bundestrojaner und verschlüsselung

blocker1 · 20.08.2012, 20:37

Abend zusammen,

ich hatte den Bundestrojaner aufm Rechner den ich mit na Systemwiederherstellung "behoben" bekommen hab.
Jetzt hab ich aba auch mit erschrecken feststellen müssen das auf meiner Partition "Data" alle Dateien umbenannt und nicht mehr lesbar sind.
Ich hoff das bekommt man wieder irgendwie hin!? Da sind Geschäftsinformationen und -daten gespeichert, an die nicht mehr dran zu kommen ist.
Also das erste was ich hab drüber laufen lassen war Malwarebytes.
Die log dazu:
Malwarebytes Anti-Malware (Test) 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.08.20.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Blocks :: BLOCKS-LAPTOP [Administrator]

Schutz: Aktiviert

20.08.2012 19:54:24
mbam-log-2012-08-20 (19-54-24).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 186856
Laufzeit: 7 Minute(n), 32 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 4
HKCR\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\gencrawler_gc.GenCrawler (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 1
C:\Users\Blocks\AppData\Roaming\Media Finder\Extensions\gencrawler_gc.dll (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

Dann hab ich noch OTL drüber laufen lassen:OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 20.08.2012 21:16:42 - Run 2
OTL by OldTimer - Version 3.2.58.1     Folder = C:\Users\Blocks\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,00 Gb Total Physical Memory | 0,94 Gb Available Physical Memory | 31,33% Memory free
5,99 Gb Paging File | 2,71 Gb Available in Paging File | 45,23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 116,21 Gb Total Space | 37,62 Gb Free Space | 32,38% Space Free | Partition Type: NTFS
Drive E: | 115,21 Gb Total Space | 110,46 Gb Free Space | 95,88% Space Free | Partition Type: NTFS
 
Computer Name: BLOCKS-LAPTOP | User Name: Blocks | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012.08.20 20:52:46 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Blocks\Desktop\OTL.exe
PRC - [2012.08.15 13:53:28 | 001,536,712 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
PRC - [2012.08.08 17:22:20 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.07.30 09:10:42 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe
PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012.07.17 14:49:00 | 001,713,904 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2012.07.17 14:49:00 | 000,194,304 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012.07.03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012.06.07 20:06:33 | 001,053,848 | ---- | M] () -- C:\Windows\System32\ieconfig_1und1_svc.exe
PRC - [2012.05.29 15:50:04 | 000,115,032 | R--- | M] (SweetIM Technologies Ltd.) -- C:\Programme\SweetIM\Messenger\SweetIM.exe
PRC - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.04.24 02:11:55 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.02.26 16:01:44 | 000,295,728 | ---- | M] (SweetIM Technologies Ltd.) -- C:\Programme\SweetIM\Communicator\SweetPacksUpdateManager.exe
PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009.08.18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009.08.18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009.02.26 18:36:46 | 000,030,040 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008.08.29 15:20:56 | 000,935,208 | ---- | M] (Nero AG) -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012.08.15 13:53:27 | 009,465,032 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_3_300_271.dll
MOD - [2012.07.30 09:10:42 | 002,003,424 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2012.08.15 13:53:31 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.07.30 09:10:42 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012.07.17 14:49:00 | 001,713,904 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012.06.07 20:06:33 | 001,053,848 | ---- | M] () [Auto | Running] -- C:\Windows\System32\ieconfig_1und1_svc.exe -- (serviceIEConfig)
SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.07.20 05:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2009.08.18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009.02.26 18:36:22 | 000,064,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008.08.29 15:20:56 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2012.07.03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012.05.11 12:24:30 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.04.16 21:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011.05.26 08:21:18 | 000,144,984 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)
DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010.01.13 16:36:40 | 006,755,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5s32.sys -- (NETw5s32)
DRV - [2009.08.18 03:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009.07.14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009.07.14 00:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009.07.14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32)
DRV - [2007.11.09 05:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.1und1.de/links/home
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AE E9 12 12 1E 29 CD 01  [binary data]
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes,DefaultScope = {603A3940-8E63-496A-B404-13A6E63D8FEB}
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{089309CC-4704-4804-AE7C-E08B3DA17C39}: "URL" = hxxp://go.web.de/suchbox/ebay?query={searchTerms}
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=111015&tt=2912_3&babsrc=SP_ss&mntrId=2cf7da7100000000000000216bb352f7
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}: "URL" = hxxp://go.1und1.de/suchbox/amazon?tag=1und1icon-21&field-keywords={searchTerms}
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{603A3940-8E63-496A-B404-13A6E63D8FEB}: "URL" = hxxp://go.1und1.de/suchbox/1und1suche?su={searchTerms}
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{F140AC26-B95C-4CAD-874E-2AA946AA4873}: "URL" = hxxp://go.web.de/suchbox/google?q={searchTerms}
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..keyword.URL: "hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=KW_ss&mntrId=2cf7da7100000000000000216bb352f7&q="
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3503.0728: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.05.10 17:12:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.30 09:10:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.05.10 17:12:39 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.30 09:10:42 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2012.07.18 20:29:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Blocks\AppData\Roaming\mozilla\Extensions
[2012.07.23 12:46:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Blocks\AppData\Roaming\mozilla\Firefox\Profiles\qz9xijq9.default\extensions
[2012.06.07 19:44:24 | 000,003,915 | ---- | M] () -- C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\searchplugins\sweetim.xml
[2012.05.03 13:17:27 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2012.07.23 12:46:15 | 000,702,524 | ---- | M] () (No name found) -- C:\USERS\BLOCKS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\QZ9XIJQ9.DEFAULT\EXTENSIONS\{DC572301-7619-498C-A57D-39143191B318}.XPI
[2012.07.30 09:10:42 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.06.27 13:33:30 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.07.18 20:29:02 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012.06.27 13:33:30 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.06.27 13:33:30 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.06.27 13:33:30 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.06.27 13:33:30 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.06.27 13:33:30 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (1&&1 Internet AG Browser Configuration by mquadr.at) - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\Windows\System32\ieconfig_1und1.dll (mquadr.at software engineering und consulting GmbH)
O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\Toolbar\WebBrowser: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SweetIM] C:\Programme\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [Sweetpacks Communicator] C:\Programme\SweetIM\Communicator\SweetPacksUpdateManager.exe (SweetIM Technologies Ltd.)
O4 - HKU\S-1-5-21-121852881-3908611197-2882621866-1001..\Run: [Media Finder] "C:\Program Files\Media Finder\Media Finder.exe" /opentotray File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Download with &Media Finder - C:\Program Files\Media Finder\hook.html File not found
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Web-Suche - C:\Programme\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 78.42.43.62 82.212.62.62 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{429E4C30-7445-4A25-B2BD-B67CB4714070}: DhcpNameServer = 78.42.43.62 82.212.62.62 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Programme\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.08.20 20:52:41 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Blocks\Desktop\OTL.exe
[2012.08.20 19:52:33 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Roaming\Malwarebytes
[2012.08.20 19:52:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012.08.20 19:52:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012.08.20 19:52:19 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012.08.20 19:52:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012.08.20 11:57:29 | 000,000,000 | ---D | C] -- C:\Windows\de
[2012.08.20 11:56:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2012.08.20 11:55:41 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2012.08.20 11:54:58 | 002,106,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_43.dll
[2012.08.20 11:54:58 | 000,527,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_7.dll
[2012.08.20 11:54:58 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_43.dll
[2012.08.20 11:54:58 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_5.dll
[2012.08.20 11:54:39 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2012.08.20 11:53:30 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll
[2012.08.20 11:52:30 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Local\Windows Live
[2012.08.20 11:51:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2012.08.18 23:12:56 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Local\PokerStars.EU
[2012.08.18 23:12:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PokerStars.EU
[2012.08.18 23:12:38 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars.EU
[2012.08.17 06:58:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012.08.16 08:14:53 | 000,000,000 | ---D | C] -- C:\Users\Blocks\Documents\Markus
[2012.08.16 07:27:14 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012.08.16 07:27:13 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012.08.16 07:27:13 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012.08.16 07:27:13 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012.08.16 07:27:12 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012.08.16 07:27:10 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012.08.16 07:27:10 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012.08.15 11:12:39 | 000,400,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\srcore.dll
[2012.08.15 11:12:38 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012.08.15 11:12:33 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browcli.dll
[2012.08.13 20:00:55 | 000,000,000 | ---D | C] -- C:\Program Files\IGC
[2012.08.13 20:00:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free DWG Viewer
[2012.07.30 12:59:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2012.07.30 12:59:43 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2012.07.30 12:55:30 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Roaming\Foxit Software
[2012.07.30 12:33:37 | 000,000,000 | ---D | C] -- C:\Users\Blocks\Documents\Laura
[2012.07.28 02:54:00 | 000,321,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
[2012.07.26 19:08:06 | 000,862,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcr110.dll
[2012.07.26 19:08:06 | 000,534,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcp110.dll
[2012.07.26 19:08:06 | 000,251,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vccorlib110.dll
[2012.07.26 19:08:06 | 000,153,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\atl110.dll
[2012.07.26 19:08:06 | 000,115,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vcomp110.dll
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.08.20 20:52:46 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Blocks\Desktop\OTL.exe
[2012.08.20 20:52:11 | 000,000,156 | ---- | M] () -- C:\Users\Blocks\defogger_reenable
[2012.08.20 20:32:43 | 000,013,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.08.20 20:32:43 | 000,013,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.08.20 20:32:42 | 000,654,166 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.08.20 20:32:42 | 000,616,008 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.08.20 20:32:42 | 000,130,006 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.08.20 20:32:42 | 000,106,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012.08.20 20:24:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.08.20 20:24:42 | 2411,896,832 | -HS- | M] () -- C:\hiberfil.sys
[2012.08.20 19:52:20 | 000,001,072 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.08.20 19:25:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.20 11:56:59 | 000,000,020 | ---- | M] () -- C:\Windows\¼øÊ
[2012.08.17 06:55:11 | 000,410,120 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.08.15 13:53:27 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012.08.15 13:53:27 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012.08.14 21:56:45 | 000,060,781 | ---- | M] () -- C:\Users\Blocks\Desktop\taufkerze.jpg
[2012.08.13 20:00:55 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\Free DWG Viewer.lnk
[2012.08.10 18:02:22 | 002,131,664 | ---- | M] () -- C:\Users\Blocks\Documents\CIMG0899.JPG
[2012.08.08 22:12:33 | 000,021,130 | ---- | M] () -- C:\Users\Blocks\Desktop\Haftpflicht - VHV Versicherungen_ Private und gewerbliche Versicherungen vom Experten.pdf
[2012.08.06 02:59:44 | 775,297,024 | ---- | M] () -- C:\Users\Blocks\Desktop\Ted.avi
[2012.08.03 11:38:20 | 1047,965,696 | ---- | M] () -- C:\Users\Blocks\Desktop\Offroad.avi
[2012.07.28 02:54:00 | 000,321,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
[2012.07.27 08:44:45 | 000,018,070 | ---- | M] () -- C:\Users\Blocks\Desktop\Status-zu-Sendung-JJD1410103475601.pdf
[2012.07.26 19:08:06 | 000,862,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msvcr110.dll
[2012.07.26 19:08:06 | 000,534,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msvcp110.dll
[2012.07.26 19:08:06 | 000,251,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vccorlib110.dll
[2012.07.26 19:08:06 | 000,153,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\atl110.dll
[2012.07.26 19:08:06 | 000,115,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vcomp110.dll
[2012.07.22 13:35:57 | 000,000,125 | ---- | M] () -- C:\Windows\xUninstall.bat
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.08.20 20:52:10 | 000,000,156 | ---- | C] () -- C:\Users\Blocks\defogger_reenable
[2012.08.20 19:52:20 | 000,001,072 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2012.08.20 11:57:17 | 000,001,256 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
[2012.08.20 11:57:04 | 000,001,325 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
[2012.08.20 11:56:58 | 000,000,020 | ---- | C] () -- C:\Windows\¼øÊ
[2012.08.14 21:56:43 | 000,060,781 | ---- | C] () -- C:\Users\Blocks\Desktop\taufkerze.jpg
[2012.08.13 20:00:55 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\Free DWG Viewer.lnk
[2012.08.10 18:02:22 | 002,131,664 | ---- | C] () -- C:\Users\Blocks\Documents\CIMG0899.JPG
[2012.08.08 22:12:31 | 000,021,130 | ---- | C] () -- C:\Users\Blocks\Desktop\Haftpflicht - VHV Versicherungen_ Private und gewerbliche Versicherungen vom Experten.pdf
[2012.08.08 19:23:24 | 775,297,024 | ---- | C] () -- C:\Users\Blocks\Desktop\Ted.avi
[2012.08.08 19:20:24 | 1047,965,696 | ---- | C] () -- C:\Users\Blocks\Desktop\Offroad.avi
[2012.08.02 20:10:31 | 001,336,632 | R--- | C] () -- C:\Users\Blocks\Documents\LaunchU3.exe
[2012.07.30 13:00:03 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012.07.27 08:44:45 | 000,018,070 | ---- | C] () -- C:\Users\Blocks\Desktop\Status-zu-Sendung-JJD1410103475601.pdf
[2012.06.07 20:06:33 | 001,053,848 | ---- | C] () -- C:\Windows\System32\ieconfig_1und1_svc.exe
[2012.05.11 12:38:22 | 000,004,767 | ---- | C] () -- C:\Windows\Irremote.ini
[2012.05.10 17:04:41 | 000,233,428 | ---- | C] () -- C:\Windows\hpoins47.dat
[2012.05.06 06:59:29 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2012.05.03 11:55:57 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
 
========== LOP Check ==========
 
[2012.06.07 20:07:14 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\1&1
[2012.05.10 14:54:27 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\Babylon
[2012.06.02 08:33:32 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\DAEMON Tools Lite
[2012.07.30 12:55:30 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\Foxit Software
[2012.07.18 20:30:49 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\Media Finder
[2012.05.11 12:23:14 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\OpenCandy
[2012.05.10 14:54:26 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\pdfforge
[2012.06.10 10:38:55 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\WinBatch
[2009.07.14 06:53:46 | 000,014,236 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 

< End of report >

--- --- ---

Für irgend welche Hilfestellungen bin ich euch schonmal dankbar.

mfg markus

t'john · 20.08.2012, 21:06

Die Bereinigung besteht aus mehreren Schritten, die ausgefuehrt werden muessen.
Diese Nacheinander abarbeiten und die 4 Logs, die dabei erstellt werden bitte in deine naechste Antwort einfuegen.

1. Schritt

Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
Starte die OTL.exe.
Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:

Code:

ATTFilter

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes,DefaultScope = {603A3940-8E63-496A-B404-13A6E63D8FEB} 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{089309CC-4704-4804-AE7C-E08B3DA17C39}: "URL" = http://go.web.de/suchbox/ebay?query={searchTerms} 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=111015&tt=2912_3&babsrc=SP_ss&mntrId=2cf7da7100000000000000216bb352f7 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}: "URL" = http://go.1und1.de/suchbox/amazon?tag=1und1icon-21&field-keywords={searchTerms} 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{603A3940-8E63-496A-B404-13A6E63D8FEB}: "URL" = http://go.1und1.de/suchbox/1und1suche?su={searchTerms} 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{F140AC26-B95C-4CAD-874E-2AA946AA4873}: "URL" = http://go.web.de/suchbox/google?q={searchTerms} 
IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)" 
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)" 
FF - prefs.js..browser.search.selectedEngine: "Google" 
FF - prefs.js..browser.startup.homepage: "www.google.de" 
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=111015&tt=2912_3&babsrc=KW_ss&mntrId=2cf7da7100000000000000216bb352f7&q=" 
O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) 
O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) 
O3 - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\Toolbar\WebBrowser: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) 
O4 - HKLM..\Run: [] File not found 
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) 
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 
O8 - Extra context menu item: Download with &Media Finder - C:\Program Files\Media Finder\hook.html File not found 
O8 - Extra context menu item: Web-Suche - C:\Programme\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html () 
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
O32 - HKLM CDRom: AutoRun - 1 
O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] 
O33 - MountPoints2\F\Shell - "" = AutoRun 
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a 
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] 

:Files

ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]

Schließe alle Programme.
Klicke auf den Fix Button.
Wenn OTL einen Neustart verlangt, bitte zulassen.
Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

2. Schritt

Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Malwarebytes Anti-Malware
- Anwendbar auf Windows 2000, XP, Vista und 7.
- Installiere das Programm in den vorgegebenen Pfad.
- Aktualisiere die Datenbank!
- Aktiviere "Komplett Scan durchführen" => Scan.
- Wähle alle verfügbaren Laufwerke (ausser CD/DVD) aus und starte den Scan.
- Funde bitte löschen lassen oder in Quarantäne.
- Wenn der Scan beendet ist, klicke auf "Zeige Resultate".

danach:

3. Schritt

Downloade Dir bitte AdwCleaner auf deinen Desktop.

Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Search.
Nach Ende des Suchlaufs öffnet sich eine Textdatei.
Poste mir den Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner[R1].txt.

4. Schritt

Schließe alle offenen Programme und Browser.
Starte die adwcleaner.exe mit einem Doppelklick.
Klicke auf Delete.
Bestätige jeweils mit Ok.
Dein Rechner wird neu gestartet. Nach dem Neustart öffnet sich eine Textdatei.
Poste mir den Inhalt mit deiner nächsten Antwort.
Die Logdatei findest du auch unter C:\AdwCleaner[S1].txt.

blocker1 · 21.08.2012, 06:25

hi t'john,

thx für die schnelle Antwort. So, Schritt1 hab ich hinter mir. Jetzt mach ich mal fröhlich weiter und schau mal was noch so passiert.

Code:

ATTFilter

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{089309CC-4704-4804-AE7C-E08B3DA17C39}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{089309CC-4704-4804-AE7C-E08B3DA17C39}\ not found.
Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}\ not found.
Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{603A3940-8E63-496A-B404-13A6E63D8FEB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603A3940-8E63-496A-B404-13A6E63D8FEB}\ not found.
Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{F140AC26-B95C-4CAD-874E-2AA946AA4873}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F140AC26-B95C-4CAD-874E-2AA946AA4873}\ not found.
HKU\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
Prefs.js: "Google" removed from browser.search.selectedEngine
Prefs.js: "www.google.de" removed from browser.startup.homepage
Prefs.js: "hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=KW_ss&mntrId=2cf7da7100000000000000216bb352f7&q=" removed from keyword.URL
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}\ deleted successfully.
C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EEE6C35B-6118-11DC-9C72-001320C79847} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}\ deleted successfully.
File C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll not found.
Registry value HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}\ not found.
File C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Web-Suche\ deleted successfully.
File Suche - C:\Programme\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\autoexec.bat moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
File F:\LaunchU3.exe -a not found.
C:\Windows\System32\gh.tmp deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache wurde geleert.
C:\Users\Blocks\Desktop\cmd.bat deleted successfully.
C:\Users\Blocks\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Blocks
->Temp folder emptied: 69383403 bytes
->Temporary Internet Files folder emptied: 37839940 bytes
->FireFox cache emptied: 71354225 bytes
->Flash cache emptied: 506 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 39620314 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 208,00 mb
 
 
OTL by OldTimer - Version 3.2.58.1 log created on 08212012_071100

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Sodele, der zweite Schritt währ jetzt auch durch.
Jetzt mach ich mich mal an den dritten.
Vom 2.:

Code:

ATTFilter

 Malwarebytes Anti-Malware  (Test) 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.08.21.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Blocks :: BLOCKS-LAPTOP [Administrator]

Schutz: Aktiviert

21.08.2012 07:41:45
mbam-log-2012-08-21 (07-41-45).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 315889
Laufzeit: 1 Stunde(n), 20 Minute(n), 54 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

Schritt 3 ging ja recht fix.

Code:

ATTFilter

# AdwCleaner v1.801 - Logfile created 08/21/2012 at 09:16:29
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Blocks - BLOCKS-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Blocks\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Blocks\AppData\LocalLow\BabylonToolbar
Folder Found : C:\Users\Blocks\AppData\LocalLow\SweetIM
Folder Found : C:\Users\Blocks\AppData\Roaming\Babylon
Folder Found : C:\Users\Blocks\AppData\Roaming\Media Finder
Folder Found : C:\Users\Blocks\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com
Folder Found : C:\Users\Blocks\AppData\Roaming\OpenCandy
Folder Found : C:\Users\Blocks\AppData\Roaming\pdfforge
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\SweetIM
Folder Found : C:\Program Files\SweetIM
Folder Found : C:\Windows\Installer\{FB697452-8CA4-46B4-98B1-165C922A2EF3}
File Found : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\searchplugins\SweetIm.xml
File Found : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\user.js

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\MediaFinder
Key Found : HKCU\Software\SweetIm
Key Found : HKLM\SOFTWARE\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils
Key Found : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1
Key Found : HKLM\SOFTWARE\Classes\MF
Key Found : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator
Key Found : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1
Key Found : HKLM\SOFTWARE\Classes\sim-packages
Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4183178B-4D4E-48A7-9257-454BA90A760E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB697452-8CA4-46B4-98B1-165C922A2EF3}
Key Found : HKLM\SOFTWARE\SweetIM
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Media Finder]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SweetIM]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKCU\Software\Microsoft\Internet Explorer\Main - Secondary Start Pages] = hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=HP_ss&mntrId=2cf7da7100000000000000216bb352f7
hxxp://www.1und1.de/?ref=EasyLogin

-\\ Mozilla Firefox v14.0.1 (de)

Profile name : default 
File : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\prefs.js

Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Found : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=111015&tt=2912_3");
Found : user_pref("extensions.BabylonToolbar_i.hardId", "2cf7da7100000000000000216bb352f7");
Found : user_pref("extensions.BabylonToolbar_i.id", "2cf7da7100000000000000216bb352f7");
Found : user_pref("extensions.BabylonToolbar_i.instlDay", "15539");
Found : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar_i.newTab", true);
Found : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=111015&tt=2912_[...]
Found : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Found : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1720:29:07");
Found : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Found : user_pref("extensions.gencrawler@some.com.install-event-fired", true);

*************************

AdwCleaner[R1].txt - [7152 octets] - [21/08/2012 09:16:29]

########## EOF - C:\AdwCleaner[R1].txt - [7280 octets] ##########

Hier nun die log aus Schritt4:

Code:

ATTFilter

# AdwCleaner v1.801 - Logfile created 08/21/2012 at 09:19:11
# Updated 14/08/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Blocks - BLOCKS-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Blocks\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Blocks\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\Blocks\AppData\LocalLow\SweetIM
Folder Deleted : C:\Users\Blocks\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Blocks\AppData\Roaming\Media Finder
Folder Deleted : C:\Users\Blocks\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com
Folder Deleted : C:\Users\Blocks\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\Blocks\AppData\Roaming\pdfforge
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\SweetIM
Deleted on reboot : C:\Program Files\SweetIM
Folder Deleted : C:\Windows\Installer\{FB697452-8CA4-46B4-98B1-165C922A2EF3}
File Deleted : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\searchplugins\SweetIm.xml
File Deleted : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\user.js

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\MediaFinder
Key Deleted : HKCU\Software\SweetIm
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils
Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\MF
Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator
Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1
Key Deleted : HKLM\SOFTWARE\Classes\sim-packages
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4183178B-4D4E-48A7-9257-454BA90A760E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB697452-8CA4-46B4-98B1-165C922A2EF3}
Key Deleted : HKLM\SOFTWARE\SweetIM
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Media Finder]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SweetIM]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Secondary Start Pages] = hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=HP_ss&mntrId=2cf7da7100000000000000216bb352f7
hxxp://www.1und1.de/?ref=EasyLogin --> hxxp://www.google.com

-\\ Mozilla Firefox v14.0.1 (de)

Profile name : default 
File : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\prefs.js

C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\user.js ... Deleted !

Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=111015&tt=2912_3");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "2cf7da7100000000000000216bb352f7");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "2cf7da7100000000000000216bb352f7");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15539");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=111015&tt=2912_[...]
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1720:29:07");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.gencrawler@some.com.install-event-fired", true);

*************************

AdwCleaner[R1].txt - [7281 octets] - [21/08/2012 09:16:29]
AdwCleaner[R2].txt - [7341 octets] - [21/08/2012 09:19:04]
AdwCleaner[S1].txt - [7577 octets] - [21/08/2012 09:19:11]

########## EOF - C:\AdwCleaner[S1].txt - [7705 octets] ##########

t'john · 21.08.2012, 15:55

Sehr gut!

Wie laeuft der Rechner?

Malware-Scan mit Emsisoft Anti-Malware

Lade die Gratisversion von => Emsisoft Anti-Malware herunter und installiere das Programm.
Lade über Jetzt Updaten die aktuellen Signaturen herunter.
Wähle den Freeware-Modus aus.

Wähle Detail Scan und starte über den Button Scan die Überprüfung des Computers.
Am Ende des Scans nichts loeschen lassen!. Mit Klick auf Bericht speichern das Logfile auf dem Desktop speichern und hier in den Thread posten.

Anleitung: http://www.trojaner-board.de/103809-...i-malware.html

blocker1 · 21.08.2012, 19:05

hi t'john,
momentan bin ich noch nicht von der laufleistung des rechners überzeugt. ich würd meinen das er schon besser geloffen ist.
ich denke zumindest mal das der bundestrojaner nicht mehr drauf ist!?!
jetzt hab ich nur noch das problem mit den ganzen dateien auf dem rechner, die leider noch nicht entschlüsselbar sind.
in meinem bewerbungsordner zum beispiel mit bewerbungen, zeugnissen und sonstigem kram, was alles in word oder pdf dateien war siehts zum beispiel so aus:
aesgXQDNTJJegXuDN
DNaJvegpulraTJsOX
egXulNraJsgXullravsgp
EGyULssAfEGyUn
eOXuDNaavegpulrr
gXullraJsgXuulravsgpp
... und so weiter.
Da sind auch noch nicht gesicherte unterlagen meines gewerbes drauf. ich hoff das ich das wieder hin bekomm.
momentan hab ich grad von c4enigma das Recuva 1.43.623 am laufen. mal gespannt was dabei rum kommt.
aba schonmal vielen dank für die bisherige hilfe.

mfg markus

t'john · 22.08.2012, 00:28

Wichtig ist, dass du die Reihenfolge einhaelst: http://www.trojaner-board.de/116851-...strojaner.html

blocker1 · 22.08.2012, 16:02

danke für die bisherige hilfe, aba hat bis jetzt nichts gebracht. ich weiß ja nicht mal welche hieroglyphen was für ne datei war, xls, pdf... ist jetzt alles einfach nur noch "datei" im explorer.
die daten die betroffen sind liegen zu 95% auf der partition data, für die natürlich die schutzfunktion wiederherstellen nicht aktiviert ist.
hab versucht ne word datei wieder herzustellen, da ich bei der dateigröße einfach mal davon ausgegangen bin und das waren nur unleserliche seiten. das gleiche hab ich mit nem kontoauszug versucht, da ich weiß das in dem ordner nur pdf dateien sind, aba da lässt sich auch nichts öffnen.
ich steh grad kurz davor das ich den rechner in meine wippkreissäge leg und ihn einfach komplett "formatier".
ich les einfach mal weiter was ich noch so finde und ob ich was retten kann.

mfg markus

t'john · 24.08.2012, 01:59

Tut mir leid, das ist echt fies.
(Rechner am besten neu aufsetzen)

Viel Glueck.

22.08.2012, 00:28	#6
t'john /// Helfer-Team	bundestrojaner und verschlüsselung Wichtig ist, dass du die Reihenfolge einhaelst: http://www.trojaner-board.de/116851-...strojaner.html __________________ --> bundestrojaner und verschlüsselung

24.08.2012, 01:59	#8
t'john /// Helfer-Team	bundestrojaner und verschlüsselung Tut mir leid, das ist echt fies. (Rechner am besten neu aufsetzen) Viel Glueck. __________________ Mfg, t'john Das TB unterstützen

bundestrojaner und verschlüsselung

Log-Analyse und Auswertung: bundestrojaner und verschlüsselung