BD8-818C-BCE353599107} Key Deleted : HKLM\SOFTWARE\SweetIM ***** [Registre - GUID] ***** Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847} ***** [Internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16421 [OK] Registry is clean. -\\ Mozilla Firefox v12.0 (de) Profile name : default File : C:\Users\peter\AppData\Roaming\Mozilla\Firefox\Profiles\tbxsp5aj.default\prefs.js [OK] File is clean. -\\ Google Chrome v21.0.1180.60 File : C:\Users\peter\AppData\Local\Google\Chrome\User Data\Default\Preferences [OK] File is clean. ************************* AdwCleaner[R1].txt - [3725 octets] - [07/08/2012 16:32:09] AdwCleaner[S1].txt - [3728 octets] - [07/08/2012 22:08:13] ########## EOF - C:\AdwCleaner[S1].txt - [3856 octets] ########## Code:
ATTFilter Emsisoft Anti-Malware - Version 6.6 Letztes Update: 07.08.2012 20:41:15 Scan Einstellungen: Scan Methode: Detail Scan Objekte: Rootkits, Speicher, Traces, C:\, D:\, Q:\ Archiv Scan: An ADS Scan: An Scan Beginn: 07.08.2012 20:41:53 C:\Users\peter\Downloads\PDFCreator-1_2_3_setup.exe gefunden: Riskware.Win32.Toolbar.Widgi.AMN!E1 C:\Users\peter\AppData\LocalLow\pdfEngine\CHROME\pdfEngine.crx -> background.html gefunden: Trojan-Downloader.JS.Agent!E2 C:\Users\peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffkfifglkblfdjhokijnhaggggpjoai\2.19.7_0\background.html gefunden: Trojan-Downloader.JS.Agent!E2 Gescannt 525062 Gefunden 3 Scan Ende: 07.08.2012 22:04:41 Scan Zeit: 1:22:48 C:\Users\peter\AppData\LocalLow\pdfEngine\CHROME\pdfEngine.crx -> background.html Quarantäne Trojan-Downloader.JS.Agent!E2 C:\Users\peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffkfifglkblfdjhokijnhaggggpjoai\2.19.7_0\background.html Quarantäne Trojan-Downloader.JS.Agent!E2 C:\Users\peter\Downloads\PDFCreator-1_2_3_setup.exe Quarantäne Riskware.Win32.Toolbar.Widgi.AMN!E1 Quarantäne 3 |
07.08.2012, 23:38 | #12 |
/// Helfer-Team | Trojaner Bundespolizei Sehr gut! Deinstalliere: Emsisoft Anti-Malware ESET Online Scanner Vorbereitung
|
09.08.2012, 23:52 | #13 |
| Trojaner BundespolizeiCode:
ATTFilter ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=c6a15322a83775428491e158e6c729ea # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2012-08-08 09:51:02 # local_time=2012-08-08 11:51:02 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # lang=1033 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode=1792 16777215 100 0 15684687 15684687 0 0 # compatibility_mode=5893 16776573 100 94 37090 96038475 0 0 # compatibility_mode=8192 67108863 100 0 258 258 0 0 # scanned=86172 # found=12 # cleaned=12 # scan_time=12199 D:\PETER-PC\Backup Set 2012-02-23 081256\Backup Files 2012-02-23 081256\Backup files 8.zip Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-03-19 223027\Backup Files 2012-03-19 223027\Backup files 1.zip Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-03-19 223027\Backup Files 2012-03-19 223027\Backup files 4.zip HTML/ScrInject.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-04-15 190010\Backup Files 2012-04-15 190010\Backup files 1.zip Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-04-15 190010\Backup Files 2012-04-29 190006\Backup files 1.zip a variant of Java/Exploit.CVE-2012-1723.AF trojan (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-05-20 221213\Backup Files 2012-05-20 221213\Backup files 1.zip Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-05-20 221213\Backup Files 2012-06-03 231204\Backup files 3.zip a variant of Java/Exploit.CVE-2012-1723.AF trojan (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-06-24 215643\Backup Files 2012-06-24 215643\Backup files 1.zip Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-07-09 175143\Backup Files 2012-07-09 175143\Backup files 1.zip Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-07-09 175143\Backup Files 2012-07-09 175143\Backup files 7.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-07-09 192457\Backup Files 2012-07-09 192457\Backup files 1.zip Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C D:\PETER-PC\Backup Set 2012-07-09 192457\Backup Files 2012-07-09 192457\Backup files 7.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6583 # api_version=3.0.2 # EOSSerial=c6a15322a83775428491e158e6c729ea # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2012-08-09 04:16:50 # local_time=2012-08-09 06:16:50 (+0100, Mitteleuropäische Sommerzeit) # country="Germany" # lang=1033 # osver=6.1.7601 NT Service Pack 1 # compatibility_mode=1792 16777215 100 0 15788311 15788311 0 0 # compatibility_mode=5893 16776573 100 94 89407 96142099 0 0 # compatibility_mode=8192 67108863 100 0 103882 103882 0 0 # scanned=88232 # found=0 # cleaned=0 # scan_time=18122 |
10.08.2012, 12:24 | #14 |
/// Helfer-Team | Trojaner Bundespolizei Java aktualisieren Dein Java ist nicht mehr aktuell. Älter Versionen enthalten Sicherheitslücken, die von Malware missbraucht werden können.
Dann so einstellen: http://www.trojaner-board.de/105213-...tellungen.html |
02.09.2012, 10:38 | #15 |
/// Helfer-Team | Trojaner Bundespolizei Fehlende Rückmeldung Gibt es Probleme beim Abarbeiten obiger Anleitung? Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen. Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema. http://www.trojaner-board.de/69886-a...-beachten.html Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist. |
Themen zu Trojaner Bundespolizei |
antivir, avira, avira antivir, checken, eingefangen, folge, folgendes, funktioniert, gefangen, gen, gmer, gucken, guten, irgendetwas, neu, rechner, richtiges, rojaner gefunden, scanen, seite, seiten, task-manager, troja, trojaner, verhalten |