[duplicate] Bundespolizei trojan

Hello everyone,
Unfortunately my laptop got hit yesterday and I picked up the trojan mentioned in the title.
I have already read several posts on this board about this topic and have taken some first steps.
Since every thread points out that each infection is unique and needs its own procedure, I am posting my first results here.
I have already run a scan with srep.exe and OTLPE.
These two steps seemed sensible to me and doable without further risk to my laptop.
Here are the logs I got:
srep: Quote:
WIN_VISTA X86Service Pack 2
HKLM\..\Winlogon; Shell = explorer.exe
No action taken
HKCU\..\Winlogon; Shell not found
No action taken
HKLM\..\Run [Windows Defender] = %ProgramFiles%\Windows Defender\MSASCui.exe -hide
HKLM\..\Run [WPCUMI] = C:\Windows\system32\WpcUmi.exe
HKLM\..\Run [LG Intelligent Update] = "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
HKLM\..\Run [StartCCC] = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
HKLM\..\Run [avgnt] = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
HKLM\..\Run [DivXUpdate] = "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
HKLM\..\Run [Windows Mobile-based device management] = %windir%\WindowsMobile\wmdSync.exe
HKLM\..\Run [SunJavaUpdateSched] = "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
HKLM\..\Run [Adobe Reader Speed Launcher] = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
HKLM\..\Run [Adobe ARM] = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
HKLM\..\Run [QuickTime Task] = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
HKLM\..\Run [NPSStartup] =
HKCU\..\Run [Sidebar] = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
HKCU\..\Run [msnmsgr] = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKCU\..\Run [ehTray.exe] = C:\Windows\ehome\ehTray.exe
HKCU\..\Run [PMCRemote] =
HKCU\..\Run [EA Core] = "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
HKCU\..\Run [Steam] = "D:\Spiele\Steam\Steam.exe" -silent
HKCU\..\Run [ICQ] = "C:\Program Files\ICQ7.2\ICQ.exe" silent loginmode=4
HKCU\..\Run [AutoStartNPSAgent] = C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
HKCU\..\Run [WMPNSCFG] = C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKCU\..\Run [avupdate] = C:\Users\Saturn\AppData\Roaming\mahmud.exe
HKU\.DEFAULT\..\Winlogon; Shell =
HKU\S-1-5-19\..\Winlogon; Shell =
HKU\S-1-5-20\..\Winlogon; Shell =
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Winlogon; Shell =
HKU\S-1-5-21-491113855-2426311782-949560941-1000_Classes\..\Winlogon; Shell =
HKU\S-1-5-18\..\Winlogon; Shell =
HKU\S-1-5-19\..\Run [Sidebar] = %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
HKU\S-1-5-19\..\Run [WindowsWelcomeCenter] = rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\..\Run [Sidebar] = %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
HKU\S-1-5-20\..\Run [WindowsWelcomeCenter] = rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [Sidebar] = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [msnmsgr] = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [ehTray.exe] = C:\Windows\ehome\ehTray.exe
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [PMCRemote] =
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [EA Core] = "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [Steam] = "D:\Spiele\Steam\Steam.exe" -silent
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [ICQ] = "C:\Program Files\ICQ7.2\ICQ.exe" silent loginmode=4
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [AutoStartNPSAgent] = C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [WMPNSCFG] = C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [avupdate] = C:\Users\Saturn\AppData\Roaming\mahmud.exe
==== FINISH 04.10-15.22 ====
OTLPE: Quote:
OTL logfile created on: 10/5/2011 1:19:32 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 99.99 Gb Total Space | 55.25 Gb Free Space | 55.26% Space Free | Partition Type: NTFS
Drive D: | 196.60 Gb Total Space | 167.00 Gb Free Space | 84.94% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========
SRV - [2011/08/08 10:00:05 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/07/27 16:34:42 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/04/21 01:52:51 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/31 03:39:36 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\Windows\System32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008/08/29 08:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2008/04/07 03:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/20 22:23:24 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008/01/20 22:23:24 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)

========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - [2011/08/08 10:00:11 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/08/08 10:00:11 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/10/08 11:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2009/04/11 00:38:59 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\usbccid.sys -- (USBCCID)
DRV - [2009/03/31 03:39:36 | 000,036,608 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009/03/20 04:01:26 | 000,121,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ss_bmdm.sys -- (ss_bmdm)
DRV - [2009/03/20 04:01:26 | 000,090,112 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ss_bbus.sys -- (ss_bbus) SAMSUNG USB Mobile Device (WDM)
DRV - [2009/03/20 04:01:26 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ss_bmdfl.sys -- (ss_bmdfl) SAMSUNG USB Mobile Modem (Filter)
DRV - [2009/02/13 06:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/01/19 14:31:56 | 000,277,544 | ---- | M] (Protect Software GmbH) [Kernel | Auto] -- C:\Windows\System32\drivers\acedrv11.sys -- (acedrv11)
DRV - [2008/08/29 08:57:18 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/06/25 17:30:50 | 003,662,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008/06/10 11:35:54 | 003,839,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/05/02 00:59:40 | 000,122,368 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/03/29 12:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2008/01/20 22:23:02 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/09/17 09:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/06/14 08:41:00 | 000,466,048 | ---- | M] (LITEON) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Ltn_stk7070P.sys -- (Ltn_stk7070P)
DRV - [2007/06/13 13:30:20 | 000,013,440 | ---- | M] (LITEON) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Ltn_stkrc.sys -- (Ltn_stkrc)
DRV - [2007/01/18 13:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/12/14 02:11:58 | 000,007,680 | ---- | M] (ATK0100) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ATKACPI.sys -- (MTsensor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.lge.com
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Mcx1_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Saturn_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.lge.com
IE - HKU\Saturn_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.icq.com/
IE - HKU\Saturn_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\Saturn_ON_C\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\Saturn_ON_C\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\Saturn_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\System32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/17 12:48:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/17 12:48:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.12\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/08/22 16:02:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.12\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011/02/24 11:02:46 | 000,000,000 | ---D | M]
[2011/06/27 08:49:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/16 08:06:57 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/02/27 12:55:34 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/02/27 12:55:34 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011/02/27 12:55:34 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011/02/27 12:55:34 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/02/27 12:55:34 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [LG Intelligent Update] C:\Program Files\lg_swupdate\giljabistart.exe (BIT LEADER)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\Mcx1_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\Saturn_ON_C..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKU\Saturn_ON_C..\Run: [avupdate] C:\Users\Saturn\AppData\Roaming\mahmud.exe ()
O4 - HKU\Saturn_ON_C..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKU\Saturn_ON_C..\Run: [ICQ] File not found
O4 - HKU\Saturn_ON_C..\Run: [PMCRemote] File not found
O4 - HKU\Saturn_ON_C..\Run: [Steam] File not found
O4 - Startup: Error locating startup folders.
O7 - HKU\Mcx1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Mcx1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\Mcx1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O7 - HKU\Saturn_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Saturn_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\Saturn_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Spiele\Poker\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Spiele\Poker\PartyPoker\RunApp.exe ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========
[2011/10/04 09:03:30 | 000,000,000 | ---D | C] -- C:\Users\Saturn\AppData\Roaming\Avira
[2011/10/04 03:26:00 | 000,000,000 | ---D | C] -- C:\Users\Saturn\Desktop\CinemaxX
[2011/09/22 07:51:04 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/09/21 08:26:03 | 000,000,000 | ---D | C] -- C:\Users\Saturn\AppData\Roaming\Padserv
[2011/09/15 09:59:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Airline Tycoon Evolution
[5 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========
[2011/10/05 06:10:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/05 06:09:06 | 000,007,512 | ---- | M] () -- C:\Users\Saturn\AppData\Local\d3d9caps.dat
[2011/10/05 06:06:33 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/05 06:06:32 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/04 09:27:37 | 000,638,418 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011/10/04 09:27:37 | 000,604,280 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/10/04 09:27:37 | 000,131,526 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011/10/04 09:27:37 | 000,107,958 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/04 09:26:43 | 000,000,349 | ---- | M] () -- C:\Users\Public\Documents\PCLECHAL.INI
[2011/10/04 08:47:44 | 000,172,544 | ---- | M] () -- C:\Users\Saturn\AppData\Roaming\mahmud.exe
[2011/09/22 07:51:04 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/09/15 09:59:19 | 000,000,461 | ---- | M] () -- C:\Users\Public\Desktop\Airline Tycoon Evolution.lnk
[2011/09/15 09:59:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Airline Tycoon Evolution
[2011/09/14 16:19:55 | 000,017,209 | ---- | M] () -- C:\Users\Saturn\Documents\Wochenplan für WiSe 11,12.ods
[2011/09/10 15:54:58 | 003,750,912 | ---- | M] () -- C:\Users\Saturn\Desktop\DSC_0257.JPG
[2011/09/10 06:43:34 | 003,661,703 | ---- | M] () -- C:\Users\Saturn\Desktop\DSC_0245.JPG
[5 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========
[2011/10/04 08:47:44 | 000,172,544 | ---- | C] () -- C:\Users\Saturn\AppData\Roaming\mahmud.exe
[2011/09/24 05:47:39 | 003,661,703 | ---- | C] () -- C:\Users\Saturn\Desktop\DSC_0245.JPG
[2011/09/24 05:47:10 | 003,750,912 | ---- | C] () -- C:\Users\Saturn\Desktop\DSC_0257.JPG
[2011/09/15 09:59:19 | 000,000,461 | ---- | C] () -- C:\Users\Public\Desktop\Airline Tycoon Evolution.lnk
[2011/08/28 14:57:01 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2011/08/28 14:57:01 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2011/02/24 12:45:57 | 000,000,125 | ---- | C] () -- C:\Windows\QTW.INI
[2010/06/18 06:17:48 | 000,201,488 | ---- | C] () -- C:\Windows\System32\MACD32.DLL
[2010/06/18 06:17:48 | 000,144,144 | ---- | C] () -- C:\Windows\System32\MASE32.DLL
[2010/06/18 06:17:48 | 000,141,584 | ---- | C] () -- C:\Windows\System32\MAMC32.DLL
[2010/06/18 06:17:48 | 000,063,248 | ---- | C] () -- C:\Windows\System32\MASD32.DLL
[2010/06/18 06:17:48 | 000,033,040 | ---- | C] () -- C:\Windows\System32\MA32.DLL
[2010/04/03 12:52:07 | 000,069,632 | ---- | C] () -- C:\Windows\System32\xmltok.dll
[2010/04/03 12:52:07 | 000,036,864 | ---- | C] () -- C:\Windows\System32\xmlparse.dll
[2009/12/03 16:47:48 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2009/11/21 09:05:37 | 000,000,822 | ---- | C] () -- C:\Windows\eReg.dat
[2009/10/24 12:14:07 | 000,138,056 | ---- | C] () -- C:\Users\Saturn\AppData\Roaming\PnkBstrK.sys
[2009/10/24 12:13:51 | 000,075,064 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2009/10/09 12:26:12 | 000,554,496 | ---- | C] () -- C:\Windows\System32\dvmsg.dll
[2009/08/08 10:49:03 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/08 10:49:02 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/04 06:36:03 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/08/01 14:47:11 | 000,041,984 | ---- | C] () -- C:\Users\Saturn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/24 11:23:13 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/24 11:18:13 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2009/07/24 11:03:09 | 000,009,665 | ---- | C] () -- C:\Windows\lg_up.ini
[2009/07/24 10:55:51 | 000,000,894 | ---- | C] () -- C:\Windows\lgcenter.ini
[2009/07/24 10:26:05 | 000,007,512 | ---- | C] () -- C:\Users\Saturn\AppData\Local\d3d9caps.dat
[2008/08/29 08:58:26 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2008/06/16 23:51:02 | 000,638,418 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008/06/16 23:51:02 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008/06/16 23:51:02 | 000,131,526 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008/06/16 23:51:02 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2008/06/10 09:13:02 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/06/10 04:50:18 | 000,174,819 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2008/03/05 07:38:44 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
[2007/10/25 11:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2007/06/25 14:34:26 | 000,070,400 | ---- | C] () -- C:\Windows\System32\PhysXLoader.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,259,776 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,604,280 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,107,958 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2000/02/09 18:00:00 | 000,047,104 | ---- | C] () -- C:\Windows\System32\wrkgadm.exe
[2000/02/09 18:00:00 | 000,012,288 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL

========== LOP Check ==========
[2011/02/08 16:53:51 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\AIMP
[2010/10/18 05:26:33 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Audacity
[2011/07/13 18:00:55 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\DVDVideoSoftIEHelpers
[2009/11/30 19:04:20 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\EPSON
[2010/06/20 06:32:45 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\GoPal Assistant
[2011/09/29 07:43:28 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\ICQ
[2010/04/19 15:53:16 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Leadertech
[2011/05/11 12:01:43 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\LolClient
[2011/08/08 07:33:51 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Mount&Blade
[2009/09/20 06:33:52 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\OpenOffice.org
[2011/09/29 02:26:22 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Padserv
[2011/08/28 15:02:55 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\PC Suite
[2010/05/26 08:17:36 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\ProtectDisc
[2011/08/28 14:56:39 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Samsung
[2009/08/01 15:11:39 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Serif
[2010/08/02 06:54:17 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\temp
[2010/03/30 06:48:00 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Thunderbird
[2010/03/15 17:19:16 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Tobit
[2011/05/21 13:10:36 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\TS3Client
[2010/07/23 06:07:41 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\UseNeXT
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2011/04/28 14:06:05 | 000,000,000 | ---D | M] -- C:\ProgramData\Electronic Arts
[2009/10/13 13:08:54 | 000,000,000 | ---D | M] -- C:\ProgramData\EPSON
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2011/05/18 14:31:28 | 000,000,000 | ---D | M] -- C:\ProgramData\ICQ
[2011/08/28 15:02:56 | 000,000,000 | ---D | M] -- C:\ProgramData\PC Suite
[2010/06/18 06:21:52 | 000,000,000 | ---D | M] -- C:\ProgramData\Pinnacle
[2011/05/31 15:26:34 | 000,000,000 | ---D | M] -- C:\ProgramData\PMB Files
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2010/10/03 15:33:34 | 000,000,000 | ---D | M] -- C:\ProgramData\WindowsSearch
[2010/02/21 17:05:13 | 000,000,000 | ---D | M] -- C:\ProgramData\WinZip
[2011/10/04 09:04:33 | 000,032,532 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========
< End of report >
I would be very grateful for further instructions.
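Editor's note: the following is an added example, not part of the original post and not a tool used on this board. It shows how a responder could triage the O4 (Run key) lines of an OTL log like the one above automatically instead of by eye. The heuristics it applies are assumptions of this example, not a definition from OTL: a Run value whose target sits in a user-writable directory (AppData, Temp, ProgramData) and whose binary carries no company name is the pattern that the "avupdate" -> mahmud.exe entry in this log exhibits. The sample input is a handful of O4 lines copied from the OTLPE log above and embedded so the script runs offline.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: O4 lines copied from the OTLPE log in this thread (constructed test data).
SAMPLE_O4 = r"""
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKU\Saturn_ON_C..\Run: [avupdate] C:\Users\Saturn\AppData\Roaming\mahmud.exe ()
O4 - HKU\Saturn_ON_C..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
"""


class RunEntry(NamedTuple):
    hive: str             # e.g. "HKLM" or "HKU\Saturn_ON_C"
    name: str             # the Run value name, e.g. "avupdate"
    path: Optional[str]   # target binary, or None when OTL reports "File not found"
    vendor: str           # company name OTL read from the PE version info; "" when absent


# OTL prints Run keys as:  O4 - <hive>..\Run: [<name>] <path> (<vendor>)
# or, for a dangling value:  O4 - <hive>..\Run: [<name>] File not found
_O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
_PATH_RE = re.compile(r"^(?P<path>.*?) \((?P<vendor>[^()]*)\)$")

# Directories a non-elevated user can write to. A Run value pointing here was
# dropped without admin rights, which is how browser-delivered lockers persist.
# (Heuristic chosen for this example; extend as needed.)
_USER_WRITABLE = re.compile(
    r"\\(AppData|Local Settings|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE
)


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one OTL O4 line; return None for anything that is not an O4 Run line."""
    m = _O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, rest = m.group("hive"), m.group("name"), m.group("rest")
    if rest == "File not found":
        return RunEntry(hive, name, None, "")
    pm = _PATH_RE.match(rest)
    if not pm:                       # no "(vendor)" suffix at all; keep the raw path
        return RunEntry(hive, name, rest, "")
    return RunEntry(hive, name, pm.group("path"), pm.group("vendor").strip())


def reasons_for(entry: RunEntry) -> List[str]:
    """Return the triage reasons that apply to an entry (empty list means nothing stands out)."""
    if entry.path is None:
        return ["orphaned Run value (target missing); harmless, but clean it up"]
    reasons: List[str] = []
    if _USER_WRITABLE.search(entry.path):
        reasons.append("target lives in a user-writable directory")
    if not entry.vendor:
        reasons.append("binary carries no company name in its version info")
    if not entry.vendor and re.search(r"av|anti|update|secur", entry.name, re.IGNORECASE):
        reasons.append("security/updater-style value name on a binary without vendor info")
    return reasons


def verdict(entry: RunEntry) -> str:
    """Collapse the reasons into one of: ok, orphan, review, likely malicious."""
    if entry.path is None:
        return "orphan"
    reasons = reasons_for(entry)
    if not reasons:
        return "ok"
    if _USER_WRITABLE.search(entry.path) and not entry.vendor:
        return "likely malicious"
    return "review"


def triage(log_text: str) -> List[Tuple[RunEntry, str, List[str]]]:
    """Parse every O4 line in an OTL log and attach a verdict and reasons to each."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            results.append((entry, verdict(entry), reasons_for(entry)))
    return results


if __name__ == "__main__":
    for entry, v, reasons in triage(SAMPLE_O4):
        print(f"[{v:>16}] {entry.hive}\\Run\\{entry.name} -> {entry.path}")
        for r in reasons:
            print(f"{'':18}- {r}")
```

Run against the O4 block of a saved OTL log (e.g. `python triage_o4.py < OTL.txt` after replacing SAMPLE_O4 with `sys.stdin.read()`), the script separates the three cases a responder cares about: orphaned values like [NPSStartup] that just need removal, "review" entries like [DivXUpdate] that merely lack version info, and the one entry that both lives in the user's profile and has no vendor, which is exactly the [avupdate] -> mahmud.exe line in this log. The verdict is a prioritisation aid, not a malware determination; the file itself still needs to be submitted to a scanner or sandbox.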