Trojaner-Board, forum "Plagegeister aller Art und deren Bekämpfung" (malware of all kinds and its removal), Windows 7

#1
Rogue.ControlCenter and ADWARE/Adware.Gen after installing PDFCreator

Hello dear Trojaner-Board team,

after my girlfriend downloaded PDFCreator from chip.de (www.chip.de/downloads/PDFCreator_13009777.html), Avira reported the following during the installation:

Code:
22.04.2012 21:56 [Realtime Scanner] Malware found
In the file 'C:\Users\Nele\AppData\Local\Temp\is-2T3LV.tmp\InstallManager.exe'
a virus or unwanted program 'ADWARE/Adware.Gen' [adware]
was found.
Action taken: Handed over to scanner
22.04.2012 21:56 [Realtime Scanner] Malware found
In the file 'C:\Users\Nele\AppData\Local\Temp\is-2T3LV.tmp\InstallManager.exe'
a virus or unwanted program 'ADWARE/Adware.Gen' [adware]
was found.
Action taken: Deny access
Now I wanted to ask whether the laptop is safe now. Following the instructions for creating posts, I then ran Defogger, then DDS, and afterwards GMER in Safe Mode (I also ran MBAM again in Safe Mode right away).

DDS:

Code:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Nele at 9:28:34 on 2012-04-25
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.2935.1898 [GMT 2:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Launch Manager\WisLMSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Nele\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\DllHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825
uDefault_Page_URL = hxxp://www.aldi.com
uInternet Settings,ProxyServer = bibliothek.fh-fresenius.de:8080
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {40C3CC16-7269-4B32-9531-17F2950FB06F} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /FORPCEE3
mRun: [HotkeyApp] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [LMgrVolOSD] "c:\program files\launch manager\OSD.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSDCtrl.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\nele\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\nele\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Citavi Picker... - file://c:\programdata\swiss academic software\citavi picker\internet explorer\ShowContextMenu.html
IE: An OneNote s&enden - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 62.109.123.196 213.191.74.18 192.168.0.1
TCP: Interfaces\{45E7A42D-34F3-4E38-8108-0519D5D90937} : DhcpNameServer = 62.109.123.196 213.191.74.18 192.168.0.1
TCP: Interfaces\{45E7A42D-34F3-4E38-8108-0519D5D90937}\6427563756E69657374427164786C6F637 : DhcpNameServer = 192.168.172.1
TCP: Interfaces\{45E7A42D-34F3-4E38-8108-0519D5D90937}\E4544574541425 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AF1075E2-4B82-43A8-937F-DE7FCB359661} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.ftp - 217.17.29.34
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 217.17.29.34
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 217.17.29.34
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 217.17.29.34
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 217.17.29.34
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\extensions\zoterowinwordintegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\nele\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll
FF - plugin: c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\extensions\2020player_ikea@2020technologies.com\plugins\NP_2020Player_IKEA.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-16 36000]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AntiVirSchedulerService;Avira Planer;c:\program files\avira\antivir desktop\sched.exe [2011-10-16 86224]
R2 AntiVirService;Avira Echtzeit Scanner;c:\program files\avira\antivir desktop\avguard.exe [2011-10-16 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-16 74640]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-2-3 1155072]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2010-4-22 13336]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2010-4-22 2320920]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-4-22 132352]
R3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-4-22 232960]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-4-14 67624]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-4-1 1009184]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
R3 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2010-4-22 118560]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2010-4-22 13720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 NxpCap;CTX capture service;c:\windows\system32\drivers\NxpCap.sys [2010-4-14 1558368]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PIXMCV;Victor Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2004-6-3 33792]
S3 PIXMCVA;Victor PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2004-3-20 38144]
S3 PIXMCVV;Victor PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2004-3-27 32768]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-4-22 191008]
S3 StkCMini;Syntek AVStream USB2.0 ATV;c:\windows\system32\drivers\StkCMini.sys [2011-10-23 1521544]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-7 52224]
S3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-9 1343400]
.
=============== Created Last 30 ================
.
2012-04-25 07:20:34 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ff8ea98c-d19f-485e-92c7-70312f209f90}\mpengine.dll
2012-04-22 21:05:25 -------- d-----w- c:\users\nele\appdata\roaming\Malwarebytes
2012-04-22 21:05:17 -------- d-----w- c:\programdata\Malwarebytes
2012-04-22 21:05:15 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-22 21:05:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-11 10:12:50 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 10:12:50 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 10:12:50 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 10:12:50 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 10:11:24 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 10:11:24 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-04 05:53:56 182160 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-03-31 13:08:28 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-28 18:28:44 -------- d-----w- c:\users\nele\appdata\roaming\ProtectDisc
2012-03-28 18:27:47 -------- d-----w- c:\users\nele\appdata\local\Apps
2012-03-28 18:27:46 -------- d-----w- c:\users\nele\appdata\local\Deployment
.
==================== Find3M ====================
.
2012-04-15 06:50:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 10:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54:27 2343424 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 9:29:22,39 ===============
Thank you very much in advance for your help.
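The Avira event and the DDS sections above carry the facts that decide this case: where the detected file lived, whether it was allowed to run, and what the browser start page and the proxy settings say. The script below is an added example (this editor's, not the original poster's and not code from DDS, Avira or Trojaner-Board) that scores those lines. SAMPLE_LOG repeats lines from the post with the Avira event translated; the search-hijack watchlist, the Inno Setup path heuristic and the severity labels are assumptions of the example.

```python
"""Triage of the Avira event and DDS log lines posted above.
Added example, not part of the original post nor code from DDS, Avira or
Trojaner-Board. SAMPLE_LOG repeats lines from the post; the watchlist,
the path heuristic and the severity labels are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SEARCH_HIJACK_WATCHLIST = {"search.conduit.com"}  # assumption: analyst watchlist
BLOCKING_ACTIONS = {"Zugriff verweigern", "Deny access"}  # Avira wording, DE and EN

# Constructed from lines in the post above (Avira event translated to English).
SAMPLE_LOG = r"""
In the file 'C:\Users\Nele\AppData\Local\Temp\is-2T3LV.tmp\InstallManager.exe'
a virus or unwanted program 'ADWARE/Adware.Gen' [adware]
Action taken: Deny access
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825
uDefault_Page_URL = hxxp://www.aldi.com
uInternet Settings,ProxyServer = bibliothek.fh-fresenius.de:8080
FF - prefs.js: network.proxy.http - 217.17.29.34
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" | "review" | "suspect"
    reason: str
    evidence: str


def refang(url: str) -> str:
    """DDS defangs URLs as hxxp://; restore the scheme so urlsplit sees the host."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    ff_proxy_type: int | None = None
    ff_proxy_hosts: set[str] = set()

    def add(severity: str, reason: str, evidence: str) -> None:
        f = Finding(severity, reason, evidence)
        if f not in findings:  # Avira logs the same file once per action
            findings.append(f)

    for raw in log.splitlines():
        line = raw.strip()
        # 1. AV event: the quoted path says where the detected file lived.
        m = re.search(r"'([A-Za-z]:\\[^']+)'", line)
        if m:
            if "\\appdata\\local\\temp\\is-" in m.group(1).lower():
                add("suspect", "detected file was unpacked into %TEMP%\\is-XXXXX.tmp (Inno Setup "
                    "extraction dir), so it came bundled inside the downloaded installer", m.group(1))
            else:
                add("review", "AV detection; check whether the file still exists", m.group(1))
            continue
        m = re.match(r"^(?:Ausgeführte Aktion|Action taken): (.+)$", line)
        if m:
            blocked = m.group(1) in BLOCKING_ACTIONS
            add("info", "file was blocked from running" if blocked else "intermediate AV action", m.group(1))
            continue
        # 2. DDS: browser start/default page pointing at a search-hijack domain.
        m = re.match(r"^[um](?:Start Page|Default_Page_URL) = (\S+)$", line)
        if m:
            host = (urlsplit(refang(m.group(1))).hostname or "").lower()
            if host in SEARCH_HIJACK_WATCHLIST:
                add("suspect", "start page set to a search-hijack domain", line)
            continue
        # 3. DDS: WinINet proxy. Normal on a campus machine, but also the classic
        #    interception point, so always confirm it is the expected one.
        m = re.match(r"^[um]Internet Settings,ProxyServer = (\S+)$", line)
        if m:
            add("review", "system proxy configured; confirm it is expected", m.group(1))
            continue
        # 4. DDS: Firefox proxy prefs only take effect when network.proxy.type != 0.
        m = re.match(r"^FF - prefs\.js: network\.proxy\.(\w+) - (\S+)$", line)
        if m:
            key, value = m.groups()
            if key == "type":
                ff_proxy_type = int(value)
            elif not key.endswith("_port"):
                ff_proxy_hosts.add(value)

    if ff_proxy_hosts:  # unknown type is treated as active, which is the safe default
        hosts = ", ".join(sorted(ff_proxy_hosts))
        if ff_proxy_type == 0:
            add("info", "Firefox proxy entries present but network.proxy.type = 0 (direct), so inactive", hosts)
        else:
            add("suspect", "Firefox proxy active; verify it is the expected one", hosts)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.reason}: {f.evidence}")
```

Two caveats the output makes explicit: the `%TEMP%\is-XXXXX.tmp` location (the directory Inno Setup installers unpack into) means the flagged InstallManager.exe was dropped by the installer itself, so a component bundled in the download triggered the alert rather than something already on the machine, and Avira's "Deny access" means it did not execute; and the Firefox proxy prefs pointing at 217.17.29.34:8080 are inert while `network.proxy.type` is 0, so on their own they are not evidence of interception. The proxy in Internet Settings stays a "review" item: a library hostname on port 8080 is consistent with a campus proxy, but only the owner can confirm that.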