|
Plagegeister aller Art und deren Bekämpfung: BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführtWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
23.03.2012, 16:23 | #1 |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Also hallo erst einmal, bin ja noch ganz neu hier im Forum. Hab mich schon durch einige Forumsbeiträge gelesen. Der PC von meinen Eltern hat den berüchtigten BKA-Trojaner und ich würde mich freuen, wenn ihr mir hier ein wenig behilflich sein könntet. Betriebssystem: Windows 7 32 bit Antivirussoftware: GData Internet Security Eltern haben laut der Seite botfrei.de den Trojaner als Version 1.03 identifiziert. hxxp://bka-trojaner.de/ Das die Explorer.exe befallen ist, wurde anhand dieser Anleitung von redirect301 festgestellt: hxxp://www.redirect301.de/bundespolizei-trojaner-entfernen.html Ein Austausch über die Eingabeaufforderung im abgesicherten Modus war nicht möglich (Erweiterter Fehler 5). Habe mich erst einmal an dieser Anleitung orientiert, da sie recht genau mein Problem widerspiegelt, dann diesen Threat eröffnet, damit mein individuelle Problem behoben werden kann. http://www.trojaner-board.de/107703-...lorer-exe.html Ich habe deshalb OTL im abgesicherten Modus mit Netzwerktreibern durchlaufen lassen. Hier anbei die OTL.txt und Extras.txt Hoffe ich habe alle Regeln ausreichend befolgt und hoffe mir kann jemand weiterhelfen. Da ich schon einiges über diesen Trojaner jetzt gelesen habe wollte ich mal nachfragen, wie hier im Forum zu Lösungsansätzen von "Kaspersky WindowsUnlocker" gedacht wird. Ziehe aber auf jeden Fall die manuelle Hilfestellung von euch vor, da diese mir sicherer erscheint. OTL.txt Code:
ATTFilter OTL logfile created on: 23.03.2012 14:59:08 - Run 1 OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Stamm\Desktop Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,62 Gb Available Physical Memory | 80,80% Memory free 4,00 Gb Paging File | 3,64 Gb Available in Paging File | 91,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 29,45 Gb Total Space | 4,61 Gb Free Space | 15,65% Space Free | Partition Type: NTFS Drive D: | 160,46 Gb Total Space | 28,78 Gb Free Space | 17,94% Space Free | Partition Type: NTFS Drive G: | 7,49 Gb Total Space | 7,48 Gb Free Space | 99,83% Space Free | Partition Type: FAT32 Computer Name: STAMM-PC | User Name: Stamm | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - C:\Users\Stamm\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Windows\explorer.exe (Microsoft Corporation) ========== Modules (No Company Name) ========== MOD - C:\Programme\WinRAR\RarExt.dll () MOD - C:\Programme\Ashampoo WinOptimizer 6\ContextHandler.dll () ========== Win32 Services (SafeList) ========== SRV - (SBSDWSCService) -- C:\Program Files\Spybot File not found SRV - (SkypeUpdate) -- C:\Programme\Skype\Updater\Updater.exe (Skype Technologies) SRV - (TeamViewer7) -- C:\Programme\TeamViewer\Version7\TeamViewer_Service.exe (TeamViewer GmbH) SRV - (AdobeARMservice) -- C:\Programme\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated) SRV - (AVKProxy) -- C:\Programme\Common Files\G DATA\AVKProxy\AVKProxy.exe (G Data Software AG) SRV - (GDScan) -- C:\Programme\Common Files\G DATA\GDScan\GDScan.exe (G Data Software AG) SRV - (AVKWCtl) -- C:\Programme\G Data\InternetSecurity\AVK\AVKWCtl.exe (G Data Software AG) SRV - (UMVPFSrv) -- C:\Programme\Common Files\logishrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.) SRV - (GDFwSvc) -- C:\Programme\G Data\InternetSecurity\Firewall\GDFwSvc.exe (G Data Software AG) SRV - (Secunia PSI Agent) -- C:\Programme\Secunia\PSI\psia.exe (Secunia) SRV - (odserv) -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE (Microsoft Corporation) SRV - (AVKService) -- C:\Programme\G Data\InternetSecurity\AVK\AVKService.exe (G Data Software AG) SRV - (WMPNetworkSvc) -- C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) SRV - (Creative Audio Engine Licensing Service) -- C:\Programme\Common Files\Creative Labs Shared\Service\CTAELicensing.exe (Creative Labs) SRV - (SwitchBoard) -- C:\Programme\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated) SRV - (LVPrcSrv) -- C:\Programme\Common Files\logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.) SRV - (DfSdkS) -- C:\Programme\Ashampoo WinOptimizer 6\DfSdkS.exe (mst software GmbH, Germany) SRV - (SandraAgentSrv) -- C:\Programme\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe (SiSoftware) SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation) SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation) SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation) SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (Nero BackItUp Scheduler 4.0) -- C:\Programme\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG) SRV - (CTAudSvcService) -- C:\Programme\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd) SRV - (ose) -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (GDMnIcpt) -- C:\Windows\System32\drivers\MiniIcpt.sys (G Data Software AG) DRV - (GDBehave) -- C:\Windows\System32\drivers\GDBehave.sys (G Data Software AG) DRV - (gdwfpcd) -- C:\Windows\System32\drivers\gdwfpcd32.sys (G Data Software AG) DRV - (LVUVC) Logitech Webcam 500(UVC) -- C:\Windows\System32\drivers\lvuvc.sys (Logitech Inc.) DRV - (LVRS) -- C:\Windows\System32\drivers\lvrs.sys (Logitech Inc.) DRV - (GDPkIcpt) -- C:\Windows\System32\drivers\PktIcpt.sys (G Data Software AG) DRV - (HookCentre) -- C:\Windows\System32\drivers\HookCentre.sys (G Data Software AG) DRV - (GRD) -- C:\Windows\System32\drivers\GRD.sys (G Data Software) DRV - (GdNetMon) -- C:\Windows\System32\drivers\GdNetMon32.sys (G Data Software AG) DRV - (epmntdrv) -- C:\Windows\System32\epmntdrv.sys () DRV - (EuGdiDrv) -- C:\Windows\System32\EuGdiDrv.sys () DRV - (seehcri) -- C:\Windows\System32\drivers\seehcri.sys (Sony Ericsson Mobile Communications) DRV - (ggsemc) -- C:\Windows\System32\drivers\ggsemc.sys (Sony Ericsson Mobile Communications) DRV - (ggflt) -- C:\Windows\System32\drivers\ggflt.sys (Sony Ericsson Mobile Communications) DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation) DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation) DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation) DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation) DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation) DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation) DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (PSI) -- C:\Windows\System32\drivers\psi_mf.sys (Secunia) DRV - (P17) -- C:\Windows\System32\drivers\P17.sys (Creative Technology Ltd.) DRV - (LVPr2Mon) -- C:\Windows\System32\drivers\LVPr2Mon.sys () DRV - (SANDRA) -- C:\Programme\SiSoftware Sandra Lite 2010\WNt500x86\sandra.sys (SiSoftware) DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation) DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\Windows\System32\drivers\RTKVAC.SYS (Realtek Semiconductor Corp.) DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys () ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.spiegel.de/ IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DD 17 F0 04 11 5F CC 01 [binary data] IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\..\SearchScopes,DefaultScope = {A293F49F-4002-47EB-A47C-0DD068F87CC2} IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\..\SearchScopes\{A293F49F-4002-47EB-A47C-0DD068F87CC2}: "URL" = hxxp://www.google.de/search?q={searchTerms} IE - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.useDBForOrder: true FF - prefs.js..browser.startup.homepage: "hxxp://www.spiegel.de/" FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:5.0.1 FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.5.3 FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6 FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 FF - prefs.js..extensions.enabledItems: {9AA46F4F-4DC7-4c06-97AF-5035170633FE}:22.1.11089.229 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll () FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.03.19 15:13:43 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012.01.12 17:39:04 | 000,000,000 | ---D | M] [2010.07.30 12:41:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stamm\AppData\Roaming\mozilla\Extensions [2012.03.14 19:52:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Stamm\AppData\Roaming\mozilla\Firefox\Profiles\o3zdvqm8.default\extensions [2012.03.04 10:51:18 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Stamm\AppData\Roaming\mozilla\Firefox\Profiles\o3zdvqm8.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2012.03.14 19:52:15 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\Stamm\AppData\Roaming\mozilla\Firefox\Profiles\o3zdvqm8.default\extensions\firefox@ghostery.com [2011.12.26 11:26:33 | 000,000,933 | ---- | M] () -- C:\Users\Stamm\AppData\Roaming\Mozilla\Firefox\Profiles\o3zdvqm8.default\searchplugins\11-suche.xml [2011.12.26 11:26:33 | 000,002,419 | ---- | M] () -- C:\Users\Stamm\AppData\Roaming\Mozilla\Firefox\Profiles\o3zdvqm8.default\searchplugins\englische-ergebnisse.xml [2011.12.26 11:26:33 | 000,010,525 | ---- | M] () -- C:\Users\Stamm\AppData\Roaming\Mozilla\Firefox\Profiles\o3zdvqm8.default\searchplugins\gmx-suche.xml [2011.12.26 11:26:33 | 000,002,457 | ---- | M] () -- C:\Users\Stamm\AppData\Roaming\Mozilla\Firefox\Profiles\o3zdvqm8.default\searchplugins\lastminute.xml [2011.12.26 11:26:32 | 000,005,508 | ---- | M] () -- C:\Users\Stamm\AppData\Roaming\Mozilla\Firefox\Profiles\o3zdvqm8.default\searchplugins\webde-suche.xml [2012.02.13 18:17:32 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.02.13 18:56:29 | 000,000,000 | ---D | M] (G Data BankGuard) -- C:\Programme\Mozilla Firefox\extensions\{906305f7-aafc-45e9-8bbd-941950a84dad} [2012.02.13 18:56:29 | 000,000,000 | ---D | M] (G Data WebFilter) -- C:\Programme\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE} () (No name found) -- C:\USERS\STAMM\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\O3ZDVQM8.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI () (No name found) -- C:\USERS\STAMM\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\O3ZDVQM8.DEFAULT\EXTENSIONS\{EF522540-89F5-46B9-B6FE-1829E2B572C6}.XPI () (No name found) -- C:\USERS\STAMM\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\O3ZDVQM8.DEFAULT\EXTENSIONS\COMPATIBILITY@ADDONS.MOZILLA.ORG.XPI () (No name found) -- C:\USERS\STAMM\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\O3ZDVQM8.DEFAULT\EXTENSIONS\SHAREMENOT@FRANZIROESNER.COM.XPI [2012.03.19 15:13:43 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2011.10.03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2012.02.08 18:36:16 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.02.08 18:21:19 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012.02.08 18:36:16 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml [2012.02.08 18:36:16 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml [2012.02.08 18:36:16 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml [2012.02.08 18:36:16 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2011.05.14 11:12:10 | 000,418,884 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 008i.com O1 - Hosts: 127.0.0.1 www.008k.com O1 - Hosts: 127.0.0.1 008k.com O1 - Hosts: 127.0.0.1 www.00hq.com O1 - Hosts: 127.0.0.1 00hq.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.0scan.com O1 - Hosts: 127.0.0.1 0scan.com O1 - Hosts: 127.0.0.1 1000gratisproben.com O1 - Hosts: 127.0.0.1 www.1000gratisproben.com O1 - Hosts: 127.0.0.1 1001namen.com O1 - Hosts: 127.0.0.1 www.1001namen.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 www.1-2005-search.com O1 - Hosts: 127.0.0.1 1-2005-search.com O1 - Hosts: 127.0.0.1 123fporn.info O1 - Hosts: 14447 more lines... O2 - BHO: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G Data\InternetSecurity\WebFilter\AvkWebIE.dll (G Data Software AG) O2 - BHO: (G Data BankGuard) - {BA3295CF-17ED-4F49-9E95-D999A0ADBFDC} - C:\Programme\Common Files\G DATA\AVKProxy\BanksafeBHO.dll (G Data Software AG) O3 - HKLM\..\Toolbar: (G Data WebFilter) - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G Data\InternetSecurity\WebFilter\AvkWebIE.dll (G Data Software AG) O4 - HKLM..\Run: [G Data AntiVirus Tray Application] C:\Programme\G Data\InternetSecurity\AVKTray\AVKTray.exe (G Data Software AG) O4 - HKLM..\Run: [GDFirewallTray] C:\Programme\G Data\InternetSecurity\Firewall\GDFirewallTray.exe (G Data Software AG) O4 - HKLM..\Run: [P17RunE] C:\Windows\System32\P17RunE.dll (Creative Technology Ltd.) O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation) O4 - Startup: C:\Users\Stamm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Stamm\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O7 - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab (Creative Software AutoUpdate) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab (Creative Software AutoUpdate Support Package) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{740B1510-2513-4301-9C17-6B6EF483E9D6}: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2012.03.23 14:56:12 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Stamm\Desktop\mbam-setup-1.60.1.1000.exe [2012.03.23 14:56:12 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\Stamm\Desktop\OTL.exe [2012.03.22 18:05:24 | 000,000,000 | ---D | C] -- C:\Users\Stamm\AppData\Roaming\TeamViewer [2012.03.14 17:10:44 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe [2012.03.14 17:10:41 | 003,913,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe [2012.03.14 16:54:00 | 002,343,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2012.03.14 16:53:59 | 001,077,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll [2012.03.14 16:53:36 | 000,129,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpcorekmts.dll [2012.03.14 16:53:36 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpwsx.dll [2012.03.14 16:53:36 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdrmemptylst.exe [2012.03.14 16:53:34 | 000,826,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpcore.dll ========== Files - Modified Within 30 Days ========== [2012.03.23 14:52:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.03.23 14:46:58 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Stamm\Desktop\OTL.exe [2012.03.23 14:27:52 | 000,662,276 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2012.03.23 14:27:52 | 000,622,856 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012.03.23 14:27:52 | 000,133,346 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2012.03.23 14:27:52 | 000,108,978 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012.03.23 13:49:38 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Stamm\Desktop\mbam-setup-1.60.1.1000.exe [2012.03.23 08:40:47 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs [2012.03.22 17:06:56 | 000,013,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.03.22 17:06:56 | 000,013,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.03.22 14:09:03 | 000,001,057 | ---- | M] () -- C:\Users\Stamm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.4194274011065664.exe.lnk [2012.03.22 13:52:59 | 000,588,494 | ---- | M] () -- C:\Windows\System32\sig.bin [2012.03.22 13:52:59 | 000,038,133 | ---- | M] () -- C:\Windows\System32\nmp.map [2012.03.14 19:31:39 | 003,693,520 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2012.03.03 14:18:20 | 000,001,017 | ---- | M] () -- C:\Users\Stamm\Desktop\Dropbox.lnk [2012.03.03 14:18:20 | 000,000,997 | ---- | M] () -- C:\Users\Stamm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2012.02.23 09:18:36 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe ========== Files Created - No Company Name ========== [2012.03.22 14:09:03 | 000,001,057 | ---- | C] () -- C:\Users\Stamm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0.4194274011065664.exe.lnk [2011.10.28 11:42:48 | 000,000,132 | ---- | C] () -- C:\Users\Stamm\AppData\Roaming\Adobe BMP Format CS5 Prefs [2011.08.19 09:26:20 | 010,898,456 | ---- | C] () -- C:\Windows\System32\LogiDPP.dll [2011.08.19 09:26:20 | 000,336,408 | ---- | C] () -- C:\Windows\System32\DevManagerCore.dll [2011.08.19 09:26:20 | 000,104,472 | ---- | C] () -- C:\Windows\System32\LogiDPPApp.exe [2011.08.07 12:32:49 | 002,340,992 | ---- | C] () -- C:\Windows\System32\BootMan.exe [2011.08.07 12:32:49 | 000,018,048 | ---- | C] () -- C:\Windows\System32\EuEpmGdi.dll [2011.08.07 12:32:48 | 000,086,408 | ---- | C] () -- C:\Windows\System32\setupempdrv03.exe [2011.08.07 12:32:48 | 000,014,216 | ---- | C] () -- C:\Windows\System32\epmntdrv.sys [2011.08.07 12:32:48 | 000,008,456 | ---- | C] () -- C:\Windows\System32\EuGdiDrv.sys [2011.07.26 06:48:54 | 000,028,418 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini [2011.05.09 20:45:17 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe [2011.04.16 12:42:55 | 000,588,494 | ---- | C] () -- C:\Windows\System32\sig.bin [2010.12.02 16:45:47 | 000,165,376 | ---- | C] () -- C:\Windows\UNWISE.EXE [2010.11.10 20:29:00 | 000,545,245 | ---- | C] () -- C:\Users\Stamm\AppData\Roaming\mdbu.bin [2010.07.30 13:14:03 | 000,166,912 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL [2010.07.30 13:14:03 | 000,073,728 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL [2010.07.30 12:41:48 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat [2010.07.30 12:41:27 | 012,824,576 | ---- | C] () -- C:\ProgramData\sandra.mda ========== Alternate Data Streams ========== @Alternate Data Stream - 200 bytes -> C:\ProgramData\TEMP:D282699C < End of report > Code:
ATTFilter OTL Extras logfile created on: 23.03.2012 14:59:08 - Run 1 OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Stamm\Desktop Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 2,00 Gb Total Physical Memory | 1,62 Gb Available Physical Memory | 80,80% Memory free 4,00 Gb Paging File | 3,64 Gb Available in Paging File | 91,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 29,45 Gb Total Space | 4,61 Gb Free Space | 15,65% Space Free | Partition Type: NTFS Drive D: | 160,46 Gb Total Space | 28,78 Gb Free Space | 17,94% Space Free | Partition Type: NTFS Drive G: | 7,49 Gb Total Space | 7,48 Gb Free Space | 99,83% Space Free | Partition Type: FAT32 Computer Name: STAMM-PC | User Name: Stamm | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: All users Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_USERS\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" () Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.) Directory [CEWE FOTOSCHAU] -- "C:\Program Files\dm\dm-Fotowelt\CEWE FOTOSCHAU.exe" -d "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [dm-Fotowelt] -- "C:\Program Files\dm\dm-Fotowelt\dm-Fotowelt.exe" "%1" () Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [explore] -- Reg Error: Value error. Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "VistaSp1" = Reg Error: Unknown registry data type -- File not found "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 0 ========== Authorized Applications List ========== ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86 "{086A7D8C-0A38-4C7F-819A-620275550D5C}" = Nero Burning ROM Help "{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86 "{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help "{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86 "{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5 "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{2348B586-C9AE-46CE-936C-A68E9426E214}" = Nero StartSmart Help "{254BEB3E-1085-4D66-9CDC-0152C0DC2E93}" = EPSON TWAIN 5 "{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 29 "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{409ECFF1-9CC7-43A8-B28A-B7F0B7CB04D1}_is1" = Classic Menu for Office 2007 v5.20 "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4d3b7173-86fa-4f3b-b9e5-4443c08b7910}" = Nero 9 "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml "{6006059E-013D-4B77-BC5C-4DD5E4A6570D}" = G Data InternetSecurity 2012 "{60C731FB-C951-41CE-AD41-8E54C8594609}" = Nero Disc Copy Gadget Help "{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86 "{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable "{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart "{7829DB6F-A066-4E40-8912-CB07887C20BB}" = Nero BurnRights "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007 "{90120000-0015-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007 "{90120000-0019-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007 "{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{928D7B99-2BEA-49F9-83B8-20FA57860643}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{A23BFC95-4A73-410F-9248-4C2B48E38C49}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007 "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007 "{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{A6353E8F-5B8D-47CC-8737-DFF032ED3973}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007 "{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}" = Microsoft Office 2007 Service Pack 3 (SP3) "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In "{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86 "{97B56D25-365E-4BD6-BD70-2C3FAE3B279D}" = Logitech for Business Webcam Software "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5 "{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress "{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.2) - Deutsch "{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles "{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center "{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Systemsteuerung 260.99 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Grafiktreiber 260.99 "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit "{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter "{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2010.SP2 "{D025A639-B9C9-417D-8531-208859000AF8}" = NeroBurningROM "{D0ACE207-0F90-402C-8CFA-2CB3D44CE689}" = Adobe Photoshop Lightroom 3.6 "{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86 "{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005 "{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86 "{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player "{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer "{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8 "{F1861F30-3419-44DB-B2A1-C274825698B3}" = Nero Disc Copy Gadget "{F4041DCE-3FE1-4E18-8A9E-9DE65231EE36}" = Nero ControlCenter "{F6BDD7C5-89ED-4569-9318-469AA9732572}" = Nero BurnRights Help "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Aldi Süd Foto Service" = Aldi Süd Foto Service 4.6 "ALDI Süd Online Druck Service" = ALDI Süd Online Druck Service 4.6 "ALDI Sued Fotoservice_is1" = Aldi Sued Fotoservice 2.7 "Ashampoo WinOptimizer 6_is1" = Ashampoo WinOptimizer 6.60 "AudioCS" = Creative Audio-Systemsteuerung "BDE Information Utility" = BDE Information Utility "CCleaner" = CCleaner "chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help "com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player "Creative Software AutoUpdate" = Creative Software AutoUpdate "Creative Sound Blaster Properties" = Eigenschaften von Creative Sound Blaster "Defraggler" = Defraggler "dm-Fotowelt" = dm-Fotowelt "EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 8.0.1 Home Edition "ENTERPRISE" = Microsoft Office Enterprise 2007 "FKC22153088_is1" = fotokasten comfort "Foxit PDF Editor" = Foxit PDF Editor "IrfanView" = IrfanView (remove only) "lvdrivers_12.10" = Logitech for Business Webcam Software-Treiberpaket "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox 11.0 (x86 de)" = Mozilla Firefox 11.0 (x86 de) "PDF Blender" = PDF Blender "Revo Uninstaller" = Revo Uninstaller 1.92 "Secunia PSI" = Secunia PSI (2.0.0.4002) "SystemRequirementsLab" = System Requirements Lab "TeamViewer 7" = TeamViewer 7 "Update Service" = Sony Ericsson Update Service "VirtualCloneDrive" = VirtualCloneDrive "VLC media player" = VLC media player 2.0.0 "WinRAR archiver" = WinRAR ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-1949152909-3402139666-2300823091-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "Dropbox" = Dropbox ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 29.08.2011 13:12:48 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 29.08.2011 13:12:58 | Computer Name = Stamm-PC | Source = SideBySide | ID = 16842815 Description = Fehler beim Generieren des Aktivierungskontextes für "C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll". Fehler in Manifest- oder Richtliniendatei "C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" in Zeile 3. Der Wert "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" des "version"-Attributs im assemblyIdentity-Element ist ungültig. Error - 29.08.2011 16:53:55 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 29.08.2011 21:48:49 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 30.08.2011 04:31:09 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 30.08.2011 05:14:35 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 30.08.2011 06:02:52 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 30.08.2011 11:43:44 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 31.08.2011 06:37:21 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . Error - 31.08.2011 07:12:42 | Computer Name = Stamm-PC | Source = Microsoft-Windows-CAPI2 | ID = 4107 Description = Fehler beim Extrahieren der Drittanbieterstammliste aus der automatischen Aktualisierungs-CAB-Datei bei <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>. Fehler: Ein erforderliches Zertifikat befindet sich nicht im Gültigkeitszeitraum gemessen an der aktuellen Systemzeit oder dem Zeitstempel in der signierten Datei. . [ OSession Events ] Error - 13.12.2010 12:06:44 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 45 seconds with 0 seconds of active time. This session ended with a crash. Error - 17.12.2010 06:50:10 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1167 seconds with 240 seconds of active time. This session ended with a crash. Error - 31.12.2010 06:14:58 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 814 seconds with 60 seconds of active time. This session ended with a crash. Error - 17.01.2011 08:17:22 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 48 seconds with 0 seconds of active time. This session ended with a crash. Error - 09.03.2011 05:05:29 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 100 seconds with 60 seconds of active time. This session ended with a crash. Error - 15.03.2011 09:46:10 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 113 seconds with 60 seconds of active time. This session ended with a crash. Error - 30.03.2011 12:06:47 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 292 seconds with 240 seconds of active time. This session ended with a crash. Error - 23.05.2011 13:33:10 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 937 seconds with 780 seconds of active time. This session ended with a crash. Error - 17.12.2011 12:37:57 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 384 seconds with 120 seconds of active time. This session ended with a crash. Error - 23.01.2012 11:24:35 | Computer Name = Stamm-PC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 65 seconds with 60 seconds of active time. This session ended with a crash. [ System Events ] Error - 23.03.2012 09:52:16 | Computer Name = Stamm-PC | Source = DCOM | ID = 10005 Description = Error - 23.03.2012 09:52:24 | Computer Name = Stamm-PC | Source = DCOM | ID = 10005 Description = Error - 23.03.2012 09:52:28 | Computer Name = Stamm-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 23.03.2012 09:52:28 | Computer Name = Stamm-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 23.03.2012 09:52:28 | Computer Name = Stamm-PC | Source = Service Control Manager | ID = 7001 Description = Der Dienst "Computerbrowser" ist vom Dienst "Server" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: %%1068 Error - 23.03.2012 09:52:29 | Computer Name = Stamm-PC | Source = DCOM | ID = 10005 Description = Error - 23.03.2012 09:52:30 | Computer Name = Stamm-PC | Source = DCOM | ID = 10005 Description = Error - 23.03.2012 09:55:39 | Computer Name = Stamm-PC | Source = DCOM | ID = 10005 Description = Error - 23.03.2012 09:55:39 | Computer Name = Stamm-PC | Source = DCOM | ID = 10005 Description = Error - 23.03.2012 09:56:10 | Computer Name = Stamm-PC | Source = DCOM | ID = 10005 Description = < End of report > |
24.03.2012, 23:07 | #2 |
/// Selecta Jahrusso | BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Was genau wurde von dieser "Anleitung" ausgeführt ?
__________________
__________________ |
25.03.2012, 01:13 | #3 | |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Hallo, danke erst einmal, dass jemand antwortet.
__________________Tut mir auch leid, dass ich nicht alles ganz genau befolgt habe, z.B. defogger, DDS und GMER durchlaufen lassen. Habe ich jetzt alles gemacht und werde die Dateien noch einmal anhängen. Von der Anleitung habe ich nicht wirklich viel gemacht, sondern einfach nur den PC im abgesicherten Modus mit Netzwerktreibern gestartet und dann diese Anweisung befolgt, dass war es dann auch schon: Zitiert aus dieser "Anleitung": http://www.trojaner-board.de/107703-...lorer-exe.html Zitat:
Ich hänge jetzt noch anschließend die Dateien von DDS und GMER an. Ich habe gemerkt, dass ich leider die defogger_disable vergessen gerade nicht habe, lasse diese mir später noch einmal von meinen Eltern zuschicken. Ich befinde mich derzeit im Ausland und muss ihnen von hier Hilfestellung leisten, deswegen ist das alles ein wenig kompliziert. Hoffe ihr habt Verständnis. dds.txt [CODE].DDS Logfile: DDS Logfile: Code:
ATTFilter DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29 Run by Stamm at 10:34:18 on 2012-03-24 Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.2048.1653 [GMT 1:00] . AV: G Data InternetSecurity 2012 *Enabled/Updated* {39B780B4-63C2-05B0-3B40-8F7A21E4F496} SP: G Data InternetSecurity 2012 *Enabled/Updated* {82D66150-45F8-0A3E-01F0-B4085A63BE2B} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} FW: G Data Personal Firewall *Enabled* {018C0191-29AD-04E8-101F-264FDF37B3ED} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\Explorer.EXE C:\Windows\system32\ctfmon.exe C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\system32\conhost.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.spiegel.de/ BHO: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AVKWebIE.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: G Data BankGuard: {ba3295cf-17ed-4f49-9e95-d999a0adbfdc} - c:\program files\common files\g data\avkproxy\BanksafeBHO.dll BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll TB: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AVKWebIE.dll uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry mRun: [G Data AntiVirus Tray Application] c:\program files\g data\internetsecurity\avktray\AVKTray.exe mRun: [GDFirewallTray] c:\program files\g data\internetsecurity\firewall\GDFirewallTray.exe mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" StartupFolder: c:\users\stamm\appdata\roaming\micros~1\windows\startm~1\programs\startup\0.4194274011065664.exe.lnk - c:\windows\system32\rundll32.exe StartupFolder: c:\users\stamm\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\stamm\appdata\roaming\dropbox\bin\Dropbox.exe StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secunia psi tray.lnk - c:\program files\secunia\psi\psi_tray.exe uPolicies-system: DisableTaskMgr = 1 (0x1) mPolicies-explorer: NoResolveTrack = 1 (0x1) mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableLUA = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) mPolicies-system: PromptOnSecureDesktop = 0 (0x0) IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~1\office12\EXCEL.EXE/3000 IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab TCP: DhcpNameServer = 192.168.2.1 TCP: Interfaces\{740B1510-2513-4301-9C17-6B6EF483E9D6} : DhcpNameServer = 192.168.2.1 Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll Hosts: 127.0.0.1 www.spywareinfo.com Hosts: 127.0.0.2 serial.alcohol-soft.com # alcohol 120% . ================= FIREFOX =================== . FF - ProfilePath - c:\users\stamm\appdata\roaming\mozilla\firefox\profiles\o3zdvqm8.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.spiegel.de/ FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\avkwebfilterff.dll FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll . ---- FIREFOX POLICIES ---- FF - user.js: network.http.max-connections-per-server - 8 FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: content.notify.interval - 600000 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.switch.threshold - 600000 . ============= SERVICES / DRIVERS =============== . R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2011-4-16 40440] R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2011-1-15 27632] S1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2011-4-16 79992] S1 gdwfpcd;G Data WFP CD;c:\windows\system32\drivers\gdwfpcd32.sys [2011-4-16 54648] S1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-4-16 30256] S1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-4-16 39800] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928] S2 AVKProxy;G Data AntiVirus Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2012-2-13 1506824] S2 AVKService;G Data Scheduler;c:\program files\g data\internetsecurity\avk\AVKService.exe [2011-4-1 409608] S2 AVKWCtl;G Data Dateisystem Wächter;c:\program files\g data\internetsecurity\avk\AVKWCtl.exe [2012-2-13 1554184] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-7-30 1153368] S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-7-29 994360] S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-1-31 158856] S2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-2-13 3027840] S2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848] S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-7-30 79360] S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo winoptimizer 6\DfSdkS.exe [2010-11-28 406016] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-8-7 14216] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-8-7 8456] S3 GDFwSvc;G Data Personal Firewall;c:\program files\g data\internetsecurity\firewall\GDFwSvc.exe [2011-8-18 1613424] S3 GdNetMon;G Data Network Monitor;c:\windows\system32\drivers\GdNetMon32.sys [2011-4-16 29400] S3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [2010-7-30 49016] S3 GDScan;G Data Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2012-2-13 457536] S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2011-1-15 13224] S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544] S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware sandra lite 2010\RpcAgentSrv.exe [2010-7-30 93848] S3 StorSvc;Speicherdienst;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992] S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096] S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-9 52224] . =============== Created Last 30 ================ . 2012-03-24 09:29:40 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e78e61e-a772-415d-bac1-fd1f011f7a06}\offreg.dll 2012-03-22 17:05:24 -------- d-----w- c:\users\stamm\appdata\roaming\TeamViewer 2012-03-20 08:16:21 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e78e61e-a772-415d-bac1-fd1f011f7a06}\mpengine.dll 2012-03-19 14:13:43 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll 2012-03-19 14:13:43 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll 2012-03-14 16:10:44 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-03-14 16:10:41 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-03-14 15:54:00 2343424 ----a-w- c:\windows\system32\win32k.sys 2012-03-14 15:53:59 1077248 ----a-w- c:\windows\system32\DWrite.dll 2012-03-14 15:53:36 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-03-14 15:53:36 58880 ----a-w- c:\windows\system32\rdpwsx.dll 2012-03-14 15:53:36 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-03-14 15:53:34 826880 ----a-w- c:\windows\system32\rdpcore.dll 2012-03-14 15:53:34 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys 2012-03-14 15:53:33 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys . ==================== Find3M ==================== . 2012-03-22 12:52:59 588494 ----a-w- c:\windows\system32\sig.bin 2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe 2012-02-13 17:56:30 79992 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys 2012-02-13 17:56:30 40440 ----a-w- c:\windows\system32\drivers\GDBehave.sys 2012-02-13 17:56:29 54648 ----a-w- c:\windows\system32\drivers\gdwfpcd32.sys 2012-02-13 17:16:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-01-04 08:58:41 442880 ----a-w- c:\windows\system32\ntshrui.dll 2011-12-30 05:27:56 478720 ----a-w- c:\windows\system32\timedate.cpl . ============= FINISH: 10:35:08,06 =============== --- --- --- attach.txt Code:
ATTFilter . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft Windows 7 Professional Boot Device: \Device\HarddiskVolume1 Install Date: 30.07.2010 12:03:37 System Uptime: 24.03.2012 10:15:09 (0 hours ago) . Motherboard: ASUSTeK Computer INC. | | A8N-SLI Processor: AMD Athlon(tm) 64 Processor 3000+ | Socket 939 | 1813/200mhz . ==== Disk Partitions ========================= . A: is Removable C: is FIXED (NTFS) - 29 GiB total, 4,598 GiB free. D: is FIXED (NTFS) - 160 GiB total, 28,783 GiB free. E: is CDROM () F: is CDROM () H: is CDROM () . ==== Disabled Device Manager Items ============= . Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1} Description: Security Processor Loader Driver Device ID: ROOT\LEGACY_SPLDR\0000 Manufacturer: Name: Security Processor Loader Driver PNP Device ID: ROOT\LEGACY_SPLDR\0000 Service: spldr . Class GUID: Description: Device ID: ACPI\PNPB006\3&2411E6FE&1 Manufacturer: Name: PNP Device ID: ACPI\PNPB006\3&2411E6FE&1 Service: . ==== System Restore Points =================== . No restore point in system. . ==== Installed Programs ====================== . Update for Microsoft Office 2007 (KB2508958) Adobe AIR Adobe Community Help Adobe Flash Player 10 ActiveX Adobe Flash Player 11 Plugin Adobe Media Player Adobe Photoshop CS5 Adobe Photoshop Lightroom 3.6 Adobe Reader X (10.1.2) - Deutsch Advertising Center Aldi Süd Foto Service 4.6 ALDI Süd Online Druck Service 4.6 Aldi Sued Fotoservice 2.7 Ashampoo WinOptimizer 6.60 BDE Information Utility CCleaner Classic Menu for Office 2007 v5.20 Creative Audio-Systemsteuerung Creative Software AutoUpdate Defraggler dm-Fotowelt DolbyFiles Dropbox EASEUS Partition Master 8.0.1 Home Edition Eigenschaften von Creative Sound Blaster EPSON TWAIN 5 fotokasten comfort Foxit PDF Editor G Data InternetSecurity 2012 ImagXpress IrfanView (remove only) Java Auto Updater Java(TM) 6 Update 29 Logitech for Business Webcam Software Logitech for Business Webcam Software-Treiberpaket Menu Templates - Starter Kit Microsoft .NET Framework 4 Client Profile Microsoft Office 2007 Service Pack 3 (SP3) Microsoft Office Access MUI (German) 2007 Microsoft Office Enterprise 2007 Microsoft Office Excel MUI (German) 2007 Microsoft Office File Validation Add-In Microsoft Office Groove MUI (German) 2007 Microsoft Office InfoPath MUI (German) 2007 Microsoft Office OneNote MUI (German) 2007 Microsoft Office Outlook MUI (German) 2007 Microsoft Office PowerPoint MUI (German) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (German) 2007 Microsoft Office Proof (Italian) 2007 Microsoft Office Proofing (German) 2007 Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) Microsoft Office Publisher MUI (German) 2007 Microsoft Office Shared MUI (German) 2007 Microsoft Office Word MUI (German) 2007 Microsoft Primary Interoperability Assemblies 2005 Microsoft Silverlight Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft_VC80_ATL_x86 Microsoft_VC80_CRT_x86 Microsoft_VC80_MFC_x86 Microsoft_VC80_MFCLOC_x86 Microsoft_VC90_ATL_x86 Microsoft_VC90_CRT_x86 Microsoft_VC90_MFC_x86 Mozilla Firefox 11.0 (x86 de) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Nero 9 Nero Burning ROM Help Nero BurnRights Nero BurnRights Help Nero ControlCenter Nero Disc Copy Gadget Nero Disc Copy Gadget Help Nero Installer Nero StartSmart Nero StartSmart Help NeroBurningROM neroxml NVIDIA Grafiktreiber 260.99 NVIDIA Install Application NVIDIA Systemsteuerung 260.99 PDF Blender PDF Settings CS5 Realtek AC'97 Audio Revo Uninstaller 1.92 Secunia PSI (2.0.0.4002) Security Update for CAPICOM (KB931906) Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition SiSoftware Sandra Lite 2010.SP2 Skype™ 5.8 Sony Ericsson Update Service Spybot - Search & Destroy System Requirements Lab TeamViewer 7 Update für Microsoft Office Excel 2007 Help (KB963678) Update für Microsoft Office Outlook 2007 Help (KB963677) Update für Microsoft Office Powerpoint 2007 Help (KB963669) Update für Microsoft Office Word 2007 Help (KB963665) Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition Update for Microsoft Office 2007 suites (KB2597998) 32-Bit Edition Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition VirtualCloneDrive VLC media player 2.0.0 WinRAR . ==== End Of File =========================== Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net Rootkit scan 2012-03-24 11:05:47 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Maxtor_6B200P0 rev.BAH41E00 Running: GMER 1.0.15.15641.exe; Driver: C:\Users\Stamm\AppData\Local\Temp\agloypoc.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13C1 81E573D9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E90D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ? C:\Users\Stamm\AppData\Local\Temp\mbr.sys Das System kann die angegebene Datei nicht finden. ! ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation) ---- EOF - GMER 1.0.15 ---- Sorry für die anfangs nicht genau Befolgung. |
25.03.2012, 01:16 | #4 | |
/// Selecta Jahrusso | BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Warum schickst du nicht deine Eltern hier ins Forum ? Zitat:
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
25.03.2012, 01:50 | #5 |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Weil meine Eltern nicht so einfach damit klar kommen. Ist einfacher, wenn ich das regel. Bezüglich der Host Datei. Ja muss zugeben, dass ich Alcohol 120 von nem Freund bekommen habe und der hat das aus dem Internet, also ich denke es bewegt sich eher ini dem nicht legalen Bereich. Hmm tut mir leid. Dachte eigentlich, dass ich nur legale Software auf den PC meiner Eltern gespielt hätte, tut mir leid. Wird mir jetzt die Unterstützung versagt? Das war so nicht vorgesehen, hoffe ihr könnt mir noch einmal verzeihen |
25.03.2012, 14:45 | #6 |
/// Selecta Jahrusso | BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Deinstalliere diese Software und poste neue DDS Logs
__________________ --> BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt |
26.03.2012, 14:38 | #7 |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Nach der Deinstallation hier die neue DDS-Datei. [CODE].DDS Logfile: Code:
ATTFilter DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29 Run by Stamm at 15:25:59 on 2012-03-26 Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.2048.1716 [GMT 2:00] . AV: G Data InternetSecurity 2012 *Enabled/Updated* {39B780B4-63C2-05B0-3B40-8F7A21E4F496} SP: G Data InternetSecurity 2012 *Enabled/Updated* {82D66150-45F8-0A3E-01F0-B4085A63BE2B} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} FW: G Data Personal Firewall *Enabled* {018C0191-29AD-04E8-101F-264FDF37B3ED} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\Explorer.EXE C:\Windows\system32\ctfmon.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\conhost.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.spiegel.de/ BHO: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AVKWebIE.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: G Data BankGuard: {ba3295cf-17ed-4f49-9e95-d999a0adbfdc} - c:\program files\common files\g data\avkproxy\BanksafeBHO.dll BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll TB: G Data WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\g data\internetsecurity\webfilter\AVKWebIE.dll uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry mRun: [G Data AntiVirus Tray Application] c:\program files\g data\internetsecurity\avktray\AVKTray.exe mRun: [GDFirewallTray] c:\program files\g data\internetsecurity\firewall\GDFirewallTray.exe mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" StartupFolder: c:\users\stamm\appdata\roaming\micros~1\windows\startm~1\programs\startup\0.4194274011065664.exe.lnk - c:\windows\system32\rundll32.exe StartupFolder: c:\users\stamm\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\stamm\appdata\roaming\dropbox\bin\Dropbox.exe StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secunia psi tray.lnk - c:\program files\secunia\psi\psi_tray.exe uPolicies-system: DisableTaskMgr = 1 (0x1) mPolicies-explorer: NoResolveTrack = 1 (0x1) mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableLUA = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) mPolicies-system: PromptOnSecureDesktop = 0 (0x0) IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~1\office12\EXCEL.EXE/3000 IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab TCP: DhcpNameServer = 192.168.2.1 TCP: Interfaces\{740B1510-2513-4301-9C17-6B6EF483E9D6} : DhcpNameServer = 192.168.2.1 Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll Hosts: 127.0.0.1 www.spywareinfo.com Hosts: 12# End of entries inserted by Spybot - Search & Destroy . ================= FIREFOX =================== . FF - ProfilePath - c:\users\stamm\appdata\roaming\mozilla\firefox\profiles\o3zdvqm8.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.spiegel.de/ FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\avkwebfilterff.dll FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll . ---- FIREFOX POLICIES ---- FF - user.js: network.http.max-connections-per-server - 8 FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: content.notify.interval - 600000 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.switch.threshold - 600000 . ============= SERVICES / DRIVERS =============== . R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2011-4-16 40440] R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2011-1-15 27632] S1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2011-4-16 79992] S1 gdwfpcd;G Data WFP CD;c:\windows\system32\drivers\gdwfpcd32.sys [2011-4-16 54648] S1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-4-16 30256] S1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-4-16 39800] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928] S2 AVKProxy;G Data AntiVirus Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2012-2-13 1506824] S2 AVKService;G Data Scheduler;c:\program files\g data\internetsecurity\avk\AVKService.exe [2011-4-1 409608] S2 AVKWCtl;G Data Dateisystem Wächter;c:\program files\g data\internetsecurity\avk\AVKWCtl.exe [2012-2-13 1554184] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-7-30 1153368] S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-7-29 994360] S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-1-31 158856] S2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-2-13 3027840] S2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848] S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-7-30 79360] S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo winoptimizer 6\DfSdkS.exe [2010-11-28 406016] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-8-7 14216] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-8-7 8456] S3 GDFwSvc;G Data Personal Firewall;c:\program files\g data\internetsecurity\firewall\GDFwSvc.exe [2011-8-18 1613424] S3 GdNetMon;G Data Network Monitor;c:\windows\system32\drivers\GdNetMon32.sys [2011-4-16 29400] S3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [2010-7-30 49016] S3 GDScan;G Data Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2012-2-13 457536] S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2011-1-15 13224] S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544] S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware sandra lite 2010\RpcAgentSrv.exe [2010-7-30 93848] S3 StorSvc;Speicherdienst;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992] S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096] S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-9 52224] . =============== Created Last 30 ================ . 2012-03-22 17:05:24 -------- d-----w- c:\users\stamm\appdata\roaming\TeamViewer 2012-03-20 08:16:21 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e78e61e-a772-415d-bac1-fd1f011f7a06}\mpengine.dll 2012-03-19 14:13:43 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll 2012-03-19 14:13:43 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll 2012-03-14 16:10:44 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-03-14 16:10:41 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-03-14 15:54:00 2343424 ----a-w- c:\windows\system32\win32k.sys 2012-03-14 15:53:59 1077248 ----a-w- c:\windows\system32\DWrite.dll 2012-03-14 15:53:36 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-03-14 15:53:36 58880 ----a-w- c:\windows\system32\rdpwsx.dll 2012-03-14 15:53:36 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-03-14 15:53:34 826880 ----a-w- c:\windows\system32\rdpcore.dll 2012-03-14 15:53:34 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys 2012-03-14 15:53:33 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys . ==================== Find3M ==================== . 2012-03-22 12:52:59 588494 ----a-w- c:\windows\system32\sig.bin 2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe 2012-02-13 17:56:30 79992 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys 2012-02-13 17:56:30 40440 ----a-w- c:\windows\system32\drivers\GDBehave.sys 2012-02-13 17:56:29 54648 ----a-w- c:\windows\system32\drivers\gdwfpcd32.sys 2012-02-13 17:16:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-01-04 08:58:41 442880 ----a-w- c:\windows\system32\ntshrui.dll 2011-12-30 05:27:56 478720 ----a-w- c:\windows\system32\timedate.cpl . ============= FINISH: 15:27:17,43 =============== |
26.03.2012, 14:54 | #8 | |
/// Selecta Jahrusso | BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführtCombofix darf ausschließlich ausgeführt werden, wenn dies von einem Team Mitglied angewiesen wurde!Downloade dir bitte Combofix von einem dieser Downloadspiegel Link 1 Link 2 WICHTIG - Speichere Combofix auf deinem Desktop
Wenn Combofix fertig ist, wird es eine Logfile erstellen. Bitte poste die C:\Combofix.txt in deiner nächsten Antwort. Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten Zitat:
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
28.03.2012, 15:07 | #9 |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Hier jetzt endlich die ComboFix.txt. Musste erst die Virenscanner (GData) über Eingabeaufforderung mit msconfig deaktivieren (Autostart und Dienste). Code:
ATTFilter ComboFix 12-03-27.02 - Stamm 28.03.2012 15:46:06.1.1 - x86 NETWORK Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.2048.1682 [GMT 2:00] ausgeführt von:: c:\users\Stamm\Desktop\ComboFix.exe AV: G Data InternetSecurity 2012 *Disabled/Updated* {39B780B4-63C2-05B0-3B40-8F7A21E4F496} FW: G Data Personal Firewall *Disabled* {018C0191-29AD-04E8-101F-264FDF37B3ED} SP: G Data InternetSecurity 2012 *Disabled/Updated* {82D66150-45F8-0A3E-01F0-B4085A63BE2B} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Neuer Wiederherstellungspunkt wurde erstellt . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Stamm\4.0 . . ((((((((((((((((((((((( Dateien erstellt von 2012-02-28 bis 2012-03-28 )))))))))))))))))))))))))))))) . . 2012-03-28 13:52 . 2012-03-28 13:52 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-03-22 17:05 . 2012-03-22 17:05 -------- d-----w- c:\users\Stamm\AppData\Roaming\TeamViewer 2012-03-20 08:16 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0E78E61E-A772-415D-BAC1-FD1F011F7A06}\mpengine.dll 2012-03-19 14:13 . 2012-03-19 14:13 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll 2012-03-19 14:13 . 2012-03-19 14:13 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll 2012-03-14 16:10 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-03-14 16:10 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-03-14 15:54 . 2012-02-03 03:54 2343424 ----a-w- c:\windows\system32\win32k.sys 2012-03-14 15:53 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\system32\DWrite.dll 2012-03-14 15:53 . 2012-01-25 05:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll 2012-03-14 15:53 . 2012-01-25 05:32 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-03-14 15:53 . 2012-01-25 05:27 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-03-14 15:53 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll 2012-03-14 15:53 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys 2012-03-14 15:53 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-02-23 08:18 . 2010-07-30 11:16 237072 ------w- c:\windows\system32\MpSigStub.exe 2012-02-13 17:56 . 2011-04-16 11:34 79992 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys 2012-02-13 17:56 . 2011-04-16 11:34 40440 ----a-w- c:\windows\system32\drivers\GDBehave.sys 2012-02-13 17:56 . 2011-04-16 11:34 54648 ----a-w- c:\windows\system32\drivers\gdwfpcd32.sys 2012-02-13 17:16 . 2011-06-28 15:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-01-04 08:58 . 2012-02-16 11:34 442880 ----a-w- c:\windows\system32\ntshrui.dll 2011-12-30 05:27 . 2012-02-16 11:34 478720 ----a-w- c:\windows\system32\timedate.cpl 2012-03-19 14:13 . 2012-02-13 17:17 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "P17RunE"="P17RunE.dll" [2008-03-28 14848] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] . c:\users\Stamm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dropbox.lnk - c:\users\Stamm\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-7-29 291896] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G Data AntiVirus Tray Application] 2011-05-11 10:18 923144 ----a-w- c:\program files\G Data\InternetSecurity\AVKTray\AVKTray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GDFirewallTray] 2011-10-28 13:36 1617416 ----a-w- c:\program files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon] 2009-09-15 17:21 2788624 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" /logon . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" . R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2012-02-13 79992] R1 gdwfpcd;G Data WFP CD;c:\windows\system32\drivers\gdwfpcd32.sys [2012-02-13 54648] R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-04-16 30256] R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-06-07 39800] R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368] R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-07-29 994360] R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-01-31 158856] R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840] R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848] R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-07-30 79360] R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016] R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216] R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456] R3 GdNetMon;G Data Network Monitor;c:\windows\system32\drivers\GdNetMon32.sys [2011-04-16 29400] R3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [2011-08-18 49016] R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2011-01-15 13224] R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544] R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [2009-08-10 93848] R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224] R4 AVKProxy;G Data AntiVirus Proxy;c:\program files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2011-10-28 1506824] R4 AVKService;G Data Scheduler;c:\program files\G Data\InternetSecurity\AVK\AVKService.exe [2011-04-01 409608] R4 AVKWCtl;G Data Dateisystem Wächter;c:\program files\G Data\InternetSecurity\AVK\AVKWCtl.exe [2011-10-28 1554184] R4 GDFwSvc;G Data Personal Firewall;c:\program files\G Data\InternetSecurity\Firewall\GDFwSvc.exe [2011-08-10 1613424] R4 GDScan;G Data Scanner;c:\program files\Common Files\G DATA\GDScan\GDScan.exe [2011-10-28 457536] S0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2012-02-13 40440] S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2011-01-15 27632] . . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.spiegel.de/ IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.2.1 FF - ProfilePath - c:\users\Stamm\AppData\Roaming\Mozilla\Firefox\Profiles\o3zdvqm8.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.spiegel.de/ FF - user.js: network.http.max-connections-per-server - 8 FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: content.notify.interval - 600000 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.switch.threshold - 600000 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- . - - - - - - - > 'Explorer.exe'(1608) c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . Zeit der Fertigstellung: 2012-03-28 15:55:14 ComboFix-quarantined-files.txt 2012-03-28 13:55 . Vor Suchlauf: 4.835.733.504 Bytes frei Nach Suchlauf: 4.701.331.456 Bytes frei . - - End Of File - - B420A0E6E541F6ED1174B1D4976FDC75 |
28.03.2012, 15:23 | #10 |
/// Selecta Jahrusso | BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Starte den Rechner bitte mal in den Normalmodus und lass Combofix erneut laufen. Gehe sicher, dass deine Anti Viren Software temporär abgestellt ist.
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
28.03.2012, 17:45 | #11 |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Hallo. Also PC konnte gestartet werden, kam anschließend keine BKA-Trojaner-Meldung. Hier die Logfile von ComboFix Code:
ATTFilter ComboFix 12-03-27.02 - Stamm 28.03.2012 18:16:39.2.1 - x86 Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.2048.1445 [GMT 2:00] ausgeführt von:: c:\users\Stamm\Desktop\ComboFix.exe AV: G Data InternetSecurity 2012 *Disabled/Updated* {39B780B4-63C2-05B0-3B40-8F7A21E4F496} FW: G Data Personal Firewall *Disabled* {018C0191-29AD-04E8-101F-264FDF37B3ED} SP: G Data InternetSecurity 2012 *Disabled/Updated* {82D66150-45F8-0A3E-01F0-B4085A63BE2B} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Neuer Wiederherstellungspunkt wurde erstellt . . ((((((((((((((((((((((( Dateien erstellt von 2012-02-28 bis 2012-03-28 )))))))))))))))))))))))))))))) . . 2012-03-28 16:26 . 2012-03-28 16:26 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-03-22 17:05 . 2012-03-22 17:05 -------- d-----w- c:\users\Stamm\AppData\Roaming\TeamViewer 2012-03-20 08:16 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0E78E61E-A772-415D-BAC1-FD1F011F7A06}\mpengine.dll 2012-03-19 14:13 . 2012-03-19 14:13 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll 2012-03-19 14:13 . 2012-03-19 14:13 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll 2012-03-14 16:10 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-03-14 16:10 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-03-14 15:54 . 2012-02-03 03:54 2343424 ----a-w- c:\windows\system32\win32k.sys 2012-03-14 15:53 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\system32\DWrite.dll 2012-03-14 15:53 . 2012-01-25 05:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll 2012-03-14 15:53 . 2012-01-25 05:32 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-03-14 15:53 . 2012-01-25 05:27 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-03-14 15:53 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll 2012-03-14 15:53 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys 2012-03-14 15:53 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-02-23 08:18 . 2010-07-30 11:16 237072 ------w- c:\windows\system32\MpSigStub.exe 2012-02-13 17:56 . 2011-04-16 11:34 79992 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys 2012-02-13 17:56 . 2011-04-16 11:34 40440 ----a-w- c:\windows\system32\drivers\GDBehave.sys 2012-02-13 17:56 . 2011-04-16 11:34 54648 ----a-w- c:\windows\system32\drivers\gdwfpcd32.sys 2012-02-13 17:16 . 2011-06-28 15:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-01-04 08:58 . 2012-02-16 11:34 442880 ----a-w- c:\windows\system32\ntshrui.dll 2011-12-30 05:27 . 2012-02-16 11:34 478720 ----a-w- c:\windows\system32\timedate.cpl 2012-03-19 14:13 . 2012-02-13 17:17 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-10-31 21:02 94208 ----a-w- c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "P17RunE"="P17RunE.dll" [2008-03-28 14848] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] . c:\users\Stamm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dropbox.lnk - c:\users\Stamm\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-7-29 291896] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G Data AntiVirus Tray Application] 2011-05-11 10:18 923144 ----a-w- c:\program files\G Data\InternetSecurity\AVKTray\AVKTray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GDFirewallTray] 2011-10-28 13:36 1617416 ----a-w- c:\program files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon] 2009-09-15 17:21 2788624 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" /logon . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" . R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368] R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-01-31 158856] R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-07-30 79360] R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016] R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216] R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456] R3 GdNetMon;G Data Network Monitor;c:\windows\system32\drivers\GdNetMon32.sys [2011-04-16 29400] R3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [2011-08-18 49016] R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2011-01-15 13224] R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544] R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware Sandra Lite 2010\RpcAgentSrv.exe [2009-08-10 93848] R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224] R4 AVKProxy;G Data AntiVirus Proxy;c:\program files\Common Files\G DATA\AVKProxy\AVKProxy.exe [2011-10-28 1506824] R4 AVKService;G Data Scheduler;c:\program files\G Data\InternetSecurity\AVK\AVKService.exe [2011-04-01 409608] R4 AVKWCtl;G Data Dateisystem Wächter;c:\program files\G Data\InternetSecurity\AVK\AVKWCtl.exe [2011-10-28 1554184] R4 GDFwSvc;G Data Personal Firewall;c:\program files\G Data\InternetSecurity\Firewall\GDFwSvc.exe [2011-08-10 1613424] R4 GDScan;G Data Scanner;c:\program files\Common Files\G DATA\GDScan\GDScan.exe [2011-10-28 457536] S0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2012-02-13 40440] S1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2012-02-13 79992] S1 gdwfpcd;G Data WFP CD;c:\windows\system32\drivers\gdwfpcd32.sys [2012-02-13 54648] S1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-04-16 30256] S1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-06-07 39800] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-07-29 994360] S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840] S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848] S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2011-01-15 27632] . . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.spiegel.de/ IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.2.1 FF - ProfilePath - c:\users\Stamm\AppData\Roaming\Mozilla\Firefox\Profiles\o3zdvqm8.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.spiegel.de/ FF - user.js: network.http.max-connections-per-server - 8 FF - user.js: network.http.max-persistent-connections-per-server - 4 FF - user.js: nglayout.initialpaint.delay - 600 FF - user.js: content.notify.interval - 600000 FF - user.js: content.max.tokenizing.time - 1800000 FF - user.js: content.switch.threshold - 600000 . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- . - - - - - - - > 'Explorer.exe'(2880) c:\users\Stamm\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . Zeit der Fertigstellung: 2012-03-28 18:31:55 ComboFix-quarantined-files.txt 2012-03-28 16:31 ComboFix2.txt 2012-03-28 13:55 . Vor Suchlauf: 4.513.013.760 Bytes frei Nach Suchlauf: 4.460.646.400 Bytes frei . - - End Of File - - 983887D0417A21514885ED47CE710961 |
28.03.2012, 17:55 | #12 |
/// Selecta Jahrusso | BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Downloade Dir bitte Malwarebytes
ESET Online Scanner
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
31.03.2012, 07:44 | #13 |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Hey, hier anbei die Ergebnisse von Malwarebytes und ESET. Code:
ATTFilter Malwarebytes Anti-Malware 1.60.1.1000 www.malwarebytes.org Datenbank Version: v2012.03.28.05 Windows 7 Service Pack 1 x86 NTFS (Abgesichertenmodus/Netzwerkfähig) Internet Explorer 9.0.8112.16421 Stamm :: STAMM-PC [Administrator] 29.03.2012 16:46:59 mbam-log-2012-03-29 (16-46-59).txt Art des Suchlaufs: Quick-Scan Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 177340 Laufzeit: 2 Minute(n), 58 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) Code:
ATTFilter C:\Users\Stamm\AppData\Local\Mozilla\Firefox\Profiles\o3zdvqm8.default\Cache\3\40\7AE0Dd01 JS/Kryptik.KP.Gen trojan C:\Users\Stamm\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\1af16d9c-27993e8c Java/Agent.EI trojan C:\Users\Stamm\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\4620d1a1-7966f5eb a variant of Java/Exploit.CVE-2012-0507.B trojan C:\Users\Stamm\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\4ca9867b-1c072284 Java/TrojanDownloader.Agent.NDR trojan -- |
31.03.2012, 14:15 | #14 |
/// Selecta Jahrusso | BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Hy, sieht ganz gut aus. Noch irgendwelche Probleme ?
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
31.03.2012, 17:10 | #15 |
| BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt Aber diese gefundenen Threads wurden doch jetzt nicht gelöscht. Also müssen diese doch jetzt eigentlich noch gelöscht werden oder? Weil ich ja extra darauf achten sollte das KEIN Haken bei Remove Found Threads gesetzt ist. Sollte ich Java mal vollständig deinstallieren und anschließend wieder neu aufspielen? Nachdem die Viren entfernt wurden, sollte ich dann des Öfteren CCleaner drüberlaufen lassen? Dann müsste z.B. doch auch der Cache von Firefox gelöscht werden. |
Themen zu BKA-Trojaner Windows 7 (32-bit) Virus in "explorer.exe" OTL schon durchgeführt |
.dll, alternate, bankguard, bho, defender, disabletaskmgr, error, fehler, fehler 5, firefox, firewall, flash player, format, gdata, install.exe, internet, kaspersky, langs, locker, logfile, microsoft office word, netzwerk, nicht möglich, nvidia, object, office 2007, photoshop, plug-in, problem, programme, realtek, registry, revo uninstaller, richtlinie, rundll, scan, searchscopes, secunia psi, version=1.0, virus, windows, windowsunlocker |