Dear all,

I hope I can post a message in English. In fact, your forum has been really useful for me!

I had the following malware on my PC: "der zugang zu ihrem computer wurde gesperrt" preventing me to do anything on it: it is completey block.
Following the post on a related malware (http://www.trojaner-board.de/119468-...t-malware.html), I run OTLPE on the PC and here is the OTL file that resulted from the scan by OTLPE.

Thank you in advance for your help (you can asnwer in German - I kind of understand it but it is too difficult to write in German!)

Fixen mit OTLpe

• Starte den unbootbaren Computer erneut mit der OTLPE-CD,
• warte bis der Reatogo-X-Pe-Desktop erscheint und doppelklicke das OTLPE-Icon.

• Kopiere folgendes Skript in das Textfeld unterhalb von Custom Scans/Fixes:
• Sollte das mangels Internet-Verbindung nicht möglich sein,
• kopiere den Text aus der folgenden Code-Box und speichere ihn als Fix.txt auf einen USB-Stick.
• Schließe den USB-Stick an den Computer an und öffne Fix.txt mit dem Explorer auf dem Reatogo-Desktop.
• Kopiere den Inhalt von Fix.txt in das Textfeld unterhalb von Custom Scans/Fixes:

Code: Alles auswählenAufklappen

ATTFilter

:OTL
SRV - [2012/08/08 04:44:21 | 000,329,216 | ---- | M] (Clevo) [Auto] -- D:\Windows\Installer\{0EAED36A-E2C9-6C0F-A8A0-397887EC4EA6}\syshost.exe -- (syshost32) 

DRV - File not found [Kernel | System] -- -- (MpKsl8ad947c8) 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\Administrator_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\Biljana.EAA-BILJANA_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\Biljana_ON_D\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask) 
IE - HKU\Biljana_ON_D\..\URLSearchHook: {656461ef-40f6-4115-9ff1-bced9812ccbb} - Reg Error: Key error. File not found 
IE - HKU\Biljana_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
FF - prefs.js..browser.search.defaultengine: "Ask.com" 
FF - prefs.js..browser.search.defaultenginename: "Ask.com" 
FF - prefs.js..browser.search.order.1: "Ask.com" 
FF - prefs.js..browser.search.selectedEngine: "Google" 
FF - prefs.js..browser.search.useDBForOrder: true 
FF - prefs.js..browser.startup.homepage: "http://www.google.com/" 
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3045275&SearchSource=2&q=" 
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found 
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask) 
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask) 
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. 
O3 - HKU\Biljana.EAA-BILJANA_ON_D\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask) 
O4 - HKLM..\Run: [] File not found 
O4 - HKLM..\Run: [ApnUpdater] D:\Program Files\Ask.com\Updater\Updater.exe (Ask) 
O4 - HKLM..\Run: [E0FBF1756BB52D] D:\ProgramData\E0FBF1756BB52D\E0FBF1756BB52D.exe () 
O4 - HKLM..\Run: [E0FBF1756BBE32] D:\ProgramData\E0FBF1756BBE32\E0FBF1756BBE32.exe () 
O4 - HKLM..\Run: [E0FBF1756BCC55] D:\ProgramData\E0FBF1756BCC55\E0FBF1756BCC55.exe () 
O4 - HKLM..\Run: [E0FBF1756BD6A1] D:\ProgramData\E0FBF1756BD6A1\E0FBF1756BD6A1.exe () 
O4 - HKU\Biljana_ON_D..\Run: [E0FBF1756BB52D] D:\ProgramData\E0FBF1756BB52D\E0FBF1756BB52D.exe () 
O4 - HKU\Biljana_ON_D..\Run: [E0FBF1756BBE32] D:\ProgramData\E0FBF1756BBE32\E0FBF1756BBE32.exe () 
O4 - HKU\Biljana_ON_D..\Run: [E0FBF1756BCC55] D:\ProgramData\E0FBF1756BCC55\E0FBF1756BCC55.exe () 
O4 - HKU\Biljana_ON_D..\Run: [E0FBF1756BD6A1] D:\ProgramData\E0FBF1756BD6A1\E0FBF1756BD6A1.exe () 
O4 - HKU\LocalService_ON_D..\RunOnce: [mctadmin] D:\Windows\System32\mctadmin.exe (Microsoft Corporation) 
O4 - HKU\NetworkService_ON_D..\RunOnce: [mctadmin] D:\Windows\System32\mctadmin.exe (Microsoft Corporation) 
O4 - Startup: D:\Users\Biljana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk () 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 
O7 - HKU\Administrator_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O7 - HKU\Biljana.EAA-BILJANA_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O7 - HKU\Biljana_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O7 - HKU\Biljana_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1 
O7 - HKU\Biljana_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) 
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) 
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) 
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. 
O33 - MountPoints2\{c8638748-d928-11e0-8590-806e6f6e6963}\Shell - "" = AutoRun 
O33 - MountPoints2\{c8638748-d928-11e0-8590-806e6f6e6963}\Shell\AutoRun\command - "" = D:\reatogoMenu.exe 
O34 - HKLM BootExecute: (autocheck autochk *) - File not found 
 
@Alternate Data Stream - 127 bytes -> D:\ProgramData\Temp:430C6D84 
@Alternate Data Stream - 109 bytes -> D:\ProgramData\Temp:DFC5A2B2 


[2012/08/08 04:44:27 | 000,000,000 | ---D | C] -- D:\ProgramData\E0FBF1756BD6A1 
[2012/08/08 04:44:24 | 000,000,000 | ---D | C] -- D:\ProgramData\E0FBF1756BCC55 
[2012/08/08 04:44:21 | 000,000,000 | ---D | C] -- D:\ProgramData\E0FBF1756BBE32 
[2012/08/08 04:44:19 | 000,000,000 | ---D | C] -- D:\ProgramData\E0FBF1756BB52D 
[2012/08/08 04:44:30 | 000,003,072 | ---- | M] () -- D:\Users\Biljana\AppData\Roaming\twain.dll 
[2012/08/08 04:40:00 | 000,000,916 | ---- | M] () -- D:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-36177420-1276735995-1336879462-1249UA.job 
[2012/08/08 04:00:00 | 000,001,110 | ---- | M] () -- D:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4022799231-2890272522-3635118757-500UA.job 

[2012/08/08 01:59:01 | 000,000,440 | -H-- | M] () -- D:\Windows\tasks\Norton Security Scan for biljana.job 
[2012/08/07 10:00:00 | 000,001,058 | ---- | M] () -- D:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4022799231-2890272522-3635118757-500Core.job 
[2012/08/07 09:40:00 | 000,000,864 | ---- | M] () -- D:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-36177420-1276735995-1336879462-1249Core.job 

[2012/07/06 10:02:21 | 004,503,728 | ---- | M] () -- D:\ProgramData\nud0repor.pad 

:Files


ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[emptyflash]
         

• Schließe alle Programme.
• Klicke auf den Fix Button.
• Klick auf .
• Kopiere den Inhalt hier in Code-Tags in Deinen Thread.
  Nachträglich kannst Du das Logfile hier einsehen => C:\OTLpe\MovedFiles\<datum_nummer.log>
• Teste, ob den Computer nun wieder in den normalen Windows-Modus booten kannst und berichte.

Fehlende Rückmeldung

Gibt es Probleme beim Abarbeiten obiger Anleitung?

Um Kapazitäten für andere Hilfesuchende freizumachen, lösche ich dieses Thema aus meinen Benachrichtigungen.

Solltest Du weitermachen wollen, schreibe mir eine PN oder eröffne ein neues Thema.
http://www.trojaner-board.de/69886-a...-beachten.html


Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner sauber ist.