Trojaner-Board
Seite 1 von 3 1 23
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   security center, Achtung! Ihr Windows System wurde blockiert! (https://www.trojaner-board.de/108866-security-center-achtung-windows-system-wurde-blockiert.html)

sternchendan 01.02.2012 15:53
security center, Achtung! Ihr Windows System wurde blockiert!
 
hallo, ich nutze einen netbook und hab mir den trojaner oder was auch immer gefangen...Wenn ich Windows 7 starte erscheint sofort der Bildschirm, dass Windows gesperrt wurde und ich werde aufgefordert 100 Euro zu bezahlen.
habe schon die otl.exe geladen und auch gescannt. netbook ist im abgesicherten modus gestartet.
den otl.txt schick ich gleich nach, bitte helft mir.

markusg 01.02.2012 15:56
dann hänge die otl.txt an bitte.

sternchendan 01.02.2012 16:15
hier der otl.txtOTL Logfile:
Code:
OTL logfile created on: 01.02.2012 15:40:01 - Run 1
OTL by OldTimer - Version 3.2.31.0    Folder = C:\Users\***\Desktop
 Starter Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1013,30 Mb Total Physical Memory | 679,59 Mb Available Physical Memory | 67,07% Memory free
1,99 Gb Paging File | 1,69 Gb Available in Paging File | 84,77% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 58,59 Gb Total Space | 37,27 Gb Free Space | 63,60% Space Free | Partition Type: NTFS
Drive D: | 159,19 Gb Total Space | 158,56 Gb Free Space | 99,60% Space Free | Partition Type: NTFS
Drive E: | 961,73 Mb Total Space | 961,17 Mb Free Space | 99,94% Space Free | Partition Type: FAT
 
Computer Name: ***-PC | User Name: *** | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\***\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV - (VmbService) --  File not found
SRV - (FSORSPClient) -- C:\Program Files\Vodafone\PC Protection\ORSP Client\fsorsp.exe (F-Secure Corporation)
SRV - (FSMA) -- C:\Program Files\Vodafone\PC Protection\Common\FSMA32.EXE (F-Secure Corporation)
SRV - (FSDFWD) -- C:\Program Files\Vodafone\PC Protection\FWES\Program\fsdfwd.exe (F-Secure Corporation)
SRV - (F-Secure Gatekeeper Handler Starter) -- C:\Program Files\Vodafone\PC Protection\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
SRV - (btwdins) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (VMCService) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone)
SRV - (Rezip) -- C:\Windows\System32\Rezip.exe ()
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (fsbts) -- C:\windows\system32\Drivers\fsbts.sys ()
DRV - (F-Secure Gatekeeper) -- C:\Program Files\Vodafone\PC Protection\Anti-Virus\minifilter\fsgk.sys ()
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (ZTEusbnet) -- C:\Windows\System32\drivers\ZTEusbnet.sys (ZTE Corporation)
DRV - (ZTEusbvoice) -- C:\Windows\System32\drivers\zteusbvoice.sys (ZTE Incorporated)
DRV - (ZTEusbser6k) -- C:\Windows\System32\drivers\ZTEusbser6k.sys (ZTE Incorporated)
DRV - (ZTEusbnmea) -- C:\Windows\System32\drivers\ZTEusbnmea.sys (ZTE Incorporated)
DRV - (ZTEusbmdm6k) -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys (ZTE Incorporated)
DRV - (huawei_enumerator) -- C:\Windows\System32\drivers\ew_jubusenum.sys (Huawei Technologies Co., Ltd.)
DRV - (FSES) -- C:\Windows\System32\drivers\fses.sys (F-Secure Corporation)
DRV - (samsung_hspa_datacard_cdc_acm) -- C:\Windows\System32\drivers\samsung_hspa_datacard_cdc_acm.sys (Samsung)
DRV - (samsung_hspa_datacard_dc_enum) -- C:\Windows\System32\drivers\samsung_hspa_datacard_dc_enum.sys (Samsung)
DRV - (samsung_hspa_datacard_cdc_ecm) -- C:\Windows\System32\drivers\samsung_hspa_datacard_cdc_ecm.sys (Samsung)
DRV - (F-Secure HIPS) -- C:\Program Files\Vodafone\PC Protection\HIPS\drivers\fshs.sys (F-Secure Corporation)
DRV - (FSFW) -- C:\Windows\System32\drivers\fsdfw.sys (F-Secure Corporation)
DRV - (fsvista) -- C:\Program Files\Vodafone\PC Protection\Anti-Virus\minifilter\fsvista.sys ()
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (yukonw7) -- C:\Windows\System32\drivers\yk62x86.sys (Marvell)
DRV - (btusbflt) -- C:\Windows\System32\drivers\btusbflt.sys (Broadcom Corporation.)
DRV - (massfilter) -- C:\Windows\System32\drivers\massfilter.sys (ZTE Incorporated)
DRV - (hwdatacard) -- C:\Windows\System32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\URLSearchHook:  - No CLSID value found
IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - No CLSID value found
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Klingeltöne, Handylogos, Handyspiele & MusicDownloads - Vodafone D2 - Home
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google
IE - HKCU\..\URLSearchHook:  - No CLSID value found
IE - HKCU\..\URLSearchHook: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Search"
FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "ICQ Search"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "hxxp://start.icq.com/sm"
FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10
FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:2.0.0.4
FF - prefs.js..extensions.enabledItems: {872b5b88-9db5-4310-bdd0-ac189557e5f5}:2.7.2.0
FF - prefs.js..extensions.enabledItems: {ACAA314B-EEBA-48e4-AD47-84E31C44796C}:1.0.1
FF - prefs.js..extensions.enabledItems: ff-bmboc@bytemobile.com:4.2.2
FF - prefs.js..keyword.URL: "hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.4&q="
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.type: 0
 
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\litmus-ff@f-secure.com: C:\Program Files\Vodafone\PC Protection\NRS\litmus-ff@f-secure.com [2011.11.04 14:31:09 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011.12.09 15:26:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.01.25 16:13:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.09.22 22:25:05 | 000,000,000 | ---D | M]
 
[2010.08.27 19:28:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Extensions
[2012.01.09 19:57:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\csx97i5m.default\extensions
[2012.01.09 19:57:39 | 000,000,000 | ---D | M] ("ICQ Toolbar") -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\csx97i5m.default\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
[2012.01.10 04:40:41 | 000,000,000 | ---D | M] (DVDVideoSoftTB Community Toolbar) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\csx97i5m.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
[2011.06.09 19:16:34 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\csx97i5m.default\extensions\engine@conduit.com
[2011.10.27 16:14:53 | 000,000,000 | ---D | M] (Yontoo Layers) -- C:\Users\***\AppData\Roaming\mozilla\Firefox\Profiles\csx97i5m.default\extensions\plugin@yontoo.com
[2010.10.16 20:29:45 | 000,000,873 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\conduit.xml
[2010.11.25 20:48:19 | 000,002,342 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icq-search.xml
[2011.02.17 21:42:07 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-1.xml
[2011.04.29 22:19:35 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-2.xml
[2011.06.02 20:32:51 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-3.xml
[2011.06.30 19:58:36 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-4.xml
[2011.08.20 16:46:15 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-5.xml
[2011.09.01 09:17:02 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-6.xml
[2011.09.08 11:00:27 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-7.xml
[2011.10.02 08:34:09 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-8.xml
[2011.11.10 12:20:59 | 000,000,950 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin-9.xml
[2010.06.21 17:35:24 | 000,001,042 | ---- | M] () -- C:\Users\***\AppData\Roaming\Mozilla\Firefox\Profiles\csx97i5m.default\searchplugins\icqplugin.xml
[2011.11.10 17:26:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011.12.09 15:26:52 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 &lt;video&gt;) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
[2012.01.25 16:13:46 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.09.22 22:24:26 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011.10.02 08:31:06 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011.10.02 08:31:06 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.10.02 08:31:06 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011.10.02 08:31:06 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.10.02 08:31:06 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011.10.02 08:31:06 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
 
O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Vodafone\PC Protection\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll (Yontoo LLC)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Vodafone\PC Protection\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {872B5B88-9DB5-4310-BDD0-AC189557E5F5} - No CLSID value found.
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\Vodafone\PC Protection\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\Vodafone\PC Protection\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)
O4 - HKCU..\Run: [Firefox helper] C:\Users\***\AppData\Local\Mozilla\Firefox\firefox.exe File not found
O4 - HKCU..\Run: [ICQ] "C:\Program Files\ICQ7.2\ICQ.exe" silent loginmode=4 File not found
O4 - HKCU..\Run: [Mozilla client] C:\Users\***\AppData\Local\Mozilla\Firefox\firefox.exe File not found
O4 - HKCU..\Run: [Userinit] C:\Users\***\AppData\Roaming\appconf32.exe ()
O4 - HKCU..\Run: [vasja] C:\Users\***\AppData\Local\Temp\0.23535058900445038.exe (Orb Networks)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Vodafone\PC Protection\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6432BB28-6AEB-4496-A461-D9B2B06B818E}: DhcpNameServer = 139.7.30.126 139.7.30.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6CB44DBC-6166-496D-B83D-F8183DC7BE4B}: NameServer = 139.7.30.126 139.7.30.125
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{02ecf432-d63e-11df-b150-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{02ecf432-d63e-11df-b150-506313bbde78}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{0711cbb3-b132-11df-9014-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{0711cbb3-b132-11df-9014-506313bbde78}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{0711cbb5-b132-11df-9014-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{0711cbb5-b132-11df-9014-506313bbde78}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{396aa6c6-0855-11e0-a617-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{396aa6c6-0855-11e0-a617-506313bbde78}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{396aa704-0855-11e0-a617-001e101f57d0}\Shell - "" = AutoRun
O33 - MountPoints2\{396aa704-0855-11e0-a617-001e101f57d0}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{4462ef78-e75f-11df-ad14-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{4462ef78-e75f-11df-ad14-506313bbde78}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{4462ef7a-e75f-11df-ad14-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{4462ef7a-e75f-11df-ad14-506313bbde78}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{4462ef8f-e75f-11df-ad14-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{4462ef8f-e75f-11df-ad14-506313bbde78}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{60995e36-7c70-11e0-a991-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{60995e36-7c70-11e0-a991-506313bbde78}\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{b0130370-d17f-11df-9df2-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{b0130370-d17f-11df-9df2-506313bbde78}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{d1df96be-1cf4-11e0-accf-506313bbde78}\Shell - "" = AutoRun
O33 - MountPoints2\{d1df96be-1cf4-11e0-accf-506313bbde78}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{d80928b3-d183-11df-b0a7-002454753268}\Shell - "" = AutoRun
O33 - MountPoints2\{d80928b3-d183-11df-b0a7-002454753268}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{d80928b6-d183-11df-b0a7-002454753268}\Shell - "" = AutoRun
O33 - MountPoints2\{d80928b6-d183-11df-b0a7-002454753268}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{e3a25d6f-d180-11df-9d29-002454753268}\Shell - "" = AutoRun
O33 - MountPoints2\{e3a25d6f-d180-11df-9d29-002454753268}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{e3a25d97-d180-11df-9d29-002454753268}\Shell - "" = AutoRun
O33 - MountPoints2\{e3a25d97-d180-11df-9d29-002454753268}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\setup_vmc_lite.exe /checkApplicationPresence
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012.02.01 15:38:07 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2012.01.17 14:07:00 | 000,000,000 | ---D | C] -- C:\Users\***\Desktop\50 er jahre
[2012.01.02 22:42:13 | 000,000,000 | ---D | C] -- C:\f9788601990740a36fc1
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2012.02.01 15:37:39 | 000,720,642 | ---- | M] () -- C:\windows\System32\perfh007.dat
[2012.02.01 15:37:39 | 000,672,262 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012.02.01 15:37:39 | 000,157,784 | ---- | M] () -- C:\windows\System32\perfc007.dat
[2012.02.01 15:37:39 | 000,128,170 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012.02.01 15:22:24 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\***\Desktop\OTL.exe
[2012.02.01 14:56:36 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012.02.01 14:56:32 | 1062,518,784 | -HS- | M] () -- C:\hiberfil.sys
[2012.02.01 14:48:57 | 000,016,384 | ---- | M] () -- C:\windows\System32\Ikeext.etl
[2012.02.01 10:52:09 | 000,010,272 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012.02.01 10:52:09 | 000,010,272 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012.02.01 00:51:31 | 000,017,277 | ---- | M] () -- C:\Users\***\Desktop\310252_225960787471369_100001723479431_575446_1000299521_n.jpg
[2012.02.01 00:50:39 | 000,008,915 | ---- | M] () -- C:\Users\***\Desktop\310731_225961207471327_100001723479431_575447_1137707446_n.jpg
[2012.02.01 00:50:06 | 000,011,196 | ---- | M] () -- C:\Users\***\Desktop\375243_226417044092410_676869320_n.jpg
[2012.02.01 00:48:58 | 000,016,981 | ---- | M] () -- C:\Users\***\Desktop\390065_226574287410019_100001723479431_577013_1456532536_n.jpg
[2012.02.01 00:47:45 | 000,015,978 | ---- | M] () -- C:\Users\***\Desktop\385950_225544207513027_100001723479431_574230_1551139175_n.jpg
[2012.01.28 19:18:47 | 000,007,801 | ---- | M] () -- C:\Users\***\Desktop\1-full.jpg
[2012.01.21 21:53:17 | 000,114,658 | ---- | M] () -- C:\Users\***\Desktop\l11.jpg
[2012.01.21 21:32:59 | 000,029,271 | ---- | M] () -- C:\Users\***\Desktop\l18.jpg
[2012.01.21 21:30:43 | 000,042,570 | ---- | M] () -- C:\Users\***\Desktop\l15.jpg
[2012.01.21 21:30:07 | 000,045,624 | ---- | M] () -- C:\Users\***\Desktop\l13.jpg
[2012.01.08 10:36:21 | 000,000,013 | ---- | M] () -- C:\Users\***\AppData\Roaming\urhtps.dat
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012.02.01 00:51:30 | 000,017,277 | ---- | C] () -- C:\Users\***\Desktop\310252_225960787471369_100001723479431_575446_1000299521_n.jpg
[2012.02.01 00:50:37 | 000,008,915 | ---- | C] () -- C:\Users\***\Desktop\310731_225961207471327_100001723479431_575447_1137707446_n.jpg
[2012.02.01 00:50:05 | 000,011,196 | ---- | C] () -- C:\Users\***\Desktop\375243_226417044092410_676869320_n.jpg
[2012.02.01 00:48:55 | 000,016,981 | ---- | C] () -- C:\Users\***\Desktop\390065_226574287410019_100001723479431_577013_1456532536_n.jpg
[2012.02.01 00:47:33 | 000,015,978 | ---- | C] () -- C:\Users\***\Desktop\385950_225544207513027_100001723479431_574230_1551139175_n.jpg
[2012.01.28 19:18:36 | 000,007,801 | ---- | C] () -- C:\Users\***\Desktop\1-full.jpg
[2012.01.21 21:32:56 | 000,029,271 | ---- | C] () -- C:\Users\***\Desktop\l18.jpg
[2012.01.21 21:30:40 | 000,042,570 | ---- | C] () -- C:\Users\***\Desktop\l15.jpg
[2012.01.21 21:30:06 | 000,045,624 | ---- | C] () -- C:\Users\***\Desktop\l13.jpg
[2012.01.21 21:29:32 | 000,114,658 | ---- | C] () -- C:\Users\***\Desktop\l11.jpg
[2012.01.08 10:36:21 | 000,000,013 | ---- | C] () -- C:\Users\***\AppData\Roaming\urhtps.dat
[2011.10.10 21:02:32 | 000,000,000 | ---- | C] () -- C:\Users\***\AppData\Local\{9CD06E4E-6CF2-4EC8-B2EC-5F20E0797DDC}
[2010.04.03 07:16:38 | 000,042,672 | ---- | C] () -- C:\windows\System32\drivers\fsbts.sys
[2010.03.30 01:08:42 | 000,295,922 | ---- | C] () -- C:\windows\System32\perfi007.dat
[2010.03.30 01:08:41 | 000,720,642 | ---- | C] () -- C:\windows\System32\perfh007.dat
[2010.03.30 01:08:41 | 000,157,784 | ---- | C] () -- C:\windows\System32\perfc007.dat
[2010.03.30 01:08:41 | 000,038,104 | ---- | C] () -- C:\windows\System32\perfd007.dat
[2010.03.29 08:49:42 | 000,000,455 | ---- | C] () -- C:\windows\HotFixList.ini
[2010.03.29 08:36:09 | 000,311,296 | ---- | C] () -- C:\windows\System32\Rezip.exe
[2009.07.14 05:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009.07.14 05:33:53 | 000,403,712 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2009.07.14 03:05:48 | 000,672,262 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2009.07.14 03:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2009.07.14 03:05:48 | 000,128,170 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2009.07.14 03:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2009.07.14 03:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT
[2009.07.14 03:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat
[2009.07.14 00:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009.07.14 00:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009.07.14 00:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2009.07.13 23:09:19 | 000,982,196 | ---- | C] () -- C:\windows\System32\igkrng500.bin
[2009.07.13 23:09:19 | 000,417,344 | ---- | C] () -- C:\windows\System32\igcompkrng500.bin
[2009.07.13 23:09:19 | 000,139,824 | ---- | C] () -- C:\windows\System32\igfcg500.bin
[2009.07.13 23:09:19 | 000,097,448 | ---- | C] () -- C:\windows\System32\igfcg500m.bin
[2009.06.10 22:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
[2009.04.09 13:44:42 | 000,108,066 | R--- | C] () -- C:\ProgramData\DeviceManager.xml.rc4
[2008.12.09 16:23:13 | 000,052,784 | RHS- | C] () -- C:\Users\***\AppData\Roaming\appconf32.exe
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:6DA3BBF2

< End of report >
--- --- ---

markusg 01.02.2012 16:20
hi
ersetze im script *** durch nutzernamen, sonst geht es nicht


dieses script sowie evtl. folgende scripts sind nur für den jeweiligen user.
wenn ihr probleme habt, eröffnet eigene topics und wartet auf, für euch angepasste scripts.


• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.



Code:
:OTL
O4 - HKCU..\Run: [Firefox helper] C:\Users\***\AppData\Local\Mozilla\Firefox\firefox.exe File not found
O4 - HKCU..\Run: [ICQ] "C:\Program Files\ICQ7.2\ICQ.exe" silent loginmode=4 File not found
O4 - HKCU..\Run: [Mozilla client] C:\Users\***\AppData\Local\Mozilla\Firefox\firefox.exe File not found
O4 - HKCU..\Run: [Userinit] C:\Users\***\AppData\Roaming\appconf32.exe ()
O4 - HKCU..\Run: [vasja] C:\Users\***\AppData\Local\Temp\0.23535058900445038.exe (Orb Networks)
 :Files
C:\Users\***\AppData\Local\Temp\0.23535058900445038.exe
C:\Users\***\AppData\Roaming\appconf32.exe
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[Reboot]


• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.
starte in den normalen modus.

falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden

Drücke bitte die http://larusso.trojaner-board.de/Images/windows.jpg + E Taste.
  • Öffne dein Systemlaufwerk ( meistens C: )
  • Suche nun
    folgenden Ordner: _OTL und öffne diesen.
  • Mache einen Rechtsklick auf den Ordner Movedfiles --> Senden an --> Zip-Komprimierter Ordner

  • Dies wird eine Movedfiles.zip Datei in _OTL erstellen
  • Lade diese bitte in unseren Uploadchannel
    hoch. ( Durchsuchen --> C:\_OTL\Movedfiles.zip )
Teile mir mit ob der Upload problemlos geklappt hat. Danke im voraus :)

sternchendan 01.02.2012 16:39
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Firefox helper deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ICQ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Mozilla client deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Userinit deleted successfully.
C:\Users\Dana\AppData\Roaming\appconf32.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\vasja deleted successfully.
C:\Users\Dana\AppData\Local\Temp\0.23535058900445038.exe moved successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Dana
->Flash cache emptied: 155501861 bytes

User: Default

User: Default User

User: Gast

User: Public

Total Flash Files Cleaned = 148,00 mb


[EMPTYTEMP]

User: All Users

User: Dana
->Temp folder emptied: 7309328 bytes
->Java cache emptied: 381937 bytes
->FireFox cache emptied: 91040208 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes

User: Gast

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7814856 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 102,00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 02012012_162819

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

sternchendan 01.02.2012 16:40
und was mach ich nun?

markusg 01.02.2012 16:42
wie wäre es zum beispiel, wenn du bis zum ende alle anweisungen durcharbeiten würdest, wo ist denn der upload um den ich gebeten habe?

sternchendan 01.02.2012 16:43
vom infizierten rechner den upload machen?

sternchendan 01.02.2012 16:54
vorgang wurde erfolgreich abgeschlossen

markusg 01.02.2012 16:55
hatt geklappt, danke.
nutzt du das system für onlinebanking, einkäufe, sonstige zahlungsabwicklungen oder ähnlich wichtiges, wie zb berufliches?

sternchendan 01.02.2012 16:56
1000 dank von 2 blonden mädels :-)

sternchendan 01.02.2012 16:57
ja... nun bestimmt alle passwörter ändern ne?

markusg 01.02.2012 16:57
bitte umgehend die bank anrufen, onlinebanking muss aufgrund des trojan.banker gesperrt werden.
der pc muss neu aufgesetzt und dann abgesichert werden
1. Datenrettung:2. Formatieren, Windows neuinstallieren:3. PC absichern: http://www.trojaner-board.de/96344-a...-rechners.html
4. alle Passwörter ändern!
5. nach PC Absicherung, die gesicherten Daten prüfen und falls sauber: zurückspielen.
6. werde ich dann noch was zum absichern von Onlinebanking mit Chip Card Reader + Star Money sagen.

sternchendan 01.02.2012 17:00
sch.... aber ich hab doch ein netbook und keine externen geräte wie rom laufwerk, wie mach ichs denn da?

markusg 01.02.2012 17:01
hi, da gibts ne recovery funktion, aber wie gesagt, jetzt erst mal die bank anrufen, falls sie zu hatt, probiere es über:
116 116
dann musst du deine daten sichern, vorher autorun deaktivieren und dann sagst du mir wie dein netbook heißt, hersteller und gerätebezeichnung


Alle Zeitangaben in WEZ +1. Es ist jetzt 10:45 Uhr.
Seite 1 von 3 1 23
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2024, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129