![]() |
|
Plagegeister aller Art und deren Bekämpfung: Rogue.ControlCenter und ADWARE/Adware.Gen nach Installation von PDFCreatorWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
![]() | #1 |
![]() | ![]() Rogue.ControlCenter und ADWARE/Adware.Gen nach Installation von PDFCreator Hallo liebes Trojaner-Board-Team, nachdem sich meine Freundin den PDFCreator von chip.de (www.chip.de/downloads/PDFCreator_13009777.html) runtergeladen hat, hat sich Avira bei der Installation gemeldet mit: Code:
ATTFilter 22.04.2012 21:56 [Echtzeit Scanner] Malware gefunden In der Datei 'C:\Users\Nele\AppData\Local\Temp\is-2T3LV.tmp\InstallManager.exe' wurde ein Virus oder unerwünschtes Programm 'ADWARE/Adware.Gen' [adware] gefunden. Ausgeführte Aktion: Übergeben an Scanner 22.04.2012 21:56 [Echtzeit Scanner] Malware gefunden In der Datei 'C:\Users\Nele\AppData\Local\Temp\is-2T3LV.tmp\InstallManager.exe' wurde ein Virus oder unerwünschtes Programm 'ADWARE/Adware.Gen' [adware] gefunden. Ausgeführte Aktion: Zugriff verweigern Nun wollte ich fragen, ob der Laptop jetzt sicher ist. Nach den Hinweisen zum Erstellen von Posts habe ich dann noch den Defogger laufen lassen, dann DDS und anschließend GMER im abgesicherten Modus (MBAM habe ich dann auch gleich nochmal im AM laufen lassen). DDS: Code:
ATTFilter . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 9.0.8112.16421 Run by Nele at 9:28:34 on 2012-04-25 Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.2935.1898 [GMT 2:00] . AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C} SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Windows\system32\conhost.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe C:\Windows\system32\Dwm.exe C:\Windows\system32\taskhost.exe C:\Windows\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe C:\Program Files\Launch Manager\HotkeyApp.exe C:\Program Files\Launch Manager\OSD.exe C:\Program Files\Launch Manager\WButton.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe C:\Program Files\Launch Manager\WisLMSvc.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Users\Nele\AppData\Roaming\Dropbox\bin\Dropbox.exe C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Windows\system32\SearchIndexer.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\system32\DllHost.exe C:\Windows\servicing\TrustedInstaller.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\conhost.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825 uDefault_Page_URL = hxxp://www.aldi.com uInternet Settings,ProxyServer = bibliothek.fh-fresenius.de:8080 uInternet Settings,ProxyOverride = <local> uURLSearchHooks: H - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File TB: {40C3CC16-7269-4B32-9531-17F2950FB06F} - No File uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /FORPCEE3 mRun: [HotkeyApp] "c:\program files\launch manager\HotkeyApp.exe" mRun: [LMgrVolOSD] "c:\program files\launch manager\OSD.exe" mRun: [LMgrOSD] "c:\program files\launch manager\OSDCtrl.exe" mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe" mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe" mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s mRun: [IgfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min StartupFolder: c:\users\nele\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\nele\appdata\roaming\dropbox\bin\Dropbox.exe mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: &Citavi Picker... - file://c:\programdata\swiss academic software\citavi picker\internet explorer\ShowContextMenu.html IE: An OneNote s&enden - c:\progra~1\micros~3\office14\ONBttnIE.dll/105 IE: Nach Microsoft E&xcel exportieren - c:\progra~1\micros~3\office14\EXCEL.EXE/3000 IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-25/4 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab TCP: DhcpNameServer = 62.109.123.196 213.191.74.18 192.168.0.1 TCP: Interfaces\{45E7A42D-34F3-4E38-8108-0519D5D90937} : DhcpNameServer = 62.109.123.196 213.191.74.18 192.168.0.1 TCP: Interfaces\{45E7A42D-34F3-4E38-8108-0519D5D90937}\6427563756E69657374427164786C6F637 : DhcpNameServer = 192.168.172.1 TCP: Interfaces\{45E7A42D-34F3-4E38-8108-0519D5D90937}\E4544574541425 : DhcpNameServer = 192.168.1.1 TCP: Interfaces\{AF1075E2-4B82-43A8-937F-DE7FCB359661} : DhcpNameServer = 192.168.1.1 Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll Notify: igfxcui - igfxdev.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\ FF - prefs.js: browser.search.selectedEngine - Wikipedia (de) FF - prefs.js: browser.startup.homepage - about:home FF - prefs.js: network.proxy.ftp - 217.17.29.34 FF - prefs.js: network.proxy.ftp_port - 8080 FF - prefs.js: network.proxy.gopher - 217.17.29.34 FF - prefs.js: network.proxy.gopher_port - 8080 FF - prefs.js: network.proxy.http - 217.17.29.34 FF - prefs.js: network.proxy.http_port - 8080 FF - prefs.js: network.proxy.socks - 217.17.29.34 FF - prefs.js: network.proxy.socks_port - 8080 FF - prefs.js: network.proxy.ssl - 217.17.29.34 FF - prefs.js: network.proxy.ssl_port - 8080 FF - prefs.js: network.proxy.type - 0 FF - component: c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\extensions\zoterowinwordintegration@zotero.org\components\zoteroWinWordIntegration.dll FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - plugin: c:\users\nele\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll FF - plugin: c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\extensions\2020player@2020technologies.com\plugins\NP2020Player.dll FF - plugin: c:\users\nele\appdata\roaming\mozilla\firefox\profiles\h7wflwku.default\extensions\2020player_ikea@2020technologies.com\plugins\NP_2020Player_IKEA.dll FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll . ============= SERVICES / DRIVERS =============== . R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-16 36000] R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128] R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928] R2 AntiVirSchedulerService;Avira Planer;c:\program files\avira\antivir desktop\sched.exe [2011-10-16 86224] R2 AntiVirService;Avira Echtzeit Scanner;c:\program files\avira\antivir desktop\avguard.exe [2011-10-16 110032] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-16 74640] R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-2-3 1155072] R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2010-4-22 13336] R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2010-4-22 2320920] R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-4-22 132352] R3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-4-22 232960] R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-4-14 67624] R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-4-1 1009184] R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336] R3 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2010-4-22 118560] R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2010-4-22 13720] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-31 253088] S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800] S3 NxpCap;CTX capture service;c:\windows\system32\drivers\NxpCap.sys [2010-4-14 1558368] S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000] S3 PIXMCV;Victor Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2004-6-3 33792] S3 PIXMCVA;Victor PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2004-3-20 38144] S3 PIXMCVV;Victor PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2004-3-27 32768] S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-4-22 191008] S3 StkCMini;Syntek AVStream USB2.0 ATV;c:\windows\system32\drivers\StkCMini.sys [2011-10-23 1521544] S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-7 52224] S3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-9 1343400] . =============== Created Last 30 ================ . 2012-04-25 07:20:34 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ff8ea98c-d19f-485e-92c7-70312f209f90}\mpengine.dll 2012-04-22 21:05:25 -------- d-----w- c:\users\nele\appdata\roaming\Malwarebytes 2012-04-22 21:05:17 -------- d-----w- c:\programdata\Malwarebytes 2012-04-22 21:05:15 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-04-22 21:05:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-04-11 10:12:50 5120 ----a-w- c:\windows\system32\wmi.dll 2012-04-11 10:12:50 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys 2012-04-11 10:12:50 172544 ----a-w- c:\windows\system32\wintrust.dll 2012-04-11 10:12:50 159232 ----a-w- c:\windows\system32\imagehlp.dll 2012-04-11 10:11:24 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-04-11 10:11:24 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-04-04 05:53:56 182160 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll 2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll 2012-03-31 13:08:28 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-03-28 18:28:44 -------- d-----w- c:\users\nele\appdata\roaming\ProtectDisc 2012-03-28 18:27:47 -------- d-----w- c:\users\nele\appdata\local\Apps 2012-03-28 18:27:46 -------- d-----w- c:\users\nele\appdata\local\Deployment . ==================== Find3M ==================== . 2012-04-15 06:50:57 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll 2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl 2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll 2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe 2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll 2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys 2012-02-14 10:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX 2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll 2012-02-03 03:54:27 2343424 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 9:29:22,39 =============== Ich danke schon vielmals für die Hilfe. ![]() |
Themen zu Rogue.ControlCenter und ADWARE/Adware.Gen nach Installation von PDFCreator |
acrobat update, adobe, adware.gen, adware/adware.gen, antivir, chip.de, desktop, document, firefox, flash player, home, installation, installmanager.exe, malware, mozilla, notification, pdfcreator, plug-in, realtek, rogue.controlcenter, scan, software, svchost.exe, system, temp, virus, windows, windows 7 home |