Pests of all kinds and how to get rid of them: Trojan Ransom (Windows 7)
If you are not sure whether you have caught malware or a trojan, create a topic here. An expert will get back to you with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
19.12.2012, 13:55 | #16
/// Malware-holic | Trojan Ransom
Hi, made it after all :-)
ComboFix: ComboFix may only be run when a team member has instructed you to do so! Please download ComboFix from one of these download mirrors: Link 1 Link 2. IMPORTANT - save ComboFix to your desktop.
When ComboFix has finished, it will create a log file. Please post C:\Combofix.txt in your next reply. Note: should you get the following error message after the reboot, quote:
__________________ -Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de Forwarding instructions: http://markusg.trojaner-board.de For now, please forward mails to markusg.trojaner-board@web.de according to the instructions above. If you would like to support us
19.12.2012, 17:06 | #17
Trojan Ransom
Combofix Logfile:
Code:
ATTFilter ComboFix 12-12-19.01 - Jacinta Heidenreich 19-12-2012 13:18:06.1.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.351.2070.18.4076.1140 [GMT 0:00] Executando de: c:\users\Jacinta Heidenreich\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E4T0YYP1\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C} SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\JACINT~1\AppData\Local\Temp\ub194D.tmp c:\windows\SysWow64\pt c:\windows\SysWow64\pt\AuthFWSnapIn.Resources.dll c:\windows\SysWow64\pt\AuthFWWizFwk.Resources.dll . . (((((((((((((((( Arquivos/Ficheiros criados de 2012-11-19 to 2012-12-19 )))))))))))))))))))))))))))) . . 2012-12-19 13:23 . 2012-12-19 13:23 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-12-18 18:42 . 2012-12-18 18:42 76232 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{81ED132A-565C-469F-9988-D0891916862A}\offreg.dll 2012-12-18 18:26 . 2012-12-18 18:26 -------- d-----w- C:\_OTL 2012-12-18 15:30 . 2012-12-18 15:30 -------- d-----w- c:\program files (x86)\QS 2012-12-18 14:29 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{81ED132A-565C-469F-9988-D0891916862A}\mpengine.dll 2012-12-18 11:49 . 2012-12-18 11:49 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\AVG 2012-12-18 11:48 . 2012-12-18 11:50 -------- d-----w- c:\programdata\AVG 2012-12-18 11:48 . 2012-12-18 11:48 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F} 2012-12-17 16:29 . 2012-12-17 16:29 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\Malwarebytes 2012-12-17 16:29 . 
2012-12-17 16:29 -------- d-----w- c:\programdata\Malwarebytes 2012-12-17 16:29 . 2012-12-17 16:29 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-12-17 16:29 . 2012-09-29 19:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-12-17 13:49 . 2012-12-17 13:49 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\TuneUp Software 2012-12-17 13:49 . 2012-12-17 13:48 30568 ----a-w- c:\windows\system32\drivers\avgtpx64.sys 2012-12-17 13:49 . 2012-12-18 16:26 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search 2012-12-17 13:42 . 2012-12-19 13:12 -------- d-----w- c:\programdata\MFAData 2012-12-17 13:42 . 2012-12-17 13:42 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Local\MFAData 2012-12-17 13:03 . 2012-12-17 13:03 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\QuickScan 2012-12-17 11:42 . 2012-12-17 13:55 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\Faes 2012-12-17 11:42 . 2012-12-17 11:43 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\Obaqpu 2012-12-17 11:25 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-12-14 17:16 . 2012-12-17 13:57 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\Wotyn 2012-12-14 17:16 . 2012-12-17 13:50 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\Osqo 2012-12-14 17:16 . 2012-12-14 17:16 -------- d-----w- c:\users\Jacinta Heidenreich\AppData\Roaming\Ufsaox 2012-12-13 09:19 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll 2012-12-10 17:08 . 2012-12-10 17:08 -------- d-----w- c:\users\DefaultAppPool 2012-11-29 09:41 . 2012-11-29 09:41 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{36C7EAB6-8A5B-427F-9465-EEB71436B257}\gapaengine.dll 2012-11-27 09:33 . 2012-11-27 09:33 -------- d-----w- c:\program files (x86)\Common Files\Skype 2012-11-26 18:18 . 
2012-07-26 08:04 2560 ----a-w- c:\windows\system32\drivers\pt-PT\wdf01000.sys.mui 2012-11-26 18:18 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys 2012-11-26 18:18 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys 2012-11-26 18:18 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll 2012-11-26 18:12 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll 2012-11-26 18:12 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll 2012-11-26 18:12 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys 2012-11-26 18:12 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys 2012-11-26 18:12 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe 2012-11-26 18:12 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll 2012-11-26 18:12 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll 2012-11-26 10:04 . 2012-10-03 16:42 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll 2012-11-26 10:04 . 2012-10-03 16:07 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys 2012-11-26 10:04 . 2012-01-13 07:12 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll 2012-11-26 10:04 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll 2012-11-26 10:04 . 2012-10-03 17:44 18944 ----a-w- c:\windows\system32\netevent.dll 2012-11-26 10:04 . 2012-10-03 16:42 18944 ----a-w- c:\windows\SysWow64\netevent.dll 2012-11-26 10:03 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll 2012-11-26 10:03 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll . . . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-12-13 16:01 . 2012-06-14 15:12 67413224 ----a-w- c:\windows\system32\MRT.exe 2012-10-16 08:38 . 2012-11-29 09:40 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll 2012-10-16 08:38 . 
2012-11-29 09:40 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll 2012-10-16 07:39 . 2012-11-29 09:40 561664 ----a-w- c:\windows\apppatch\AcLayers.dll 2012-10-15 09:41 . 2012-10-15 09:42 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll 2012-10-15 09:41 . 2012-10-15 09:42 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-10-15 09:41 . 2012-10-15 09:42 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-10-04 18:49 . 2012-10-12 10:06 87152 ----a-w- c:\windows\system32\cpwmon64.dll 2012-10-04 16:40 . 2012-12-13 09:19 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2012-10-04 08:32 . 2012-06-13 14:17 972192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll . . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por padrão não são apresentadas. REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "HP KEYBOARDx"="c:\program files (x86)\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE" [2010-02-11 710656] "HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896] "BATINDICATOR"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe" [2009-05-08 2068992] "LaunchHPOSIAPP"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe" [2009-04-04 385024] "PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2011-08-12 658424] "File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-08-26 12277248] "hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528] "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040] "EMET Notifier"="c:\program files (x86)\EMET\EMET_notifier.exe" [2012-05-09 152152] . 
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336] MailWasherPro.lnk - c:\program files (x86)\Firetrust\MailWasher\MailWasherPro.exe [2012-4-4 5515088] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP] 2011-09-05 16:57 75320 ----a-w- c:\windows\System32\DeviceNP.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ DPPassFilter scecli . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-] "HP Software Update"=c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" . 
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-10 86072] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-11-09 160944] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-08-01 195320] R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys [2011-08-22 64312] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe [2011-09-05 476728] R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-30 128456] R3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-12 368896] R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2012-04-13 31152] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Serviço de Tecnologias de Activação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-05 1255736] S0 MfeEpeOpal;MfeEpeOpal; [x] S0 MfeEpePc;MfeEpePc; [x] S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-12-17 30568] S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-09-14 89600] S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-07-20 249648] S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168] S2 HPFSService;File Sanitizer for HP 
ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-08-26 322048] S2 jhi_service;Intel(R) Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944] S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936] S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-07-22 1318912] S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2011-08-12 1128952] S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-10-02 3064000] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-05 378472] S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-08-03 2656536] S2 vToolbarUpdater13.3.2;vToolbarUpdater13.3.2;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe [2012-12-17 894920] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928] S3 QDrive;QDrive;c:\users\JACINT~1\AppData\Local\Temp\QDrive.sys [x] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-09-14 533096] S3 tihub3;TI USB3 Hub Service;c:\windows\system32\drivers\tihub3.sys [2011-09-21 136000] S3 tixhci;TI XHCI Service;c:\windows\system32\drivers\tixhci.sys [2011-09-21 409408] . . --- =Outros Serviços/Drivers Na Memória --- . *NewlyCreated* - WS2IFSL . 
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc iissvcs REG_MULTI_SZ w3svc was apphost REG_MULTI_SZ apphostsvc . Conteúdo da pasta 'Tarefas Agendadas' . 2012-12-18 c:\windows\Tasks\HPCeeScheduleForJacinta Heidenreich.job - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 11:43] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BeatsOSDApp"="c:\program files\IDT\WDM\beats64.exe" [2011-09-14 37888] "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-09-14 1128448] "MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-07-22 200704] "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 1289704] "Certificate Import"="c:\program files\Cartão de Cidadão\PtEidTrayApplet.exe" [2012-01-23 674664] . ------- Scan Suplementar ------- . uStart Page = hxxp://www.google.de/ uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000 Trusted Zone: millenniumbcp.pt\corp TCP: DhcpNameServer = 172.16.2.254 . - - - - ORFÃOS REMOVIDOS - - - - . Wow6432Node-HKLM-Run-vProt - c:\program files (x86)\AVG Secure Search\vprot.exe HKLM_Wow6432Node-ActiveSetup-{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} - msiexec AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher] "ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService" . --------------------- CHAVES DO REGISTRO BLOQUEADAS --------------------- . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Outros Processos em Execução ------------------------ . 
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe c:\program files (x86)\Licensing\License Agent\bin\cla.exe c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe c:\program files\QNAP\NetBak\Enclosure.exe c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe . ************************************************************************** . Tempo para conclusão: 2012-12-19 15:53:35 - Máquina reiniciou ComboFix-quarantined-files.txt 2012-12-19 15:53 . Pré-execução: 795.451.473.920 bytes livres Pós execução: 793.540.599.808 bytes livres . - - End Of File - - 9EDEFF52ADF96AE35F0ED8A21044D8CD
And now, what else needs to be done to be 100% certain that the PC is clean?
19.12.2012, 18:27 | #18
/// Malware-holic | Trojan Ransom
Hi
This script, and any scripts that follow, are only for this particular user. If you have problems, open your own topic and wait for scripts tailored to you.
• Please start OTL.exe
• Now copy the following into the text box. Code:
:OTL
c:\users\Jacinta Heidenreich\AppData\Roaming\Faes
c:\users\Jacinta Heidenreich\AppData\Roaming\Obaqpu
c:\users\Jacinta Heidenreich\AppData\Roaming\Wotyn
c:\users\Jacinta Heidenreich\AppData\Roaming\Osqo
c:\users\Jacinta Heidenreich\AppData\Roaming\Ufsaox
:Files
:Commands
[EMPTYFLASH]
[emptytemp]
• Now please close all programs.
• Now please click the Fix button.
• OTL may ask for a reboot. Please allow it.
• After the reboot you will find a text document; paste its contents into your next reply here.
Boot into normal mode. If you have no icons, right-click, View, Show desktop icons.
Note: please also upload the file as described in the UpChannel instructions. Please do NOT post the ZIP file here as an attachment in the thread! Please press the + E key.
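The five folders ComboFix listed as newly created under AppData\Roaming (Faes, Obaqpu, Wotyn, Osqo, Ufsaox) are exactly the ones the helper's OTL script above removes. As an added example, not code from the thread, from ComboFix or from OTL, the following Python script parses the "files created" section of a ComboFix log, flags directories created directly under AppData\Roaming that are not on a small allowlist of the tools the user ran, groups them by creation minute (several unknown folders appearing in the same minute is a stronger signal than any single one), and renders the hits in the :OTL fix format shown above. The allowlist, the name heuristic and the sample log with a placeholder profile name are assumptions made for this example.

```python
"""Triage helper for the "files created" section of a ComboFix log.

Added example, not ComboFix's or OTL's own code. The allowlist and the
"looks generated" heuristic are assumptions for the example.
"""
import re
from collections import defaultdict

# Constructed sample in the format of ComboFix's "files created" section.
# The profile name is a placeholder; the folder names are the ones the
# thread's log shows and the helper's OTL script targets.
SAMPLE_LOG = r"""
2012-12-19 13:23 . 2012-12-19 13:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-18 11:49 . 2012-12-18 11:49 -------- d-----w- c:\users\exampleuser\AppData\Roaming\AVG
2012-12-18 11:48 . 2012-12-18 11:48 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-12-17 16:29 . 2012-12-17 16:29 -------- d-----w- c:\users\exampleuser\AppData\Roaming\Malwarebytes
2012-12-17 16:29 . 2012-09-29 19:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-17 13:49 . 2012-12-17 13:49 -------- d-----w- c:\users\exampleuser\AppData\Roaming\TuneUp Software
2012-12-17 13:03 . 2012-12-17 13:03 -------- d-----w- c:\users\exampleuser\AppData\Roaming\QuickScan
2012-12-17 11:42 . 2012-12-17 13:55 -------- d-----w- c:\users\exampleuser\AppData\Roaming\Faes
2012-12-17 11:42 . 2012-12-17 11:43 -------- d-----w- c:\users\exampleuser\AppData\Roaming\Obaqpu
2012-12-14 17:16 . 2012-12-17 13:57 -------- d-----w- c:\users\exampleuser\AppData\Roaming\Wotyn
2012-12-14 17:16 . 2012-12-17 13:50 -------- d-----w- c:\users\exampleuser\AppData\Roaming\Osqo
2012-12-14 17:16 . 2012-12-14 17:16 -------- d-----w- c:\users\exampleuser\AppData\Roaming\Ufsaox
"""

# One ComboFix "created" line: <created> . <modified> <size|-------- > <attrs> <path>
# The attribute field is 8 characters; a leading "d" marks a directory.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>.+?)\s*$"
)
ROAMING_RE = re.compile(r"\\appdata\\roaming\\([^\\]+)$", re.IGNORECASE)

# Assumed allowlist: folders the sample log shows being created by tools the
# user ran during cleanup. Extend it for your own environment.
KNOWN_ROAMING = {"avg", "malwarebytes", "tuneup software", "quickscan"}


def parse_created_entries(log_text):
    """Return a dict per line that matches the ComboFix created-file format."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["is_dir"] = entry["attrs"].startswith("d")
            entries.append(entry)
    return entries


def looks_generated(name):
    """Heuristic: a short, single, purely alphabetic token, as used by malware
    that names its folder randomly. Vendor folders usually carry a product
    name or several words."""
    return name.isalpha() and 3 <= len(name) <= 8


def suspicious_roaming_dirs(log_text):
    """Created directories directly under AppData\\Roaming that are neither
    allowlisted nor obviously a product name, as (created, leaf, path)."""
    hits = []
    for e in parse_created_entries(log_text):
        if not e["is_dir"]:
            continue
        m = ROAMING_RE.search(e["path"])
        if not m:
            continue
        leaf = m.group(1)
        if leaf.lower() in KNOWN_ROAMING:
            continue
        if looks_generated(leaf):
            hits.append((e["created"], leaf, e["path"]))
    return hits


def cluster_by_creation(hits):
    """Group flagged folders by creation minute: several unknown folders
    appearing at the same time is a stronger signal than any one of them."""
    clusters = defaultdict(list)
    for created, leaf, _path in hits:
        clusters[created].append(leaf)
    return dict(clusters)


def otl_fix_script(hits):
    """Render the flagged paths in the OTL fix format used in the thread."""
    lines = [":OTL"] + [path for _created, _leaf, path in hits]
    lines += [":Files", ":Commands", "[EMPTYFLASH]", "[emptytemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = suspicious_roaming_dirs(SAMPLE_LOG)
    for created, names in cluster_by_creation(found).items():
        print(f"{created}: {', '.join(names)}")
    print(otl_fix_script(found))
```

Run it on a real ComboFix log by reading the file and passing its text to suspicious_roaming_dirs; the clusters are the part worth reviewing by hand before anything is removed, and every hit should still be checked against the rest of the log (services, run keys) before it goes into a fix script.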
20.12.2012, 10:25 | #19
| Trojan Ransom All processes killed Error: Unable to interpret <Code:> in the current context! Error: Unable to interpret <---------> in the current context! ========== OTL ========== ========== COMMANDS ========== [EMPTYFLASH] User: Administrator User: All Users User: Default ->Flash cache emptied: 0 bytes User: Default User ->Flash cache emptied: 0 bytes User: DefaultAppPool ->Flash cache emptied: 0 bytes User: Jacinta Heidenreich ->Flash cache emptied: 1081 bytes User: Public Total Flash Files Cleaned = 0,00 mb [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 0 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 0 bytes User: DefaultAppPool ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 0 bytes User: Jacinta Heidenreich ->Temp folder emptied: 2237849 bytes ->Temporary Internet Files folder emptied: 39169366 bytes ->Java cache emptied: 0 bytes ->Flash cache emptied: 0 bytes User: Public ->Temp folder emptied: 0 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 43446 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 40,00 mb Error: Unable to interpret <---------> in the current context! OTL by OldTimer - Version 3.2.69.0 log created on 12202012_091918 Files\Folders moved on Reboot... C:\Users\Jacinta Heidenreich\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. 
File\Folder C:\Users\Jacinta Heidenreich\AppData\Local\Temp\~DF0E7EE6B13C365EB0.TMP not found! PendingFileRenameOperations files... Registry entries deleted on Reboot...
Hi, the upload didn't work. It complains "Link to the thread....."
Important before uploading: temporarily disable your virus scanner (esp. AVG) for the upload. The uploaded files are packed automatically and protected with a password. Upload: Upload: Upload: Link to the thread in the forum: Your username: Comment:
Hi Markus, attached is the zip file
20.12.2012, 13:28 | #20
/// Malware-holic | Trojan Ransom
Hi, you didn't run what is in the code box; please do it again. And then upload again; it really isn't that hard, you need to enter your name and the link from the address bar there.