Trojanerbefall führt zu Extremausfall

[pc-jedi]

Hi

Ja, das funktioniert auch wenn du SP3 hast und nein die IPs brauchst du nicht notieren. Um die kümmern wir uns dann später.

[hares]

Ich verstehe nicht ganz: Was funktioniert auch wenn ich SP3 habe?

[pc-jedi]

Oh entschuldige Habe im falschen Fenster geantwortet.

Mach mal bitte folgendes:
Schritt 1
Vorbereitung

Lösche die vorhandene Version von Combofix und lade das Programm von einem der folgenden Download-Spiegel neu herunter:

BleepingComputer.com - ForoSpyware.com

und speichere es auf dem Desktop (nicht woanders hin, das ist wichtig)!
Wenn Du ComboFix bereits vorher auf dem Rechner hattest, lösche die alte Version, da ComboFix laufend aktualisiert wird.

• Denke daran, während des Laufs von Combofix Dein Antiviren-Programm temporär abzustellen.
  Danach wieder anstellen nicht vergessen!
• Wichtig: Bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein.
  Dies kann dazu führen, dass ComboFix sich aufhängt.

Anwendung

1. Öffne notepad (Start => Ausführen => notepad (reinschreiben) => ok) oder einen Editor Deiner Wahl und kopiere alles aus der nachfolgenden Codebox in ein leeres Dokument:
   
   Code:

   RegNull::
   [HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{28FAB9E2-8056-C399-CA16-FD317BB72F73}*]
   [HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8923014A-46E6-8B98-1CD9-1623C5A77CEE}*]
   [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2DE89BFF-E132-853A-E20D-320167E63033}\InProcServer32*]

2. Speichere dies als CFScript.txt auf Deinem Desktop.
   
   .
3. In Bezug auf obiges Bild, ziehe CFScript.txt in die ComboFix.exe
4. Wenn ComboFix fertig ist, wird es ein Log erstellen, C:\ComboFix.txt. Bitte füge es hier als Antwort ein.

Hinweis für Mitleser: Obiges Combofix-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

Falls im Skript die Anweisung Suspect:: oder Collect:: enthalten ist, wird eine Message-Box erscheinen, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen.

[hares]

Hier ist der Combofix Log:

Code:

ComboFix 10-09-02.04 - Administrator 03.09.2010  20:07:47.1.1 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.49.1033.18.1015.288 [GMT 2:00]
ausgeführt von:: c:\users\Administrator\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Administrator\Desktop\CFScript.txt
SP: Spyware Terminator *disabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((   Dateien erstellt von 2010-08-03 bis 2010-09-03  ))))))))))))))))))))))))))))))
.

2010-09-03 18:27 . 2010-09-03 18:27	--------	d-----w-	c:\users\Public\AppData\Local\temp
2010-09-03 18:27 . 2010-09-03 18:27	--------	d-----w-	c:\users\Guest\AppData\Local\temp
2010-09-03 18:27 . 2010-09-03 18:27	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-08-22 23:56 . 2010-02-12 10:32	293376	----a-w-	c:\windows\system32\browserchoice.exe
2010-08-22 23:48 . 2010-06-08 17:35	3600768	----a-w-	c:\windows\system32\ntkrnlpa.exe
2010-08-22 23:48 . 2010-06-08 17:35	3548040	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-08-22 23:48 . 2010-05-27 20:08	81920	----a-w-	c:\windows\system32\iccvid.dll
2010-08-22 23:44 . 2010-06-16 16:04	905088	----a-w-	c:\windows\system32\drivers\tcpip.sys
2010-08-21 20:58 . 2010-08-21 20:58	142592	----a-w-	c:\windows\system32\drivers\sp_rsdrv2.sys
2010-08-21 20:58 . 2010-09-01 23:45	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Spyware Terminator
2010-08-21 20:58 . 2010-09-01 23:51	--------	d-----w-	c:\programdata\Spyware Terminator
2010-08-21 20:58 . 2010-09-01 23:51	--------	d-----w-	c:\program files\Spyware Terminator
2010-08-18 03:14 . 2010-08-18 03:14	--------	d-----w-	c:\program files\Common Files\Java
2010-08-18 03:14 . 2010-08-18 03:14	423656	----a-w-	c:\windows\system32\deployJava1.dll
2010-08-17 11:06 . 2010-04-29 13:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 11:06 . 2010-08-17 11:06	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-08-17 11:06 . 2010-04-29 13:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-08-16 14:56 . 2010-08-16 18:22	785408	----a-w-	c:\windows\system32\drivers\ttbis.sys
2010-08-16 14:56 . 2010-08-17 10:53	--------	d-----w-	c:\users\Administrator\AppData\Local\hhwousgfr
2010-08-16 14:55 . 2010-08-16 14:55	--------	d-----w-	c:\users\Administrator\AppData\Roaming\146B927A0BC2AF5D5B1D4D21F7F9CD1B
2010-08-06 17:33 . 2010-09-02 23:53	--------	d-----w-	c:\users\Administrator\AppData\Roaming\TV-Browser

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 01:58 . 2008-03-05 02:32	--------	d-----w-	c:\users\Administrator\AppData\Roaming\vlc
2010-09-02 16:31 . 2008-11-25 14:02	--------	d-----w-	c:\users\Administrator\AppData\Roaming\dvdcss
2010-08-30 03:27 . 2007-10-22 11:08	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Vso
2010-08-29 12:52 . 2009-01-26 18:14	--------	d-----w-	c:\users\Administrator\AppData\Roaming\Any Video Converter Professional
2010-08-24 20:08 . 2010-07-25 20:29	--------	d-----w-	c:\programdata\Rosetta Stone
2010-08-23 17:20 . 2009-09-06 19:40	--------	d-----w-	c:\program files\Ubisoft
2010-08-22 23:51 . 2009-06-23 20:07	--------	d-----w-	c:\program files\Movie Maker 2.6
2010-08-22 23:50 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-08-22 14:08 . 2009-01-28 19:53	--------	d-----w-	c:\program files\Opera
2010-08-18 23:24 . 2007-10-17 13:50	--------	d-----w-	c:\program files\Common Files\Adobe
2010-08-18 02:52 . 2010-01-04 20:38	--------	d-----w-	c:\program files\TrueCrypt
2010-08-17 21:35 . 2007-10-17 00:50	107408	----a-w-	c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-17 10:40 . 2010-06-27 11:24	680	----a-w-	c:\users\Administrator\AppData\Local\d3d9caps.dat
2010-08-16 22:58 . 2007-10-17 14:00	--------	d-----w-	c:\programdata\FLEXnet
2010-08-16 17:12 . 2010-01-12 08:59	--------	d-----w-	c:\program files\a-squared Free
2010-08-16 04:20 . 2010-06-23 14:02	--------	d-----w-	c:\program files\LingoPad
2010-08-07 21:11 . 2010-07-27 19:54	--------	d-----w-	c:\program files\The KMPlayer
2010-08-06 17:32 . 2008-06-26 15:26	--------	d-----w-	c:\program files\TV-Browser
2010-08-03 17:16 . 2008-02-13 15:00	--------	d-----w-	c:\program files\iTunes
2010-08-03 17:06 . 2010-08-03 17:06	--------	d-----w-	c:\program files\iPod
2010-08-03 17:06 . 2008-02-13 14:51	--------	d-----w-	c:\program files\Common Files\Apple
2010-07-25 20:29 . 2010-07-25 20:29	--------	d-----w-	c:\program files\Rosetta Stone
2010-07-23 19:51 . 2010-07-23 19:51	136096	---ha-w-	c:\windows\system32\mlfcache.dat
2010-07-21 14:03 . 2008-07-07 09:52	--------	d-----w-	c:\users\Administrator\AppData\Roaming\ICQ
2010-07-21 14:02 . 2010-07-21 14:02	--------	d-----w-	c:\programdata\ICQ
2010-07-21 14:02 . 2007-07-27 16:17	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-07-17 01:55 . 2008-05-11 20:29	895	----a-w-	c:\windows\eReg.dat
2010-07-14 19:00 . 2007-10-17 16:31	--------	d-----w-	c:\program files\DAEMON Tools
2010-07-11 11:33 . 2007-07-27 16:44	--------	d-----w-	c:\programdata\Roxio
2010-07-11 11:33 . 2007-07-27 16:38	--------	d-----w-	c:\program files\Common Files\Roxio Shared
2010-07-10 21:57 . 2010-03-20 14:22	--------	d-----w-	c:\program files\AV Vcs 6.0 DIAMOND
2010-07-10 21:15 . 2008-04-04 12:19	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-07-10 19:08 . 2010-07-10 19:08	--------	d-----w-	c:\program files\Microsoft.NET
2010-07-08 13:21 . 2010-07-08 13:21	--------	d-----w-	c:\users\Administrator\AppData\Roaming\FastStone
2010-06-26 06:05 . 2010-08-22 23:47	916480	----a-w-	c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-22 23:47	109056	----a-w-	c:\windows\system32\iesysprep.dll
2010-06-26 06:02 . 2010-08-22 23:47	71680	----a-w-	c:\windows\system32\iesetup.dll
2010-06-26 04:25 . 2010-08-22 23:47	133632	----a-w-	c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-22 23:47	2037760	----a-w-	c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-22 23:47	36864	----a-w-	c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-22 23:47	302080	----a-w-	c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-22 23:47	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2010-06-11 16:16 . 2010-08-22 23:47	274944	----a-w-	c:\windows\system32\schannel.dll
2010-06-11 16:15 . 2010-08-22 23:47	1248768	----a-w-	c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2008-08-22 17:49	310328	----a-w-	c:\windows\System32\PGPfsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 1183744]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SynTPEnh.lnk - c:\program files\Synaptics\SynTP\SynTPEnh.exe [2008-3-28 1045800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 16:04	49152	----a-w-	c:\windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=PGPmapih.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages	REG_MULTI_SZ   	scecli PGPpwflt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\CCleaner.exe]
path=CCleaner.exe
backup=c:\windows\pss\CCleaner.exe.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 11:40	218032	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):87,a1,0c,24,bc,19,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 HDD & SSD access service;HDD & SSD access service;c:\program files\Common Files\BinarySense\disksvc.exe [x]
R3 AVMUNET;AVM FRITZ!Box;c:\windows\system32\DRIVERS\avmunet.sys [2005-02-22 15104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-02-07 193840]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2007-06-08 30008]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-06-08 172131]
R3 NDNdisprot;NetDetect NDIS Driver;c:\windows\system32\DRIVERS\ndndisprot.sys [2008-01-01 21504]
R3 rockusb;Driver for rockusb Device;c:\windows\system32\DRIVERS\rockusb.sys [2006-03-22 73984]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 gupdate1ca168b3cb2a5e3;Google Update Service (gupdate1ca168b3cb2a5e3);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-06 133104]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2007-10-17 685816]
S0 pgpfs;PGP File Sharing;c:\windows\System32\Drivers\PGPfsfd.sys [2008-08-22 128568]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-08-21 142592]
S2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [2010-07-14 1872320]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc
bthsvcs	REG_MULTI_SZ   	BthServ
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Inhalt des "geplante Tasks" Ordners

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-06 11:44]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-06 11:44]

2010-09-03 c:\windows\Tasks\User_Feed_Synchronization-{BD4BC8F0-18E3-4538-A5AC-6027C0DDD2E0}.job
- c:\windows\system32\msfeedssync.exe [2010-08-22 04:24]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=none&bd=smb&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
LSP: c:\windows\system32\PGPlsp.dll
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://mywebcast.cc/tvants/tvants.cab
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\f2ao3cfs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 20:28
Windows 6.0.6002 Service Pack 2 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,99,55,3d,09,7e,f9,46,ac,ca,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,e6,ea,75,95,d0,e6,40,8c,1e,a2,\

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.0122Istanbul_Bosporus_trip4217200312101418\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\photoviewer.dll"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="3gp_auto_file"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AVI"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Paint.Picture"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\photoviewer.dll"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdmov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\mplayerc6491.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nfo\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ram\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmvb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\mplayerc6491.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="OpenOffice.org.Rtf"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.swf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\vlc.exe"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wgt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.Widget"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMVFile"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Opera.HTML"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\NOTEPAD.EXE"

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{28FAB9E2-8056-C399-CA16-FD317BB72F73}*]
"iahajioljmcloppjcl"=hex:6a,61,65,63,6b,6d,70,70,6a,6b,6f,6c,68,61,6b,6e,6b,69,
   6f,6f,00,08
"hanaphjeohkoaiee"=hex:6a,61,65,63,6b,6d,70,70,6a,6b,6f,6c,68,61,6b,6e,6b,69,
   6f,6f,00,01

[HKEY_USERS\S-1-5-21-420206636-805589922-3808772611-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8923014A-46E6-8B98-1CD9-1623C5A77CEE}*]
"hanfgllpamcnhhgd"=hex:6a,61,6b,63,6a,6b,64,61,6d,64,68,66,6e,68,61,6c,6a,6f,
   70,67,00,03
"iapgihbadbmlihojgn"=hex:6a,61,6b,63,6a,6b,64,61,6d,64,68,66,6e,68,61,6c,6a,6f,
   70,67,00,03

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2DE89BFF-E132-853A-E20D-320167E63033}\InProcServer32*]
"kagolagpfbkoffmdpmjabl"=hex:62,61,67,6a,00,fc
"jagogpodkogmhpijddca"=hex:63,61,62,6a,6d,70,00,00

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(2908)
c:\windows\system32\PGPfsshl.dll
c:\program files\PGP Corporation\PGP Desktop\PGPwipe.dll
.
Zeit der Fertigstellung: 2010-09-03  20:39:44
ComboFix-quarantined-files.txt  2010-09-03 18:39

Vor Suchlauf: 9.156.456.448 bytes free
Nach Suchlauf: 9.027.993.600 bytes free

- - End Of File - - 7D7FBAFB30545C35BEB38D9571B6E9D5

[pc-jedi]

Hi

Es kann evt. noch ein bisschen dauern da, ich meine Kollegen dazu befragt habe.
Ich bitte um Verständnis.

[hares]

Klar, kein Problem. Du hast mir ja schon extrem geholfen.

[pc-jedi]

Hi

Notiere bitte alle IPs die MBAM block.

[pc-jedi]

Fehlende Rückmeldung

Gibt es Probleme beim Abarbeiten obiger Anleitung, wenn ja welche? Wenn ich innerhalb von fünf Tagen keine Rückmeldung von Dir erhalte, gehe ich davon aus, dass Du nicht mehr weitermachen möchtest und/oder Du das Problem lösen konntest und werde diesen Thread kommentarlos schließen, damit Kapazitäten für andere wartende User frei werden.

Hinweis: Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner schon sauber ist.

Edit 12.09.2010:
Thread wird mangels Rückmeldung geschlossen.
Bei Bedarf schicke bitte eine PN an mich, ich kann den Thread ggfs. wieder öffnen.