HILFE!!! XP - Verschlüsselungstrojaner eingefangen

**Silvi** · 28.04.2012, 15:20

Hallo, auch ich gehöre zu den "Geschädigten", habe mir ebenfalls so einen Windows-Verschüsselungstrojaner eigefangen. Kann nicht sagen, welche Variante meiner ist, da keins der Abbilder zutrifft. Ich arbeite mit Windows XP Professional SP3. Was ich aber sagen kann, ist, dass an meinem Laptop nichts mehr geht. Kein abgesicherter Modus, in keiner Variante (mit oder ohne Eigabeaufforderung, Debugmodus oder sonst irgendeiner.) Ich kann nur ganz normal starten, wobei dann sofort das Bild mit der UKash-Zahlungsaufforderung erscheint. Danach kann ich nichts mehr machen, keine Taste reagiert, nicht mal ausschalten geht. In meiner Verzweiflung stieß ich auf die Kaspersky Rescue-CD, aber die hing sich immer während des Vorgangs auf. Ich habe mehrfach verschiedene Versuche mit der CD unternommen, aber das Ergebnis blieb immer dasselbe. Sie lief nie bis zum Ende (booten) durch.
Nun habe ich hier einige Threads gelesen, in der Hoffnung, dass mir jemand weiter helfen kann, und das OTL heruntergeladen und schon mal den Scan gemacht. Gott sei Dank hat mein Mann auch einen Laptop

Ich möchte die Daten gern hier einstellen zur Prüfung, aber mein Mann hat Angst, dass sich sein Rechner auch infiziert, wenn ich die "Extras.txt und OTL.txt-Dateien" von meinem Rechner auf den USB kopiere und den in seinen Rechner stecke um die Dateien in den Thread zu laden. Kann das tatsächlich passieren? Besteht die Gefahr einer Übertragung durch den USB Stick?
Vielen Dank im Voraus, ich hoffe, es kann mir jemand helfen.
Gruß Silvi

**john.doe** · 28.04.2012, 16:35

Hallo Silvi und

und das OTL heruntergeladen und schon mal den Scan gemacht

Damit kommen wir weiter.

wenn ich die "Extras.txt und OTL.txt-Dateien" von meinem Rechner auf den USB kopiere und den in seinen Rechner stecke

Mit den Dateien garantiert nicht. Sollte aber auf deinem Rechner auch ein anderer Schaedling sein, der sich ueber autorun.inf verbreitet, dann besteht sehr wohl die Gefahr einer "Ansteckung".

Die kann vermieden werden, wenn beim Anstecken des Sticks die [Umschalt]-Taste gedrueckt und festgehalten wird (ca. 5 Sekunden).

ciao, andreas

**Silvi** · 28.04.2012, 18:16

Hallo Andreas,
erst mal vielen vielen Dank, dass du so schnell schon geantwortet hast. Hier erst mal die Scandateien zum "Anguggen" was bei mir passiert ist.
Ich hoffe du kannst was finden und mir keine sooooo schlechten Nachrichten überbringen.

Gruß Silvi

P.S: Irgendwie klappt das nicht mit dem Hochladen der beiden Dateien als Anhänge - gibt immer rotes "!" mit Fehlermeldung. Daher konnte ich sie nachstehend nur aus dem Editor kopieren - ich hoffe das passt trotzdem so.

Hier die Extras.txt:

OTL Extras logfile created on: 4/28/2012 4:09:45 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 3058 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 117.19 Gb Total Space | 94.77 Gb Free Space | 80.87% Space Free | Partition Type: NTFS
Drive D: | 115.69 Gb Total Space | 115.04 Gb Free Space | 99.44% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet002

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows-Remoteverwaltung
"80:TCP" = 80:TCP:*:Disabled:Windows-Remoteverwaltung - Kompatibilitätsmodus (HTTP eingehend)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\FileZilla FTP Client\filezilla.exe" = C:\Programme\FileZilla FTP Client\filezilla.exe:*:Enabled:FileZilla FTP Client -- (FileZilla Project)
"C:\WINDOWS\system32\muzapp.exe" = C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player -- (Musiccity Co.Ltd.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 F1
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4393DE35-AD67-4F37-95E4-30F06EA0FDB2}" = Adobe Creative Suite 3 Design Premium
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AA5B8A5-BEEF-4AD8-B11D-4443A042EA4F}" = Adobe Dreamweaver CS3
"{50779A29-834E-4E36-BBEB-B7CABC67A825}" = Microsoft Security Client DE-DE Language Pack
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{5518E08A-2053-4A3E-85B2-F912D4666C9F}" = Adobe Setup
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5B4383F2-37EE-4E97-AD81-F5FF76F286DA}" = OutlookAddInNet3Setup
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{73B5D990-04EA-4751-B10F-5534770B91F2}" = Adobe Color EU Recommended Settings
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8C640345-AF96-4ABA-A697-97D2A0B8C6DB}" = Adobe Flash CS3
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98EFD8F0-08DE-48DB-B922-A2EBAB711031}" = Nero 7 Premium
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.3) - Deutsch
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2C284D2-6BD7-3B34-B0C5-B2CAED168DF7}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DEU
"{C314CE45-3392-3B73-B4E1-139CD41CA933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DEU
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9041ED-60C9-36ED-9DB9-F55AAD993865}" = Visual C++ 9.0 ATL (x86) WinSXS MSM
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3C605D8-3A5E-4BAD-965D-2C61441BF2AC}" = Adobe Photoshop CS3
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7382773-CBE8-33A9-862E-C2337CD0F359}" = Visual C++ 9.0 ATL (x86) WinSXS MSM
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}" = Adobe Color NA Extra Settings
"7-Zip" = 7-Zip 9.20
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8.3.1 Professional
"Adobe Acrobat 8 Professional - English, Français, Deutsch_831" = Adobe Acrobat 8.3.1 - CPSID_83708
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe_061850775b1c6d22bf2a145678e05e0" = Adobe Creative Suite 3 Design Premium hinzufügen oder entfernen
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"CCleaner" = CCleaner
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_SprtHD5m" = HDAUDIO Soft Data Fax Modem with SmartCP
"FileZilla Client" = FileZilla Client 3.5.3
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"MAGIX Foto Clinic 4.5 D" = MAGIX Foto Clinic 4.5 (D)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 11.0 (x86 de)" = Mozilla Firefox 11.0 (x86 de)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Pop-Up Menu Creator5.5" = Pop-Up Menu Creator
"PROSet" = Intel(R) Network Connections Drivers
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.1.11
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

< End of report >

und hier die OTL.txt

OTL logfile created on: 4/28/2012 4:09:45 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 3058 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 117.19 Gb Total Space | 94.77 Gb Free Space | 80.87% Space Free | Partition Type: NTFS
Drive D: | 115.69 Gb Total Space | 115.04 Gb Free Space | 99.44% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - [2012/04/14 04:01:26 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2011/04/27 09:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Programme\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/01/21 10:29:03 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/09/06 03:11:32 | 000,217,088 | ---- | M] (Teruten) [Auto] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008/01/22 06:13:26 | 000,275,752 | ---- | M] (Nero AG) [On_Demand] -- C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2003/07/28 07:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/06/19 18:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (UIUSys)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- -- (dtwmnic5)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2011/07/20 03:45:52 | 000,136,808 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2011/07/20 03:45:52 | 000,121,064 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2011/07/20 03:45:52 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2011/06/07 05:13:36 | 000,020,032 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dgderdrv.sys -- (dgderdrv)
DRV - [2010/09/06 03:11:32 | 000,036,640 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2008/11/17 10:23:16 | 003,636,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2008/04/28 10:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 19:23:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/06/18 12:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/02/12 15:56:44 | 000,625,664 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/12/20 18:56:44 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/20 18:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/20 18:55:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\*****_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sv-obergriesbach.de/
IE - HKU\*****_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\*****_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Programme\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Programme\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Programme\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Programme\Mozilla Firefox\components [2012/03/18 04:44:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2012/04/13 02:50:55 | 000,000,000 | ---D | M]

[2012/03/19 07:39:44 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2011/01/21 15:50:55 | 000,000,000 | ---D | M] (Win32+64) -- C:\Programme\Mozilla Firefox\extensions\win32-64@anonymous.org
[2012/03/18 04:44:23 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Programme\mozilla firefox\components\browsercomps.dll
[2012/02/27 04:26:42 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/27 04:24:48 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012/02/27 04:24:48 | 000,002,252 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\bing.xml
[2012/02/27 04:24:48 | 000,001,153 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2012/02/27 04:24:48 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2012/02/27 04:24:48 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2012/02/27 04:24:48 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Facebook Connect) - {11DCAFD6-DDBA-4ADA-998B-996B7B691AE0} - C:\Dokumente und Einstellungen\*****\Anwendungsdaten\FBConnect\IE\FBConnect.dll (Facebook Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\******_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSC] C:\Programme\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Programme\Gemeinsame Dateien\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\*****_ON_C..\Run: [ECF73699] C:\WINDOWS\system32\A0D8512AECF736992381.exe (Tastiera penna)
O4 - HKU\*****_ON_C..\Run: [KiesHelper] C:\Programme\Samsung\Kies\KiesHelper.exe (Samsung)
O4 - HKU\*****_ON_C..\Run: [KiesPDLR] C:\Programme\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
O4 - HKU\*****_ON_C..\Run: [KiesTrayAgent] C:\Programme\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\*****_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\*****_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\*****_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/micr...?1295611905359 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_31)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\A0D8512AECF736992381.exe) - C:\WINDOWS\system32\A0D8512AECF736992381.exe (Tastiera penna)
O27 - HKLM IFEO\msconfig.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\regedit.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/01/20 13:47:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/27 14:53:33 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2012/04/26 04:31:49 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\*****\Recent
[2012/04/26 03:00:16 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Rnenprqatk
[2012/04/26 02:59:54 | 000,061,440 | -H-- | C] (Tastiera penna) -- C:\WINDOWS\System32\A0D8512AECF736992381.exe
[2012/04/24 03:13:16 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Microsoft Office Live Add-in
[2012/04/24 03:13:16 | 000,000,000 | ---D | C] -- C:\Programme\Microsoft
[2012/04/14 04:01:26 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\LocalService\IETldCache
[2012/04/05 02:35:29 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2011/07/24 06:26:17 | 000,587,249 | ---- | C] (MAGIX AG) -- C:\Programme\addoninstall.exe
[2011/07/24 06:26:17 | 000,431,376 | ---- | C] (Microsoft Corporation) -- C:\Programme\riched20.dll
[2011/07/24 06:26:17 | 000,315,392 | ---- | C] (MAGIX AG) -- C:\Programme\eModeUpgradeDlg.dll
[2011/07/24 06:26:17 | 000,024,576 | ---- | C] (Magix AG) -- C:\Programme\Validation.exe
[2011/07/24 06:26:16 | 000,176,128 | ---- | C] (MAGIX AG) -- C:\Programme\unwise.exe
[2011/07/24 06:26:15 | 000,184,320 | ---- | C] (MAGIX AG) -- C:\Programme\instslct.exe
[2011/07/24 06:26:15 | 000,081,920 | ---- | C] (MAGIX AG) -- C:\Programme\unwise.adf
[2011/07/24 06:26:11 | 001,326,080 | ---- | C] (Borland Software Corporation) -- C:\Programme\vcl60.bpl
[2011/07/24 06:26:11 | 000,685,056 | ---- | C] (Borland Software Corporation) -- C:\Programme\rtl60.bpl
[2011/07/24 06:26:10 | 002,442,752 | ---- | C] (MAGIX) -- C:\Programme\FotoClinic.exe
[2011/07/24 06:26:10 | 001,500,160 | ---- | C] (Borland Corporation) -- C:\Programme\cc3260mt.dll
[2011/07/24 06:26:10 | 000,022,016 | ---- | C] (Borland Software Corporation) -- C:\Programme\borlndmm.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/28 07:29:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/28 07:29:16 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/28 07:29:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/28 07:29:02 | 2138,492,928 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/28 07:26:13 | 001,632,520 | ---- | M] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
[2012/04/27 03:01:16 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/26 12:38:10 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh325
[2012/04/26 12:37:48 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh324
[2012/04/26 12:36:46 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh323
[2012/04/26 12:34:58 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh322
[2012/04/26 12:33:28 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh321
[2012/04/26 12:32:36 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh320
[2012/04/26 04:28:02 | 000,002,625 | ---- | M] () -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Outlook.lnk
[2012/04/26 02:59:54 | 000,061,440 | -H-- | M] (Tastiera penna) -- C:\WINDOWS\System32\A0D8512AECF736992381.exe
[2012/04/24 03:13:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Microsoft Office Live Add-in
[2012/04/19 04:16:39 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/04/19 04:16:38 | 000,011,776 | -H-- | M] () -- C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/14 04:01:26 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/14 04:01:25 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/13 03:06:35 | 000,452,956 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2012/04/13 03:06:35 | 000,436,080 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/13 03:06:35 | 000,081,992 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2012/04/13 03:06:35 | 000,068,976 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/13 02:50:55 | 000,002,347 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Adobe Reader X.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/27 02:03:38 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh325
[2012/04/27 02:03:38 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh324
[2012/04/27 02:03:38 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh323
[2012/04/27 02:03:38 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh322
[2012/04/27 02:03:38 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh321
[2012/04/27 02:03:38 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh320
[2012/04/05 02:35:30 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/02/16 03:10:59 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/10/13 05:36:48 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/27 13:46:10 | 000,372,560 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\WPFFontCache_v0400-S-1-5-21-484763869-436374069-839522115-1003-0.dat
[2011/09/27 13:46:10 | 000,336,154 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\WPFFontCache_v0400-System.dat
[2011/07/26 09:32:17 | 000,031,470 | -H-- | C] () -- C:\Programme\pa.GID
[2011/07/24 06:26:31 | 000,002,364 | ---- | C] () -- C:\Programme\FotoClinic.ini
[2011/07/24 06:26:23 | 000,001,138 | ---- | C] () -- C:\Programme\Install.cfg
[2011/07/24 06:26:17 | 000,032,768 | ---- | C] () -- C:\Programme\MagixUpdater.exe
[2011/07/24 06:26:17 | 000,000,140 | ---- | C] () -- C:\Programme\Validation.ini
[2011/07/24 06:26:16 | 000,786,305 | ---- | C] () -- C:\Programme\MAGIX Creation Logo.pdf
[2011/07/24 06:26:16 | 000,016,460 | ---- | C] () -- C:\Programme\support.rtf
[2011/07/24 06:26:16 | 000,014,810 | ---- | C] () -- C:\Programme\order.rtf
[2011/07/24 06:26:16 | 000,006,034 | ---- | C] () -- C:\Programme\uninstall.ini
[2011/07/24 06:26:16 | 000,002,757 | ---- | C] () -- C:\Programme\register.rtf
[2011/07/24 06:26:16 | 000,000,723 | ---- | C] () -- C:\Programme\unwise.ini
[2011/07/24 06:26:15 | 000,129,024 | ---- | C] () -- C:\Programme\uninstall.exe
[2011/07/24 06:26:15 | 000,002,885 | ---- | C] () -- C:\Programme\e-mode.ini
[2011/07/24 06:26:11 | 000,618,496 | ---- | C] () -- C:\Programme\stlpmt45.dll
[2011/07/24 06:26:11 | 000,240,128 | ---- | C] () -- C:\Programme\pcomponents.bpl
[2011/07/24 06:26:11 | 000,139,264 | ---- | C] () -- C:\Programme\UpgradeInfo.exe
[2011/07/24 06:26:11 | 000,100,352 | ---- | C] () -- C:\Programme\libpng.dll
[2011/07/24 06:26:11 | 000,055,296 | ---- | C] () -- C:\Programme\palng.dll
[2011/07/24 06:26:11 | 000,046,080 | ---- | C] () -- C:\Programme\zlib.dll
[2011/07/24 06:26:11 | 000,018,432 | ---- | C] () -- C:\Programme\ps8bf.dll
[2011/07/24 06:26:10 | 000,028,672 | ---- | C] () -- C:\Programme\explore.exe
[2011/07/24 06:26:10 | 000,004,716 | ---- | C] () -- C:\Programme\e-mode-upgradedlg-exit.rtf
[2011/07/24 06:26:10 | 000,004,694 | ---- | C] () -- C:\Programme\e-mode-upgradedialog.rtf
[2011/07/24 06:25:13 | 000,006,537 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2011/07/15 07:16:36 | 001,632,520 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
[2011/07/15 01:10:55 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2011/07/15 01:10:55 | 000,036,640 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2011/06/07 05:13:38 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/06/07 05:13:38 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/06/07 05:13:38 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/06/07 05:13:38 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2011/06/07 05:13:38 | 000,030,568 | ---- | C] () -- C:\WINDOWS\MusiccityDownload.exe
[2011/02/15 13:47:58 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2011/01/25 07:36:27 | 000,000,149 | ---- | C] () -- C:\Dokumente und Einstellungen\*****\default.pls
[2011/01/25 07:35:42 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/01/25 07:30:58 | 000,011,776 | -H-- | C] () -- C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/25 06:25:11 | 000,000,026 | ---- | C] () -- C:\WINDOWS\HNetCtrl.INI
[2011/01/25 06:18:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/01/25 06:02:57 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WINPHONE.INI
[2011/01/20 16:06:27 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2011/01/20 15:25:36 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/01/20 14:45:55 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4859.dll
[2011/01/20 13:49:45 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/01/20 13:44:14 | 000,021,740 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/01/20 13:38:22 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/01/20 13:37:13 | 001,551,880 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,452,956 | ---- | C] () -- C:\WINDOWS\System32\perfh007.dat
[2004/08/04 08:00:00 | 000,436,080 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,269,480 | ---- | C] () -- C:\WINDOWS\System32\perfi007.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,081,992 | ---- | C] () -- C:\WINDOWS\System32\perfc007.dat
[2004/08/04 08:00:00 | 000,068,976 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,034,478 | ---- | C] () -- C:\WINDOWS\System32\perfd007.dat
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/02/20 12:53:42 | 000,005,702 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/01/21 15:50:55 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\FBConnect
[2012/04/26 04:26:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\FileZilla
[2011/07/26 08:19:51 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Pop-Up Menu Creator
[2012/04/26 03:00:16 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Rnenprqatk
[2011/07/15 01:14:27 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Samsung
[2011/05/14 06:17:06 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\T-Online
[2011/12/18 09:38:34 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Temp
[2011/07/15 01:14:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Samsung
[2011/05/14 06:15:51 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-Online
[2011/08/31 13:19:53 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}(2)
[2011/04/26 09:26:17 | 000,000,112 | ---- | M] () -- C:\WINDOWS\Tasks\Low Battery Alarm Program.job

========== Purity Check ==========

< End of report >

**john.doe** · 28.04.2012, 18:54

1.) Fixen mit OTLpe

Starte den unbootbaren Computer erneut mit der OTLPE-CD,
warte bis der Reatogo-X-Pe-Desktop erscheint und doppelklicke das OTLPE-Icon.

Kopiere folgendes Skript in das Textfeld unterhalb von Custom Scans/Fixes:
Sollte das mangels Internet-Verbindung nicht möglich sein,
kopiere den Text aus der folgenden Code-Box und speichere ihn als Fix.txt auf einen USB-Stick.
Schließe den USB-Stick an den Computer an und öffne Fix.txt mit dem Explorer auf dem Reatogo-Desktop.
Kopiere den Inhalt von Fix.txt in das Textfeld unterhalb von Custom Scans/Fixes:

***** durch Anmeldename ersetzen!

Code:

:OTL
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKU\*****_ON_C..\Run: [ECF73699] C:\WINDOWS\system32\A0D8512AECF736992381.exe (Tastiera penna)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
 O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
 O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
 O7 - HKU\*****_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
 O7 - HKU\*****_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
 O7 - HKU\*****_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\A0D8512AECF736992381.exe) - C:\WINDOWS\system32\A0D8512AECF736992381.exe (Tastiera penna)
 O27 - HKLM IFEO\msconfig.exe: Debugger - P9KDMF.EXE File not found
 O27 - HKLM IFEO\regedit.exe: Debugger - P9KDMF.EXE File not found
 O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
 O32 - HKLM CDRom: AutoRun - 1

:Files
C:\WINDOWS\system32\A0D8512AECF736992381.exe
C:\RECYCLER.*
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Rnenprqatk
C:\WINDOWS\System32\winsh32?

:Commands
[emptytemp]

Schließe alle Programme.
Klicke auf den Fix Button.
Klick auf .
Kopiere den Inhalt hier in Code-Tags in Deinen Thread.
Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

2.) Neustarten, CD raus und berichten, ob sich der Rechner wieder "normal" starten laesst.

ciao, andreas

**Silvi** · 28.04.2012, 21:58

Hallo Andreas,
1. habe "gefixt" und das ist das Ergebnis:

Code:

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_USERS\ArethaFranklin_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\ECF73699 deleted successfully.
C:\WINDOWS\system32\A0D8512AECF736992381.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegedit deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_USERS\ArethaFranklin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_USERS\ArethaFranklin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_USERS\ArethaFranklin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegedit deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\A0D8512AECF736992381.exe deleted successfully.
File C:\WINDOWS\system32\A0D8512AECF736992381.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
========== FILES ==========
File\Folder C:\WINDOWS\system32\A0D8512AECF736992381.exe not found.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc501 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc484 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc483 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc482 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc481 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc480\9482F4B4-E343-43B6-B170-9A65BC822C77 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc480\7971F918-A847-4430-9279-4A52D1EFE18D folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc480 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc479 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc478 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\Install folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\fa3616be5aef51c5afa4f903f59d59d4 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\f8e5b85e759db8d33a682de93dab7d15 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\f86476030c128b80d7d10a4009a41702 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\f10260c6affc20427498eb9420688c4e folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\e3a0ab9bbcc9e88c6d55aa55ced6c0f1 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\b95ce70b2876884aa680fb29449c88f8 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\b79e78f1540bef723b017cc8f023026d folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\9f7a51baff1b338ee54334bd918723e6 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\810d6bd82a7998224a2d12063b8b968f\update folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\810d6bd82a7998224a2d12063b8b968f folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\7ca582372067ce17a1dac51f1d6b6712 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\416bf76f412f479f57ace38837136920 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477\21066b9ccd83f1b5e69be4eaa2b537c7 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc477 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc476\7971f918-a847-4430-9279-4a52d1efe18d folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc476 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc475\Registered folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc475\Default folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc475 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc474 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc473\de folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc473 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1562.log folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1561.log folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1560.log folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1550.log folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1548.log folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1348 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1311 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1310 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1289\Client folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1289 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1285 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1265.4322 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1264.3705 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1254 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1218 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1157.Aindling-erst-im-Finale-geschlagen-id5084611-Dateien folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1141 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1110 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1109\show_data_002 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1109\show_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1109\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1109 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1107\show_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1107\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1107 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1104\show_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1104\request_data\imp_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1104\request_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1104\iframe_975_data\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1104\iframe_975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1104 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1102\show_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1102\iframe_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1102\977_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1102\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1102 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1100\show_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1100\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1100 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1098\iframe_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1098\977_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1098\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1098\2229_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1098 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1096\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1096 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1094\977_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1094\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1094\2229_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1094 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1092\977_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1092\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1092 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1090\show_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1090\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1090\2229_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1090 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1088\iframe_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1088\977_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1088\975_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1088\2229_data folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003\Dc1088 folder moved successfully.
C:\RECYCLER\S-1-5-21-484763869-436374069-839522115-1003 folder moved successfully.
C:\RECYCLER folder moved successfully.
C:\Dokumente und Einstellungen\ArethaFranklin\Anwendungsdaten\Rnenprqatk folder moved successfully.
C:\WINDOWS\System32\winsh320 moved successfully.
C:\WINDOWS\System32\winsh321 moved successfully.
C:\WINDOWS\System32\winsh322 moved successfully.
C:\WINDOWS\System32\winsh323 moved successfully.
C:\WINDOWS\System32\winsh324 moved successfully.
C:\WINDOWS\System32\winsh325 moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 1536766 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: ArethaFranklin
->Temp folder emptied: 940253 bytes
->Temporary Internet Files folder emptied: 1508442 bytes
->Java cache emptied: 82310 bytes
->FireFox cache emptied: 49485450 bytes
->Flash cache emptied: 14354 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2134333 bytes
%systemroot%\System32 .tmp files removed: 150407 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4868145 bytes
 
Total Files Cleaned = 58.00 mb
 
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 04282012_223441

2. Habe den Laptop runtergefahren und neu gestartet (ohne CD). Es hat sich leider nichts geändert, außer einer neu hinzugekommenen Fehlermeldung.

Schicke dir mal das Bild von dem UKash-Trojaner:

Mist, geht schon wieder nicht.... - wenn ich das jpg auswähle und hochladen will, erscheint folgende Fehlermeldung (wie vorher bei den txt Anhängen)
[IO ErrorEvent type="ioError"=false cancelable=false event Phase=2 text="Error#2038"]
Wie kann ich dir den Screenshot zukommen lassen???? Einfaches copy&paste ging auch nicht.
OK, dann schreibe ich dir die "neue" Fehlermeldung:
jusched.exe Datei beschädigt
Exception Processing Message C0000102 Parameters 75b0bf7c 75b0bf7c 75b0bf7c 75b0bf7c
ok
3. nachdem mein Laptop auf standby ging, wollte ich ihn (damit ich die Fehlermeldung abschreiben kann) wieder hochfahren, aber dann ging wieder gar nichts mehr. Keine normaler Windows start, kein Start im Abgesicherten Modus. Es erschien ein weißer Text auf blauem Hintergrund, der besagte, dass ein Datenträger auf Konsistenz überprüft werden müsse, dann lief eine CHKDSK los und überprüfte C und D. Ergebnis: Fehler in irgendeiner Index und es wurden zig Einträge im Index $30 (oder so ähnlich) gelöscht und es lief tonnenweise irgendein Text rasendschnell über den Bildschirm. Ich habe keine Möglichkeit da einzugreifen und keinen Schimmer, was da grad passiert. So, jetzt hat das alles ein Ende, der LT versucht neu zu booten, aber es geht nicht, er fährt nur bis zum DOS mit den Auswahlkriterien in welchem Modus er gestartet werden soll. Habe den LT ausgeschaltet, bevor der Countdown zum Start beendet war. Ich hoffe jetzt nur, dass nicht noch schlimmeres passiert ist.
Gruß Silvi

**john.doe** · 28.04.2012, 22:13

Hm, seltsam.

1.) Stecke den Stick an den Rechner.

2.) Starte mit CD.

3.) Sichere deine Daten auf einen externen Datentraeger (Stick).

4.) Erstelle neue Logs mit OTL und poste die hier.

ciao, andreas

**Silvi** · 28.04.2012, 23:23

ok, leider ist es jetzt schon sehr spät, das Sichern meiner Daten dauerte etwas länger als gedacht, aber ist ist geschehen.

ABER: neues Problem Beim Doppelklicken auf das OTLPE-Symbol, zum neuen Erstellen von Logfiles, erscheint nun folgender Fehler:
RunScanner Error Registry Access Error, ret=1009;
The configuration registry database is corrupt. (darunter das "OK" zum bestätigen.)
Wie in Gottes Namen geht es jetzt weiter? Neue CD brennen? Runterfahren, neu Laden? Bin jetzt völlig planlos

Silvi

**john.doe** · 29.04.2012, 06:47

Moin Silvi,

1.) ich brauche den Hersteller und Typ deines Laptops.

2.) Lade dir Immunisier.bat auf dem Rechner deines Mannes auf seinen Desktop herunter, benenne die Datei um in Immunisier.bat, kopiere die Datei auf den Stick und starte sie dort mit Doppelklick.

3.) Versuche deine gesicherten Daten (vorerst nur Bilder oder Musik!) am Rechner deines Mannes zu oeffnen und berichte, ob das funktioniert.

ciao, andreas

**Silvi** · 29.04.2012, 09:38

Moin Andreas,
bist ja schon wieder früh im Portal. Konnte erst jetzt an den Rechner, mein Mann hat vorsichtshalber erst mal einen ausgiebigen Scan über seinen Rechner laufen lassen.
Also zu 1: Habe einen Rechner von HP, Typ= 530. So stehts zumindest drauf.
zu 2. Mache ich gleich im Anschluss, 3. ebenfalls.
Bis gleich, Gruß Silvi
PS: Bin happy, dass du mir noch nicht gesagt hast, dass ich den LT aus dem Fenster werfen soll.

Sorry, nochmal kurz zum Verständnis: Ich soll die Immunisier.bat (auf dem Stick) am Rechner meines Mannes starten????? Dann meine Musik/Bilddateien dort versuchen zu öffnen?

**john.doe** · 29.04.2012, 10:15

Moin Silvi,

Bin happy, dass du mir noch nicht gesagt hast, dass ich den LT aus dem Fenster werfen soll.

Nein. Ich kann nicht so ganz nachvollziehen, was abgelaufen ist. Denn ueblicherweise verschluesselt der Schaedling sowohl System- als auch private Dateien. Das ist in deinem Fall vermutlich aber nicht passiert. Deshalb sollst du testen, ob sich die Dateien oeffnen lassen.

Falls ja, dann habe ich vor, den Rechner in den Auslieferungszustand zurueckzusetzen. Dazu muessen aber erstmal deine Daten gesichert werden (schon erledigt). Eine Reparatur ist zwar moeglich aber wesentlich zeitintensiver als Zuruecksetzen und Zurueckspielen der eigenen Daten.

Dazu brauche ich aber Hersteller und Typ (schon erledigt), denn meist haben Laptops die Moeglichkeit in Minuten den Auslieferungszustand wiederherzustellen.

Ich soll die Immunisier.bat (auf dem Stick) am Rechner meines Mannes starten?

Ja. Du kannst entweder jedesmal die Shifttaste gedrueckt halten oder einmalig den Stick immunisieren.

Das Immunisieren hat den Vorteil, dass du den Stick dann auch an einen infizierten Rechner (Internetcafe, "Freunde und Bekannte", usw.) anstecken kannst, ohne danach deinen eigenen Rechner zu infizieren.

Dann meine Musik/Bilddateien dort versuchen zu öffnen?

Ja.

ciao, andreas