|
Log-Analyse und Auswertung: bundestrojaner und verschlüsselungWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
20.08.2012, 20:37 | #1 |
| bundestrojaner und verschlüsselung Abend zusammen, ich hatte den Bundestrojaner aufm Rechner den ich mit na Systemwiederherstellung "behoben" bekommen hab. Jetzt hab ich aba auch mit erschrecken feststellen müssen das auf meiner Partition "Data" alle Dateien umbenannt und nicht mehr lesbar sind. Ich hoff das bekommt man wieder irgendwie hin!? Da sind Geschäftsinformationen und -daten gespeichert, an die nicht mehr dran zu kommen ist. Also das erste was ich hab drüber laufen lassen war Malwarebytes. Die log dazu: Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.08.20.08 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 Blocks :: BLOCKS-LAPTOP [Administrator] Schutz: Aktiviert 20.08.2012 19:54:24 mbam-log-2012-08-20 (19-54-24).txt Art des Suchlaufs: Quick-Scan Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 186856 Laufzeit: 7 Minute(n), 32 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 4 HKCR\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCR\gencrawler_gc.GenCrawler (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 1 C:\Users\Blocks\AppData\Roaming\Media Finder\Extensions\gencrawler_gc.dll (Trojan.Downloader) -> Erfolgreich gelöscht und in Quarantäne gestellt. (Ende) Dann hab ich noch OTL drüber laufen lassen:OTL Logfile: Code:
ATTFilter OTL logfile created on: 20.08.2012 21:16:42 - Run 2 OTL by OldTimer - Version 3.2.58.1 Folder = C:\Users\Blocks\Desktop Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 0,94 Gb Available Physical Memory | 31,33% Memory free 5,99 Gb Paging File | 2,71 Gb Available in Paging File | 45,23% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 116,21 Gb Total Space | 37,62 Gb Free Space | 32,38% Space Free | Partition Type: NTFS Drive E: | 115,21 Gb Total Space | 110,46 Gb Free Space | 95,88% Space Free | Partition Type: NTFS Computer Name: BLOCKS-LAPTOP | User Name: Blocks | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.08.20 20:52:46 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Blocks\Desktop\OTL.exe PRC - [2012.08.15 13:53:28 | 001,536,712 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe PRC - [2012.08.08 17:22:20 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.07.30 09:10:42 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Programme\Mozilla Firefox\firefox.exe PRC - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe PRC - [2012.07.17 14:49:00 | 001,713,904 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE PRC - [2012.07.17 14:49:00 | 000,194,304 | ---- | M] (Microsoft Corp.) -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE PRC - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe PRC - [2012.07.03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe PRC - [2012.06.07 20:06:33 | 001,053,848 | ---- | M] () -- C:\Windows\System32\ieconfig_1und1_svc.exe PRC - [2012.05.29 15:50:04 | 000,115,032 | R--- | M] (SweetIM Technologies Ltd.) -- C:\Programme\SweetIM\Messenger\SweetIM.exe PRC - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.04.24 02:11:55 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2012.02.26 16:01:44 | 000,295,728 | ---- | M] (SweetIM Technologies Ltd.) -- C:\Programme\SweetIM\Communicator\SweetPacksUpdateManager.exe PRC - [2011.06.24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe PRC - [2011.02.25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe PRC - [2010.11.20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe PRC - [2009.08.18 02:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe PRC - [2009.08.18 02:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe PRC - [2009.02.26 18:36:46 | 000,030,040 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe PRC - [2008.08.29 15:20:56 | 000,935,208 | ---- | M] (Nero AG) -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe ========== Modules (No Company Name) ========== MOD - [2012.08.15 13:53:27 | 009,465,032 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_3_300_271.dll MOD - [2012.07.30 09:10:42 | 002,003,424 | ---- | M] () -- C:\Programme\Mozilla Firefox\mozjs.dll ========== Win32 Services (SafeList) ========== SRV - [2012.08.15 13:53:31 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.07.30 09:10:42 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.07.27 22:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012.07.17 14:49:00 | 001,713,904 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Programme\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE -- (wlidsvc) SRV - [2012.07.03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService) SRV - [2012.06.07 20:06:33 | 001,053,848 | ---- | M] () [Auto | Running] -- C:\Windows\System32\ieconfig_1und1_svc.exe -- (serviceIEConfig) SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2011.07.20 05:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv) SRV - [2010.11.20 14:17:56 | 001,121,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc) SRV - [2009.08.18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility) SRV - [2009.07.14 03:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc) SRV - [2009.07.14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc) SRV - [2009.07.14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc) SRV - [2009.07.14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2009.02.26 18:36:22 | 000,064,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service) SRV - [2008.08.29 15:20:56 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0) SRV - [2006.10.26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose) ========== Driver Services (SafeList) ========== DRV - [2012.07.03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector) DRV - [2012.05.11 12:24:30 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dtsoftbus01.sys -- (dtsoftbus01) DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2012.04.16 21:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV - [2011.05.26 08:21:18 | 000,144,984 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR) DRV - [2010.11.20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus) DRV - [2010.11.20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt) DRV - [2010.11.20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc) DRV - [2010.11.20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV - [2010.11.20 11:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb) DRV - [2010.11.20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID) DRV - [2010.11.20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap) DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2010.01.13 16:36:40 | 006,755,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5s32.sys -- (NETw5s32) DRV - [2009.08.18 03:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag) DRV - [2009.07.14 01:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp) DRV - [2009.07.14 00:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2009.07.14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) DRV - [2007.11.09 05:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes] IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.1und1.de/links/home IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AE E9 12 12 1E 29 CD 01 [binary data] IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes,DefaultScope = {603A3940-8E63-496A-B404-13A6E63D8FEB} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{089309CC-4704-4804-AE7C-E08B3DA17C39}: "URL" = hxxp://go.web.de/suchbox/ebay?query={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = hxxp://search.babylon.com/?q={searchTerms}&affID=111015&tt=2912_3&babsrc=SP_ss&mntrId=2cf7da7100000000000000216bb352f7 IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}: "URL" = hxxp://go.1und1.de/suchbox/amazon?tag=1und1icon-21&field-keywords={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{603A3940-8E63-496A-B404-13A6E63D8FEB}: "URL" = hxxp://go.1und1.de/suchbox/1und1suche?su={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{F140AC26-B95C-4CAD-874E-2AA946AA4873}: "URL" = hxxp://go.web.de/suchbox/google?q={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)" FF - prefs.js..browser.search.order.1: "Search the web (Babylon)" FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.startup.homepage: "www.google.de" FF - prefs.js..keyword.URL: "hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=KW_ss&mntrId=2cf7da7100000000000000216bb352f7&q=" FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll () FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3503.0728: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.05.10 17:12:39 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.30 09:10:42 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012.05.10 17:12:39 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.07.30 09:10:42 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.07.18 20:29:11 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Blocks\AppData\Roaming\mozilla\Extensions [2012.07.23 12:46:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Blocks\AppData\Roaming\mozilla\Firefox\Profiles\qz9xijq9.default\extensions [2012.06.07 19:44:24 | 000,003,915 | ---- | M] () -- C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\searchplugins\sweetim.xml [2012.05.03 13:17:27 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.07.23 12:46:15 | 000,702,524 | ---- | M] () (No name found) -- C:\USERS\BLOCKS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\QZ9XIJQ9.DEFAULT\EXTENSIONS\{DC572301-7619-498C-A57D-39143191B318}.XPI [2012.07.30 09:10:42 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012.06.27 13:33:30 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.07.18 20:29:02 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml [2012.06.27 13:33:30 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.06.27 13:33:30 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.06.27 13:33:30 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.27 13:33:30 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.27 13:33:30 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) O2 - BHO: (1&&1 Internet AG Browser Configuration by mquadr.at) - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\Windows\System32\ieconfig_1und1.dll (mquadr.at software engineering und consulting GmbH) O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\Toolbar\WebBrowser: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [SweetIM] C:\Programme\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.) O4 - HKLM..\Run: [Sweetpacks Communicator] C:\Programme\SweetIM\Communicator\SweetPacksUpdateManager.exe (SweetIM Technologies Ltd.) O4 - HKU\S-1-5-21-121852881-3908611197-2882621866-1001..\Run: [Media Finder] "C:\Program Files\Media Finder\Media Finder.exe" /opentotray File not found O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8 - Extra context menu item: Download with &Media Finder - C:\Program Files\Media Finder\hook.html File not found O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Web-Suche - C:\Programme\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html () O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) O13 - gopher Prefix: missing O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 78.42.43.62 82.212.62.62 192.168.0.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{429E4C30-7445-4A25-B2BD-B67CB4714070}: DhcpNameServer = 78.42.43.62 82.212.62.62 192.168.0.1 O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Programme\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.08.20 20:52:41 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Blocks\Desktop\OTL.exe [2012.08.20 19:52:33 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Roaming\Malwarebytes [2012.08.20 19:52:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware [2012.08.20 19:52:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2012.08.20 19:52:19 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2012.08.20 19:52:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2012.08.20 11:57:29 | 000,000,000 | ---D | C] -- C:\Windows\de [2012.08.20 11:56:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition [2012.08.20 11:55:41 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live [2012.08.20 11:54:58 | 002,106,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_43.dll [2012.08.20 11:54:58 | 000,527,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_7.dll [2012.08.20 11:54:58 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_43.dll [2012.08.20 11:54:58 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_5.dll [2012.08.20 11:54:39 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll [2012.08.20 11:53:30 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll [2012.08.20 11:52:30 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Local\Windows Live [2012.08.20 11:51:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live [2012.08.18 23:12:56 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Local\PokerStars.EU [2012.08.18 23:12:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PokerStars.EU [2012.08.18 23:12:38 | 000,000,000 | ---D | C] -- C:\Program Files\PokerStars.EU [2012.08.17 06:58:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2012.08.16 08:14:53 | 000,000,000 | ---D | C] -- C:\Users\Blocks\Documents\Markus [2012.08.16 07:27:14 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2012.08.16 07:27:13 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2012.08.16 07:27:13 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2012.08.16 07:27:13 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2012.08.16 07:27:12 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll [2012.08.16 07:27:10 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2012.08.16 07:27:10 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll [2012.08.15 11:12:39 | 000,400,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\srcore.dll [2012.08.15 11:12:38 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2012.08.15 11:12:33 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\browcli.dll [2012.08.13 20:00:55 | 000,000,000 | ---D | C] -- C:\Program Files\IGC [2012.08.13 20:00:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free DWG Viewer [2012.07.30 12:59:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe [2012.07.30 12:59:43 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe [2012.07.30 12:55:30 | 000,000,000 | ---D | C] -- C:\Users\Blocks\AppData\Roaming\Foxit Software [2012.07.30 12:33:37 | 000,000,000 | ---D | C] -- C:\Users\Blocks\Documents\Laura [2012.07.28 02:54:00 | 000,321,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR [2012.07.26 19:08:06 | 000,862,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcr110.dll [2012.07.26 19:08:06 | 000,534,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcp110.dll [2012.07.26 19:08:06 | 000,251,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vccorlib110.dll [2012.07.26 19:08:06 | 000,153,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\atl110.dll [2012.07.26 19:08:06 | 000,115,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vcomp110.dll [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.08.20 20:52:46 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Blocks\Desktop\OTL.exe [2012.08.20 20:52:11 | 000,000,156 | ---- | M] () -- C:\Users\Blocks\defogger_reenable [2012.08.20 20:32:43 | 000,013,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.08.20 20:32:43 | 000,013,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.08.20 20:32:42 | 000,654,166 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.08.20 20:32:42 | 000,616,008 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.08.20 20:32:42 | 000,130,006 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.08.20 20:32:42 | 000,106,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.08.20 20:24:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.08.20 20:24:42 | 2411,896,832 | -HS- | M] () -- C:\hiberfil.sys [2012.08.20 19:52:20 | 000,001,072 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.20 19:25:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.08.20 11:56:59 | 000,000,020 | ---- | M] () -- C:\Windows\¼øÊ [2012.08.17 06:55:11 | 000,410,120 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.08.15 13:53:27 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe [2012.08.15 13:53:27 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl [2012.08.14 21:56:45 | 000,060,781 | ---- | M] () -- C:\Users\Blocks\Desktop\taufkerze.jpg [2012.08.13 20:00:55 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\Free DWG Viewer.lnk [2012.08.10 18:02:22 | 002,131,664 | ---- | M] () -- C:\Users\Blocks\Documents\CIMG0899.JPG [2012.08.08 22:12:33 | 000,021,130 | ---- | M] () -- C:\Users\Blocks\Desktop\Haftpflicht - VHV Versicherungen_ Private und gewerbliche Versicherungen vom Experten.pdf [2012.08.06 02:59:44 | 775,297,024 | ---- | M] () -- C:\Users\Blocks\Desktop\Ted.avi [2012.08.03 11:38:20 | 1047,965,696 | ---- | M] () -- C:\Users\Blocks\Desktop\Offroad.avi [2012.07.28 02:54:00 | 000,321,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR [2012.07.27 08:44:45 | 000,018,070 | ---- | M] () -- C:\Users\Blocks\Desktop\Status-zu-Sendung-JJD1410103475601.pdf [2012.07.26 19:08:06 | 000,862,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msvcr110.dll [2012.07.26 19:08:06 | 000,534,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msvcp110.dll [2012.07.26 19:08:06 | 000,251,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vccorlib110.dll [2012.07.26 19:08:06 | 000,153,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\atl110.dll [2012.07.26 19:08:06 | 000,115,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vcomp110.dll [2012.07.22 13:35:57 | 000,000,125 | ---- | M] () -- C:\Windows\xUninstall.bat [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.08.20 20:52:10 | 000,000,156 | ---- | C] () -- C:\Users\Blocks\defogger_reenable [2012.08.20 19:52:20 | 000,001,072 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk [2012.08.20 11:57:17 | 000,001,256 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk [2012.08.20 11:57:04 | 000,001,325 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk [2012.08.20 11:56:58 | 000,000,020 | ---- | C] () -- C:\Windows\¼øÊ [2012.08.14 21:56:43 | 000,060,781 | ---- | C] () -- C:\Users\Blocks\Desktop\taufkerze.jpg [2012.08.13 20:00:55 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\Free DWG Viewer.lnk [2012.08.10 18:02:22 | 002,131,664 | ---- | C] () -- C:\Users\Blocks\Documents\CIMG0899.JPG [2012.08.08 22:12:31 | 000,021,130 | ---- | C] () -- C:\Users\Blocks\Desktop\Haftpflicht - VHV Versicherungen_ Private und gewerbliche Versicherungen vom Experten.pdf [2012.08.08 19:23:24 | 775,297,024 | ---- | C] () -- C:\Users\Blocks\Desktop\Ted.avi [2012.08.08 19:20:24 | 1047,965,696 | ---- | C] () -- C:\Users\Blocks\Desktop\Offroad.avi [2012.08.02 20:10:31 | 001,336,632 | R--- | C] () -- C:\Users\Blocks\Documents\LaunchU3.exe [2012.07.30 13:00:03 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk [2012.07.27 08:44:45 | 000,018,070 | ---- | C] () -- C:\Users\Blocks\Desktop\Status-zu-Sendung-JJD1410103475601.pdf [2012.06.07 20:06:33 | 001,053,848 | ---- | C] () -- C:\Windows\System32\ieconfig_1und1_svc.exe [2012.05.11 12:38:22 | 000,004,767 | ---- | C] () -- C:\Windows\Irremote.ini [2012.05.10 17:04:41 | 000,233,428 | ---- | C] () -- C:\Windows\hpoins47.dat [2012.05.06 06:59:29 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe [2012.05.03 11:55:57 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin ========== LOP Check ========== [2012.06.07 20:07:14 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\1&1 [2012.05.10 14:54:27 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\Babylon [2012.06.02 08:33:32 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\DAEMON Tools Lite [2012.07.30 12:55:30 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\Foxit Software [2012.07.18 20:30:49 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\Media Finder [2012.05.11 12:23:14 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\OpenCandy [2012.05.10 14:54:26 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\pdfforge [2012.06.10 10:38:55 | 000,000,000 | ---D | M] -- C:\Users\Blocks\AppData\Roaming\WinBatch [2009.07.14 06:53:46 | 000,014,236 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== < End of report > Für irgend welche Hilfestellungen bin ich euch schonmal dankbar. mfg markus |
20.08.2012, 21:06 | #2 |
/// Helfer-Team | bundestrojaner und verschlüsselungDie Bereinigung besteht aus mehreren Schritten, die ausgefuehrt werden muessen. Diese Nacheinander abarbeiten und die 4 Logs, die dabei erstellt werden bitte in deine naechste Antwort einfuegen. 1. Schritt Fixen mit OTL Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).
Code:
ATTFilter :OTL IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes,DefaultScope = {603A3940-8E63-496A-B404-13A6E63D8FEB} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{089309CC-4704-4804-AE7C-E08B3DA17C39}: "URL" = http://go.web.de/suchbox/ebay?query={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=111015&tt=2912_3&babsrc=SP_ss&mntrId=2cf7da7100000000000000216bb352f7 IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}: "URL" = http://go.1und1.de/suchbox/amazon?tag=1und1icon-21&field-keywords={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{603A3940-8E63-496A-B404-13A6E63D8FEB}: "URL" = http://go.1und1.de/suchbox/1und1suche?su={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\SearchScopes\{F140AC26-B95C-4CAD-874E-2AA946AA4873}: "URL" = http://go.web.de/suchbox/google?q={searchTerms} IE - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)" FF - prefs.js..browser.search.order.1: "Search the web (Babylon)" FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.startup.homepage: "www.google.de" FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=111015&tt=2912_3&babsrc=KW_ss&mntrId=2cf7da7100000000000000216bb352f7&q=" O2 - BHO: (SweetPacks Browser Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKLM\..\Toolbar: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O3 - HKU\S-1-5-21-121852881-3908611197-2882621866-1001\..\Toolbar\WebBrowser: (SweetPacks Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.) O4 - HKLM..\Run: [] File not found O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8 - Extra context menu item: Download with &Media Finder - C:\Program Files\Media Finder\hook.html File not found O8 - Extra context menu item: Web-Suche - C:\Programme\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html () O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\F\Shell - "" = AutoRun O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ] :Files ipconfig /flushdns /c :Commands [purity] [emptytemp]
Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden. Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen! 2. Schritt Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.danach: 3. Schritt Downloade Dir bitte AdwCleaner auf deinen Desktop.
4. Schritt
__________________ |
21.08.2012, 06:25 | #3 |
| bundestrojaner und verschlüsselung hi t'john,
__________________thx für die schnelle Antwort. So, Schritt1 hab ich hinter mir. Jetzt mach ich mal fröhlich weiter und schau mal was noch so passiert. Code:
ATTFilter All processes killed ========== OTL ========== HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found. HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully! Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found. Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{089309CC-4704-4804-AE7C-E08B3DA17C39}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{089309CC-4704-4804-AE7C-E08B3DA17C39}\ not found. Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found. Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AF3529F-FDEF-40C3-A157-2EFFC4F767BF}\ not found. Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{603A3940-8E63-496A-B404-13A6E63D8FEB}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603A3940-8E63-496A-B404-13A6E63D8FEB}\ not found. Registry key HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\SearchScopes\{F140AC26-B95C-4CAD-874E-2AA946AA4873}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F140AC26-B95C-4CAD-874E-2AA946AA4873}\ not found. HKU\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully! Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1 Prefs.js: "Google" removed from browser.search.selectedEngine Prefs.js: "www.google.de" removed from browser.startup.homepage Prefs.js: "hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=KW_ss&mntrId=2cf7da7100000000000000216bb352f7&q=" removed from keyword.URL Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}\ deleted successfully. C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll moved successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EEE6C35B-6118-11DC-9C72-001320C79847} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}\ deleted successfully. File C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll not found. Registry value HKEY_USERS\S-1-5-21-121852881-3908611197-2882621866-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}\ not found. File C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully. Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully. File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot. Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully. File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully. Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder\ deleted successfully. Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Web-Suche\ deleted successfully. File Suche - C:\Programme\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully! C:\autoexec.bat moved successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found. File F:\LaunchU3.exe -a not found. C:\Windows\System32\gh.tmp deleted successfully. ========== FILES ========== < ipconfig /flushdns /c > Windows-IP-Konfiguration Der DNS-Aufl”sungscache wurde geleert. C:\Users\Blocks\Desktop\cmd.bat deleted successfully. C:\Users\Blocks\Desktop\cmd.txt deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Blocks ->Temp folder emptied: 69383403 bytes ->Temporary Internet Files folder emptied: 37839940 bytes ->FireFox cache emptied: 71354225 bytes ->Flash cache emptied: 506 bytes User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Public %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 39620314 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 208,00 mb OTL by OldTimer - Version 3.2.58.1 log created on 08212012_071100 Files\Folders moved on Reboot... File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot. PendingFileRenameOperations files... Registry entries deleted on Reboot... Jetzt mach ich mich mal an den dritten. Vom 2.: Code:
ATTFilter Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.08.21.02 Windows 7 Service Pack 1 x86 NTFS Internet Explorer 9.0.8112.16421 Blocks :: BLOCKS-LAPTOP [Administrator] Schutz: Aktiviert 21.08.2012 07:41:45 mbam-log-2012-08-21 (07-41-45).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|) Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 315889 Laufzeit: 1 Stunde(n), 20 Minute(n), 54 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) Code:
ATTFilter # AdwCleaner v1.801 - Logfile created 08/21/2012 at 09:16:29 # Updated 14/08/2012 by Xplode # Operating system : Windows 7 Professional Service Pack 1 (32 bits) # User : Blocks - BLOCKS-LAPTOP # Boot Mode : Normal # Running from : C:\Users\Blocks\Desktop\adwcleaner.exe # Option [Search] ***** [Services] ***** ***** [Files / Folders] ***** Folder Found : C:\Users\Blocks\AppData\LocalLow\BabylonToolbar Folder Found : C:\Users\Blocks\AppData\LocalLow\SweetIM Folder Found : C:\Users\Blocks\AppData\Roaming\Babylon Folder Found : C:\Users\Blocks\AppData\Roaming\Media Finder Folder Found : C:\Users\Blocks\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com Folder Found : C:\Users\Blocks\AppData\Roaming\OpenCandy Folder Found : C:\Users\Blocks\AppData\Roaming\pdfforge Folder Found : C:\ProgramData\Babylon Folder Found : C:\ProgramData\SweetIM Folder Found : C:\Program Files\SweetIM Folder Found : C:\Windows\Installer\{FB697452-8CA4-46B4-98B1-165C922A2EF3} File Found : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\searchplugins\SweetIm.xml File Found : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml File Found : C:\user.js ***** [Registry] ***** Key Found : HKCU\Software\AppDataLow\Software\PriceGong Key Found : HKCU\Software\MediaFinder Key Found : HKCU\Software\SweetIm Key Found : HKLM\SOFTWARE\Babylon Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL Key Found : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils Key Found : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1 Key Found : HKLM\SOFTWARE\Classes\MF Key Found : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator Key Found : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1 Key Found : HKLM\SOFTWARE\Classes\sim-packages Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar Key Found : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1 Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook Key Found : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1 Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie Key Found : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1 Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4183178B-4D4E-48A7-9257-454BA90A760E} Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB697452-8CA4-46B4-98B1-165C922A2EF3} Key Found : HKLM\SOFTWARE\SweetIM Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Media Finder] Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SweetIM] Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator] ***** [Registre - GUID] ***** Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB} Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Found : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A} Key Found : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064} Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1} Key Found : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289} Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847} Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847} ***** [Internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16421 [HKCU\Software\Microsoft\Internet Explorer\Main - Secondary Start Pages] = hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=HP_ss&mntrId=2cf7da7100000000000000216bb352f7 hxxp://www.1und1.de/?ref=EasyLogin -\\ Mozilla Firefox v14.0.1 (de) Profile name : default File : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\prefs.js Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com"); Found : user_pref("extensions.BabylonToolbar_i.aflt", "babsst"); Found : user_pref("extensions.BabylonToolbar_i.babExt", ""); Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=111015&tt=2912_3"); Found : user_pref("extensions.BabylonToolbar_i.hardId", "2cf7da7100000000000000216bb352f7"); Found : user_pref("extensions.BabylonToolbar_i.id", "2cf7da7100000000000000216bb352f7"); Found : user_pref("extensions.BabylonToolbar_i.instlDay", "15539"); Found : user_pref("extensions.BabylonToolbar_i.instlRef", "sst"); Found : user_pref("extensions.BabylonToolbar_i.newTab", true); Found : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=111015&tt=2912_[...] Found : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar"); Found : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon"); Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none"); Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss"); Found : user_pref("extensions.BabylonToolbar_i.tlbrId", "base"); Found : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17"); Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1720:29:07"); Found : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17"); Found : user_pref("extensions.gencrawler@some.com.install-event-fired", true); ************************* AdwCleaner[R1].txt - [7152 octets] - [21/08/2012 09:16:29] ########## EOF - C:\AdwCleaner[R1].txt - [7280 octets] ########## Code:
ATTFilter # AdwCleaner v1.801 - Logfile created 08/21/2012 at 09:19:11 # Updated 14/08/2012 by Xplode # Operating system : Windows 7 Professional Service Pack 1 (32 bits) # User : Blocks - BLOCKS-LAPTOP # Boot Mode : Normal # Running from : C:\Users\Blocks\Desktop\adwcleaner.exe # Option [Delete] ***** [Services] ***** ***** [Files / Folders] ***** Folder Deleted : C:\Users\Blocks\AppData\LocalLow\BabylonToolbar Folder Deleted : C:\Users\Blocks\AppData\LocalLow\SweetIM Folder Deleted : C:\Users\Blocks\AppData\Roaming\Babylon Folder Deleted : C:\Users\Blocks\AppData\Roaming\Media Finder Folder Deleted : C:\Users\Blocks\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com Folder Deleted : C:\Users\Blocks\AppData\Roaming\OpenCandy Folder Deleted : C:\Users\Blocks\AppData\Roaming\pdfforge Folder Deleted : C:\ProgramData\Babylon Folder Deleted : C:\ProgramData\SweetIM Deleted on reboot : C:\Program Files\SweetIM Folder Deleted : C:\Windows\Installer\{FB697452-8CA4-46B4-98B1-165C922A2EF3} File Deleted : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\searchplugins\SweetIm.xml File Deleted : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml File Deleted : C:\user.js ***** [Registry] ***** Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong Key Deleted : HKCU\Software\MediaFinder Key Deleted : HKCU\Software\SweetIm Key Deleted : HKLM\SOFTWARE\Babylon Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1 Key Deleted : HKLM\SOFTWARE\Classes\MF Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1 Key Deleted : HKLM\SOFTWARE\Classes\sim-packages Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1 Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1 Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1 Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4183178B-4D4E-48A7-9257-454BA90A760E} Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB697452-8CA4-46B4-98B1-165C922A2EF3} Key Deleted : HKLM\SOFTWARE\SweetIM Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Media Finder] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SweetIM] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator] ***** [Registre - GUID] ***** Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947} Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1} Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847} Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847} Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847} ***** [Internet Browsers] ***** -\\ Internet Explorer v9.0.8112.16421 Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Secondary Start Pages] = hxxp://search.babylon.com/?affID=111015&tt=2912_3&babsrc=HP_ss&mntrId=2cf7da7100000000000000216bb352f7 hxxp://www.1und1.de/?ref=EasyLogin --> hxxp://www.google.com -\\ Mozilla Firefox v14.0.1 (de) Profile name : default File : C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\prefs.js C:\Users\Blocks\AppData\Roaming\Mozilla\Firefox\Profiles\qz9xijq9.default\user.js ... Deleted ! Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com"); Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst"); Deleted : user_pref("extensions.BabylonToolbar_i.babExt", ""); Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=111015&tt=2912_3"); Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "2cf7da7100000000000000216bb352f7"); Deleted : user_pref("extensions.BabylonToolbar_i.id", "2cf7da7100000000000000216bb352f7"); Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15539"); Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst"); Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true); Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=111015&tt=2912_[...] Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar"); Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon"); Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none"); Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss"); Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base"); Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17"); Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1720:29:07"); Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17"); Deleted : user_pref("extensions.gencrawler@some.com.install-event-fired", true); ************************* AdwCleaner[R1].txt - [7281 octets] - [21/08/2012 09:16:29] AdwCleaner[R2].txt - [7341 octets] - [21/08/2012 09:19:04] AdwCleaner[S1].txt - [7577 octets] - [21/08/2012 09:19:11] ########## EOF - C:\AdwCleaner[S1].txt - [7705 octets] ########## |
21.08.2012, 15:55 | #4 |
/// Helfer-Team | bundestrojaner und verschlüsselung Sehr gut! Wie laeuft der Rechner? Malware-Scan mit Emsisoft Anti-Malware Lade die Gratisversion von => Emsisoft Anti-Malware herunter und installiere das Programm. Lade über Jetzt Updaten die aktuellen Signaturen herunter. Wähle den Freeware-Modus aus. Wähle Detail Scan und starte über den Button Scan die Überprüfung des Computers. Am Ende des Scans nichts loeschen lassen!. Mit Klick auf Bericht speichern das Logfile auf dem Desktop speichern und hier in den Thread posten. Anleitung: http://www.trojaner-board.de/103809-...i-malware.html |
21.08.2012, 19:05 | #5 |
| bundestrojaner und verschlüsselung hi t'john, momentan bin ich noch nicht von der laufleistung des rechners überzeugt. ich würd meinen das er schon besser geloffen ist. ich denke zumindest mal das der bundestrojaner nicht mehr drauf ist!?! jetzt hab ich nur noch das problem mit den ganzen dateien auf dem rechner, die leider noch nicht entschlüsselbar sind. in meinem bewerbungsordner zum beispiel mit bewerbungen, zeugnissen und sonstigem kram, was alles in word oder pdf dateien war siehts zum beispiel so aus: aesgXQDNTJJegXuDN DNaJvegpulraTJsOX egXulNraJsgXullravsgp EGyULssAfEGyUn eOXuDNaavegpulrr gXullraJsgXuulravsgpp ... und so weiter. Da sind auch noch nicht gesicherte unterlagen meines gewerbes drauf. ich hoff das ich das wieder hin bekomm. momentan hab ich grad von c4enigma das Recuva 1.43.623 am laufen. mal gespannt was dabei rum kommt. aba schonmal vielen dank für die bisherige hilfe. mfg markus |
22.08.2012, 00:28 | #6 |
/// Helfer-Team | bundestrojaner und verschlüsselung Wichtig ist, dass du die Reihenfolge einhaelst: http://www.trojaner-board.de/116851-...strojaner.html
__________________ --> bundestrojaner und verschlüsselung |
22.08.2012, 16:02 | #7 |
| bundestrojaner und verschlüsselung danke für die bisherige hilfe, aba hat bis jetzt nichts gebracht. ich weiß ja nicht mal welche hieroglyphen was für ne datei war, xls, pdf... ist jetzt alles einfach nur noch "datei" im explorer. die daten die betroffen sind liegen zu 95% auf der partition data, für die natürlich die schutzfunktion wiederherstellen nicht aktiviert ist. hab versucht ne word datei wieder herzustellen, da ich bei der dateigröße einfach mal davon ausgegangen bin und das waren nur unleserliche seiten. das gleiche hab ich mit nem kontoauszug versucht, da ich weiß das in dem ordner nur pdf dateien sind, aba da lässt sich auch nichts öffnen. ich steh grad kurz davor das ich den rechner in meine wippkreissäge leg und ihn einfach komplett "formatier". ich les einfach mal weiter was ich noch so finde und ob ich was retten kann. mfg markus |
24.08.2012, 01:59 | #8 |
/// Helfer-Team | bundestrojaner und verschlüsselung Tut mir leid, das ist echt fies. (Rechner am besten neu aufsetzen) Viel Glueck. |
Themen zu bundestrojaner und verschlüsselung |
78.42.43.62, administrator, adobe, adobe flash player, antivir, autorun, avg, avira, bho, browser, defender, explorer, firefox, flash player, helper, langs, log, logfile, microsoft, mozilla, opera, programme, registry, search the web, senden, software, suche, sweetim, wmp |