Support bei Auswertung DDS und Combofix

hami7 · 04.03.2012, 13:33

Liebe Analysten,

nach einem Rootkit-Virenbefall und der folgenden augenscheinlich möglicherweise erfolgreichen Bereinigungsversuche mittels Combofix, CCleaner und Malwarebytes bitte ich um eure Auswertung der DDS, Attach und Combofix Logs.

Mein System ist Win7 Home x64. Im folgenden findet ihr DDS.txt sowie im Anhang Attach.txt und Combofix.txt, mit der Bitte um eure Auswertung.

Danke,

--
.DDS Logfile:

Code:

ATTFilter

DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 9.0.8112.16421
Run by Patric at 13:25:03 on 2012-03-04
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.6143.3960 [GMT 1:00]
.
AV: COMODO Antivirus *Enabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5}
SP: COMODO Defense+ *Enabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall *Enabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\WBVGAservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\wbctlvga.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\wbctlvga.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
C:\Windows\SysWOW64\ACEngSvr.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Logitech Maus RX 250\SetPoint.exe
C:\Program Files (x86)\Logitech Maus RX 250\x86\SetPoint32.exe
C:\Program Files (x86)\asus\VirtualCamera\VirCamWS.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Patric\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" /r
mRun: [SpybotSnD] "C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe"
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk.disabled
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Logitech Maus RX 250\SetPoint.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7F34F862-3E66-4BD9-8CED-B71B46FFBF4A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7F34F862-3E66-4BD9-8CED-B71B46FFBF4A}\359454D454E435 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7F34F862-3E66-4BD9-8CED-B71B46FFBF4A}\3656C6562627964797D277966696 : DhcpNameServer = 172.24.1.9
TCP: Interfaces\{7F34F862-3E66-4BD9-8CED-B71B46FFBF4A}\4656661657C647 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7F34F862-3E66-4BD9-8CED-B71B46FFBF4A}\74C6F62616C6355796475675962756C6563737 : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{7F34F862-3E66-4BD9-8CED-B71B46FFBF4A}\E4544574541425 : DhcpNameServer = 192.168.0.1
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
{53707962-6F74-2D53-2644-206D7942484F}
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
mRun-x64: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
mRun-x64: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" /r
mRun-x64: [SpybotSnD] "C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe"
AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Patric\AppData\Roaming\Mozilla\Firefox\Profiles\jm53g717.default\
FF - prefs.js: browser.startup.homepage - www.web.de/fm
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R1 EIO64;EIO Driver;C:\Windows\system32\DRIVERS\EIO64.sys --> C:\Windows\system32\DRIVERS\EIO64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 ASMMAP64;ASMMAP64;C:\Program Files\ATKGFNEX\ASMMAP64.sys [2009-10-19 14904]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-1 2253120]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-8-12 87040]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-12-3 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
R2 WBVGAservice;WB VGA Service;C:\Program Files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\WBVGAservice.exe [2009-10-19 72248]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-10-19 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-19 79360]
S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 S332x64;SPRx3x USB SmartCard Reader;C:\Windows\system32\DRIVERS\S332x64.sys --> C:\Windows\system32\DRIVERS\S332x64.sys [?]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S4 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
.
=============== Created Last 30 ================
.
2012-03-04 11:57:19	--------	d-----w-	C:\Users\Patric\AppData\Local\Diagnostics
2012-03-04 11:48:36	--------	d-sh--w-	C:\$RECYCLE.BIN
2012-03-04 09:51:39	98816	----a-w-	C:\Windows\sed.exe
2012-03-04 09:51:39	518144	----a-w-	C:\Windows\SWREG.exe
2012-03-04 09:51:39	256000	----a-w-	C:\Windows\PEV.exe
2012-03-04 09:51:39	208896	----a-w-	C:\Windows\MBR.exe
2012-03-04 09:51:28	--------	d-----w-	C:\C2ombo2F2ix12855C
2012-03-04 09:34:53	--------	d-----w-	C:\C2ombo2F2ix14561C
2012-03-04 09:33:57	--------	d-----w-	C:\C2ombo2F2ix
2012-03-04 08:33:53	388096	----a-r-	C:\Users\Patric\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-04 08:33:53	--------	d-----w-	C:\Program Files (x86)\Trend Micro
2012-03-04 01:20:13	414368	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-04 01:06:19	16200	----a-w-	C:\Windows\stinger.sys
2012-03-04 01:05:57	--------	d-----w-	C:\Program Files (x86)\stinger
2012-03-03 23:11:24	--------	d-----w-	C:\Program Files\CCleaner
2012-02-29 21:39:58	--------	d-sh--w-	C:\Windows\System32\%APPDATA%
2012-02-20 09:12:40	8602168	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6659D2B7-9326-4F49-892F-7C4071B54C1B}\mpengine.dll
2012-02-16 06:27:55	509952	----a-w-	C:\Windows\System32\ntshrui.dll
2012-02-16 06:27:55	442880	----a-w-	C:\Windows\SysWow64\ntshrui.dll
2012-02-16 06:27:53	515584	----a-w-	C:\Windows\System32\timedate.cpl
2012-02-16 06:27:53	478720	----a-w-	C:\Windows\SysWow64\timedate.cpl
2012-02-16 06:27:51	3145728	----a-w-	C:\Windows\System32\win32k.sys
2012-02-16 06:27:48	498688	----a-w-	C:\Windows\System32\drivers\afd.sys
2012-02-16 06:27:31	690688	----a-w-	C:\Windows\SysWow64\msvcrt.dll
2012-02-16 06:27:31	634880	----a-w-	C:\Windows\System32\msvcrt.dll
.
==================== Find3M  ====================
.
2012-03-04 08:02:46	45056	----a-w-	C:\Windows\System32\acovcnt.exe
2012-01-26 23:52:58	279656	------w-	C:\Windows\System32\MpSigStub.exe
2011-12-27 10:48:04	175616	----a-w-	C:\Windows\System32\msclmd.dll
2011-12-27 10:48:04	152576	----a-w-	C:\Windows\SysWow64\msclmd.dll
2011-12-14 20:35:25	215128	----a-w-	C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-14 20:34:23	215128	----a-w-	C:\Windows\SysWow64\PnkBstrB.ex0
2011-12-14 07:11:03	2308096	----a-w-	C:\Windows\System32\jscript9.dll
2011-12-14 07:04:30	1390080	----a-w-	C:\Windows\System32\wininet.dll
2011-12-14 07:03:38	1493504	----a-w-	C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28	2382848	----a-w-	C:\Windows\System32\mshtml.tlb
2011-12-14 03:04:54	1798656	----a-w-	C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18	1127424	----a-w-	C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58	1427456	----a-w-	C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb
2011-12-10 14:24:08	23152	----a-w-	C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 13:27:18,18 ===============

--- --- ---

Support bei Auswertung DDS und Combofix

Log-Analyse und Auswertung: Support bei Auswertung DDS und Combofix

Support bei Auswertung DDS und Combofix

Ähnliche Themen: Support bei Auswertung DDS und Combofix