Windows restore / Daten wiederherstellbar?
 

Hallo Zusammen,

hatte mir diesen windows restore trojaner eingefangen und dank der Informationen auf trojaner board entfernen können. (Malware etc.)

Habe allerdings noch folgendes Problem:
Meine Dateien und Programme sind verschwunden bzw. nicht mehr ersichtlich.
Habe mittels Recovery Software (u.a. Stellar und Smart Data recovery) versucht diese wieder herzustellen(erfolglos). Die jeweilige Software zeigt die verloren gegangenen Dateien zwar an, sie lassen sicher allerdings nicht wiederherstellen.

Kann mir jemand helfen?

Gruß und vielen vielen Dank im Voraus!!!

Bitte alle vorhandenen Logs dazu posten!!

Hallo,

vielen Dank für deine Antwort.
Ich habe gestern zufällig in diesem Forum eine Software gefunden
womit ich meine Daten wieder bekommen habe.

Allerdings ist windows restore heute auf meinen Rechner zurückgekehrt.:(

Wenn ich nun die Schritte der Beseitigung wiederholen möchte, sagt er mir
bei der Instalation von rkill "Zugriff verweigert".

Anbei der rkill-Editor !!

Schon mal vorab vielen vielen Dank für deine Hilfe.

Gruß


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11.04.2011 at 12:39:27.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Dokumente und Einstellungen\EuFH\Eigene Dateien\eXplorer.exe


Rkill completed on 11.04.2011 at 12:39:32.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 14.04.2011 at 9:15:37.
Operating System: Microsoft Windows XP


Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 14.04.2011 at 9:15:38.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

Processes terminated by Rkill or while it was running:

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\tAExRDJWhvf.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\18734900.exe


Rkill completed on 14.04.2011 at 9:15:42.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 14.04.2011 at 9:16:07.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 14.04.2011 at 9:16:21.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 14.04.2011 at 9:31:00.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Dokumente und Einstellungen\admin\Eigene Dateien\eXplorer.exe


Rkill completed on 14.04.2011 at 9:31:10.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 14.04.2011 at 9:33:25.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\msiexec.exe
C:\Dokumente und Einstellungen\admin\Eigene Dateien\eXplorer.exe


Rkill completed on 14.04.2011 at 9:33:35.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 14.04.2011 at 9:35:13.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 14.04.2011 at 9:35:22.

Wo sind die Logs von Malwarebytes und OTL?

Malware kann ich nicht mehr installieren.
"Zugriff verweigert" popt auf bei Instalation

Das schon probiert => http://www.trojaner-board.de/82699-m...tet-nicht.html
Ggf im Zusammenhang mit dem random installer probieren, falls man schon Probleme bei der Installation bzw. beim Download hat => http://malwarebytes.org/mbam-download-exe-random.php

Wo finde ich OTL?

malware:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6360

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

14.04.2011 11:26:46
mbam-log-2011-04-14 (11-26-46).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Durchsuchte Objekte: 237652
Laufzeit: 51 Minute(n), 1 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tAExRDJWhvf (Trojan.FakeAlert) -> Value: tAExRDJWhvf -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\dokumente und einstellungen\all users\anwendungsdaten\taexrdjwhvf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\all users\anwendungsdaten\18734900.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\spool\prtprocs\w32x86\6197.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Wo findest du was genau? Bitte genauer! Die Logs oder das Programm oder die Anleitung? :glaskugel:

OTL Logfile:
--- --- ---

OTL EXTRAS Logfile:
--- --- ---

Mach einen OTL-Fix, beende alle evtl. geöffneten Programme, auch Virenscanner deaktivieren (!), starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!)

Klick dann oben links auf den Button Fix!
Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.

Die mit diesem Script gefixten Einträge, Dateien und Ordner werden zur Sicherheit nicht vollständig gelöscht, es wird eine Sicherheitskopie auf der Systempartition im Ordner "_OTL" erstellt.

All processes killed
========== OTL ==========
C:\WINDOWS\tasks\RegistryBooster.job moved successfully.
C:\WINDOWS\system32\drivers\1228.sys moved successfully.
C:\Dokumente und Einstellungen\EuFH\Desktop\Windows Fix Disk.lnk moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\~18734900r moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\~18734900 moved successfully.
C:\WINDOWS\system32\drivers\7895.sys moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\18734900 moved successfully.
C:\Dokumente und Einstellungen\EuFH\Desktop\Prüfungsanmeldung.pdf moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\~18407220r moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\~18407220 moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\18407220 moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\~19717940r moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\~19717940 moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\19717940 moved successfully.
C:\Dokumente und Einstellungen\EuFH\Startmenü\Programme\Windows Fix Disk folder moved successfully.
C:\Dokumente und Einstellungen\EuFH\Desktop\Windows_restore folder moved successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\AUTOEXEC.BAT moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{01a1b78b-f9de-11de-bb40-001a6b7a9d4e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01a1b78b-f9de-11de-bb40-001a6b7a9d4e}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{01a1b78b-f9de-11de-bb40-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01a1b78b-f9de-11de-bb40-001a6b7a9d4e}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{01a1b78b-f9de-11de-bb40-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01a1b78b-f9de-11de-bb40-001a6b7a9d4e}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1cbf077a-fc4d-11de-bb45-001a6b7a9d4e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1cbf077a-fc4d-11de-bb45-001a6b7a9d4e}\ not found.
File F:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1cbf077a-fc4d-11de-bb45-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1cbf077a-fc4d-11de-bb45-001a6b7a9d4e}\ not found.
File F:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1cbf077a-fc4d-11de-bb45-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1cbf077a-fc4d-11de-bb45-001a6b7a9d4e}\ not found.
File F:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad4f6-eb00-11de-bb28-001a6b7a9d4e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad4f6-eb00-11de-bb28-001a6b7a9d4e}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad4f6-eb00-11de-bb28-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad4f6-eb00-11de-bb28-001a6b7a9d4e}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad4f6-eb00-11de-bb28-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad4f6-eb00-11de-bb28-001a6b7a9d4e}\ not found.
File F:\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad4f7-eb00-11de-bb28-001a6b7a9d4e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad4f7-eb00-11de-bb28-001a6b7a9d4e}\ not found.
File G:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad4f7-eb00-11de-bb28-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad4f7-eb00-11de-bb28-001a6b7a9d4e}\ not found.
File G:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad4f7-eb00-11de-bb28-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad4f7-eb00-11de-bb28-001a6b7a9d4e}\ not found.
File G:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad503-eb00-11de-bb28-001c2390cc69}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad503-eb00-11de-bb28-001c2390cc69}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad503-eb00-11de-bb28-001c2390cc69}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad503-eb00-11de-bb28-001c2390cc69}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e4ad503-eb00-11de-bb28-001c2390cc69}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3e4ad503-eb00-11de-bb28-001c2390cc69}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65b10c4e-ebb3-11de-bb2a-001a6b7a9d4e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65b10c4e-ebb3-11de-bb2a-001a6b7a9d4e}\ not found.
File F:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65b10c4e-ebb3-11de-bb2a-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65b10c4e-ebb3-11de-bb2a-001a6b7a9d4e}\ not found.
File F:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65b10c4e-ebb3-11de-bb2a-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65b10c4e-ebb3-11de-bb2a-001a6b7a9d4e}\ not found.
File F:\cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db85db26-c52e-11de-bad9-001a6b7a9d4e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{db85db26-c52e-11de-bad9-001a6b7a9d4e}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db85db26-c52e-11de-bad9-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{db85db26-c52e-11de-bad9-001a6b7a9d4e}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db85db26-c52e-11de-bad9-001a6b7a9d4e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{db85db26-c52e-11de-bad9-001a6b7a9d4e}\ not found.
File cold\hott\sysdiag64.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ deleted successfully.
C:\Programme\ICQ6Toolbar\ICQToolBar.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{855F3B16-6D32-4FE6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4FE6-8A56-BBB695989046}\ not found.
File C:\Programme\ICQ6Toolbar\ICQToolBar.dll not found.
Prefs.js: "ICQ Search" removed from browser.search.defaultenginename
Prefs.js: "ICQ Search" removed from browser.search.selectedEngine
Prefs.js: "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=" removed from keyword.URL
Prefs.js: "" removed from network.proxy.backup.ftp
Prefs.js: 0 removed from network.proxy.backup.ftp_port
Prefs.js: "" removed from network.proxy.backup.gopher
Prefs.js: 0 removed from network.proxy.backup.gopher_port
Prefs.js: "" removed from network.proxy.backup.socks
Prefs.js: 0 removed from network.proxy.backup.socks_port
Prefs.js: "" removed from network.proxy.backup.ssl
Prefs.js: 0 removed from network.proxy.backup.ssl_port
Prefs.js: "Proxy" removed from network.proxy.ftp
Prefs.js: 3128 removed from network.proxy.ftp_port
Prefs.js: "Proxy" removed from network.proxy.gopher
Prefs.js: 3128 removed from network.proxy.gopher_port
Prefs.js: "Proxy" removed from network.proxy.http
Prefs.js: 3128 removed from network.proxy.http_port
Prefs.js: true removed from network.proxy.share_proxy_settings
Prefs.js: "Proxy" removed from network.proxy.socks
Prefs.js: 3128 removed from network.proxy.socks_port
Prefs.js: "Proxy" removed from network.proxy.ssl
Prefs.js: 3128 removed from network.proxy.ssl_port
Prefs.js: 4 removed from network.proxy.type
Service ICQ Service stopped successfully!
Service ICQ Service deleted successfully!
C:\Programme\ICQ6Toolbar\ICQ Service.exe moved successfully.
Service MDM stopped successfully!
Service MDM deleted successfully!
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: admin
->Temp folder emptied: 236753864 bytes
->Temporary Internet Files folder emptied: 373253334 bytes
->Java cache emptied: 4962819 bytes
->FireFox cache emptied: 15974042 bytes
->Flash cache emptied: 2010282 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: EuFH
->Temp folder emptied: 834321815 bytes
->Temporary Internet Files folder emptied: 943398861 bytes
->Java cache emptied: 9142589 bytes
->FireFox cache emptied: 89776218 bytes
->Flash cache emptied: 2948699 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 14472095 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1908702 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2147662 bytes
%systemroot%\System32 .tmp files removed: 429459 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2278254 bytes
RecycleBin emptied: 29638893 bytes

Total Files Cleaned = 2.445,00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04142011_125650

Files\Folders moved on Reboot...
File\Folder C:\Dokumente und Einstellungen\EuFH\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\Q7K36T81\1729516519@Top1,TopRight,Right,Middle1,Right1,Right2,Right3,Right4,Right5,Right6,Bottom,Middle,Middle2,Middle3,Position1,Po sition2,Position3,x01,x02,x03,x04,x05,x70,Bottom1[1] not found!
File\Folder C:\Dokumente und Einstellungen\EuFH\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\C7M5610J\1149521306@Top1,TopRight,Right,Middle1,Right1,Right2,Right3,Right4,Right5,Right6,Bottom,Middle,Middle2,Middle3,Position1,Po sition2,Position3,x01,x02,x03,x04,x05,x70,Bottom1[1] not found!
File\Folder C:\Dokumente und Einstellungen\EuFH\Lokale Einstellungen\Temp\~DF805A.tmp not found!
File\Folder C:\Dokumente und Einstellungen\EuFH\Lokale Einstellungen\Temp\~DFD68.tmp not found!
C:\Dokumente und Einstellungen\EuFH\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IQKCRG71\97421-windows-restore-daten-wiederherstellbar-2[1].html moved successfully.

Registry entries deleted on Reboot...

Bitte nun dieses Tool von Kaspersky ausführen und das Log posten => http://www.trojaner-board.de/82358-t...entfernen.html

Der tdsskiller kann zwar auf dem Desktop gepseichert werden,
er öffnet sich allerdings nicht :(

=> http://filepony.de/download-tdsskiller/

Diesen Link hast du benutzt? Klick mal mit Rechts auf den Link => Ziel speichern unter => Desktop auswählen => Dateinamen ändern in abc.exe => den in abc.exe umbenannten TDSS-Killer ausführen