Log analysis and evaluation: Trojan TR/Agent.aotx.1
16.07.2012, 17:02 | #1
Trojan TR/Agent.aotx.1

Hello! This time I have a friend's laptop in for "maintenance". Avira reported the above Trojan on it.

OTL - Extras.txt
Code:
OTL Extras logfile created on: 16.07.2012 17:51:11 - Run 1
OTL by OldTimer - Version 3.2.54.0     Folder = C:\Users\Test\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,93 Gb Total Physical Memory | 1,73 Gb Available Physical Memory | 58,90% Memory free
6,10 Gb Paging File | 4,95 Gb Available in Paging File | 81,15% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 219,21 Gb Total Space | 146,69 Gb Free Space | 66,92% Space Free | Partition Type: NTFS
Drive D: | 925,88 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: TEST-PC | User Name: Test | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

Code:
OTL logfile created on: 16.07.2012 17:51:06 - Run 1
OTL by OldTimer - Version 3.2.54.0     Folder = C:\Users\Test\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,93 Gb Total Physical Memory | 1,73 Gb Available Physical Memory | 58,90% Memory free
6,10 Gb Paging File | 4,95 Gb Available in Paging File | 81,15% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 219,21 Gb Total Space | 146,69 Gb Free Space | 66,92% Space Free | Partition Type: NTFS
Drive D: | 925,88 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: TEST-PC | User Name: Test | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.07.16 17:48:31 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Test\Desktop\OTL.exe
PRC - [2012.07.16 17:45:07 | 000,050,477 | ---- | M] () -- C:\Users\Test\Desktop\Defogger.exe
PRC - [2012.06.20 13:18:08 | 001,568,976 | ---- | M] (Ask) -- C:\Programme\Ask.com\Updater\Updater.exe
PRC - [2012.06.02 11:08:27 | 000,748,664 | ---- | M] (Microsoft Corporation) -- C:\Programme\Internet Explorer\iexplore.exe
PRC - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.02 00:55:21 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.02 00:31:35 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.05.02 00:22:53 | 000,391,632 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avcenter.exe
PRC - [2012.04.24 02:11:55 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.02.28 16:36:39 | 000,307,824 | ---- | M] (Google Inc.) -- C:\Programme\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2012.01.23 14:15:54 | 000,127,040 | ---- | M] (ICQ, LLC.) -- C:\Programme\ICQ7.7\ICQ.exe
PRC - [2011.12.05 13:42:22 | 000,114,992 | R--- | M] (SweetIM Technologies Ltd.) -- C:\Programme\SweetIM\Messenger\SweetIM.exe
PRC - [2011.05.27 16:23:00 | 004,999,976 | ---- | M] (Synaptics Incorporated) -- C:\Programme\Synaptics\Scrybe\scrybe.exe
PRC - [2011.05.27 16:23:00 | 001,300,264 | ---- | M] (Synaptics, Inc.) -- C:\Programme\Synaptics\Scrybe\Service\ScrybeUpdater.exe
PRC - [2010.06.23 22:41:43 | 000,200,704 | ---- | M] () -- C:\Windows\plfseti.exe
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2009.02.12 06:20:52 | 000,862,728 | ---- | M] (Dritek System Inc.) -- C:\Programme\Launch Manager\LManager.exe
PRC - [2009.02.06 13:07:08 | 000,686,624 | ---- | M] (Acer Incorporated) -- C:\Programme\eMachines\eMachines Power Management\ePowerTray.exe
PRC - [2009.02.06 13:07:06 | 000,653,856 | ---- | M] (Acer Incorporated) -- C:\Programme\eMachines\eMachines Power Management\ePowerSvc.exe
PRC - [2007.01.04 19:48:50 | 000,112,152 | ---- | M] (InterVideo) -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe

========== Modules (No Company Name) ==========

MOD - [2012.07.16 17:45:07 | 000,050,477 | ---- | M] () -- C:\Users\Test\Desktop\Defogger.exe
MOD - [2011.03.31 19:31:02 | 000,066,856 | ---- | M] () -- C:\Programme\Synaptics\SynTP\SynTPEnhPS.dll
MOD - [2010.07.21 20:02:08 | 000,034,816 | ---- | M] () -- C:\Programme\Google\Google Desktop Search\gzlib.dll
MOD - [2010.06.23 22:41:43 | 000,200,704 | ---- | M] () -- C:\Windows\plfseti.exe
MOD - [2003.06.07 07:30:08 | 000,057,344 | ---- | M] () -- C:\Programme\Launch Manager\PowerUtl.dll

========== Win32 Services (SafeList) ==========

SRV - [2012.05.02 01:42:28 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012.05.02 00:55:21 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe -- (AntiVirWebService)
SRV - [2012.05.02 00:34:34 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011.07.20 06:18:24 | 000,440,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2011.05.27 16:23:00 | 001,300,264 | ---- | M] (Synaptics, Inc.) [Auto | Running] -- C:\Programme\Synaptics\Scrybe\Service\ScrybeUpdater.exe -- (ScrybeUpdater)
SRV - [2009.02.06 13:07:06 | 000,653,856 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Programme\eMachines\eMachines Power Management\ePowerSvc.exe -- (ePowerSvc)
SRV - [2008.05.06 00:25:46 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Programme\eMachines Games\eMachines Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.01.04 19:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Running] -- C:\Programme\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006.10.26 15:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\L1C60x86.sys -- (L1C)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2012.04.27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.04.25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012.04.16 21:17:40 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008.11.04 23:13:32 | 000,952,320 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007.04.17 20:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2006.11.02 15:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Programme\Launch Manager\DPortIO.sys -- (DritekPortIO)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0410&m=e525
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.sweetim.com/?barid={67A25F9F-064C-4D85-8EAB-DC6F0C5CAEE0}
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&barid={67A25F9F-064C-4D85-8EAB-DC6F0C5CAEE0}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0407&s=2&o=vp32&d=0410&m=e525
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - No CLSID value found
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {A8EE9393-6F22-41DB-B2E4-0C6F67CB18E9}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}: "URL" = hxxp://search.icq.com/search/results.php?q={searchTerms}&ch_id=osd
IE - HKCU\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACEW
IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = hxxp://127.0.0.1:4664/search&s=b5lTpTWrnT6BNmDJ0IXbyi7g9sQ?q={searchTerms}
IE - HKCU\..\SearchScopes\{A8EE9393-6F22-41DB-B2E4-0C6F67CB18E9}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW_deDE385
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = hxxp://search.sweetim.com/search.asp?src=6&q={searchTerms}&barid={67A25F9F-064C-4D85-8EAB-DC6F0C5CAEE0}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (ICQ Sparberater) - {EC136321-1AE5-4A7F-B01C-5380D666175B} - C:\Programme\icq\Internet Explorer\icq.dll (solute gmbh)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKLM\..\Toolbar: (Avira SearchFree Toolbar plus Web Protection) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Programme\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer ePower Management] C:\Programme\eMachines\eMachines Power Management\ePowerTray.exe (Acer Incorporated)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [LManager] C:\Programme\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [PLFSetI] C:\Windows\plfseti.exe ()
O4 - HKLM..\Run: [SweetIM] C:\Programme\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [WarReg_PopUp] C:\Programme\eMachines\WR_PopUp\WarReg_PopUp.exe (eMachines)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ICQ] C:\Program Files\ICQ7.7\ICQ.exe (ICQ, LLC.)
O4 - HKCU..\Run: [msnmsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found
O4 - HKCU..\Run: [Userinit] C:\Users\Test\AppData\Roaming\appconf32.exe ()
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10k_ActiveX.exe (Adobe Systems, Inc.)
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Web-Suche - C:\Programme\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O9 - Extra Button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: ICQ7.7 - {77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - C:\Programme\ICQ7.7\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.7 - {77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - C:\Programme\ICQ7.7\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{630552E6-0066-4380-A077-2B18F4453502}: DhcpNameServer = 192.168.178.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\eM3_Wide.bmp
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\eM3_Wide.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010.11.25 16:17:40 | 000,000,000 | ---D | M] - D:\autorun -- [ CDFS ]
O32 - AutoRun File - [2010.10.15 09:52:30 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{f004a16d-41b7-11df-9962-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{f004a16d-41b7-11df-9962-806e6f6e6963}\Shell\AutoRun\command - "" = D:\cdstart.exe -- [2010.11.18 16:27:48 | 001,419,984 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012.07.16 17:48:31 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Test\Desktop\OTL.exe
[2012.07.16 16:39:31 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012.07.13 16:25:27 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012.07.13 12:32:50 | 000,000,000 | ---D | C] -- C:\Users\Test\AppData\Roaming\Avira
[2012.07.13 12:27:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012.07.13 12:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2012.07.13 12:26:06 | 000,137,928 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012.07.13 12:26:06 | 000,083,392 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2012.07.13 12:26:06 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys
[2012.07.13 12:26:06 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2012.07.13 12:25:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2012.07.13 12:25:59 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2012.06.20 14:17:55 | 000,000,000 | ---D | C] -- C:\Users\Test\AppData\Roaming\World4
[1 C:\Users\Test\AppData\Roaming\*.tmp files -> C:\Users\Test\AppData\Roaming\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012.07.16 17:48:31 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Test\Desktop\OTL.exe
[2012.07.16 17:47:59 | 000,000,000 | ---- | M] () -- C:\Users\Test\defogger_reenable
[2012.07.16 17:45:07 | 000,050,477 | ---- | M] () -- C:\Users\Test\Desktop\Defogger.exe
[2012.07.16 17:42:01 | 000,167,104 | ---- | M] () -- C:\Users\Test\AppData\Roaming\AcroIEHelpe169.dll
[2012.07.16 17:42:01 | 000,006,400 | ---- | M] () -- C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll
[2012.07.16 17:41:52 | 000,000,051 | ---- | M] () -- C:\Users\Test\AppData\Roaming\blckdom.res
[2012.07.16 17:41:10 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012.07.16 16:40:43 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012.07.16 16:39:33 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012.07.16 16:31:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012.07.13 20:49:01 | 000,004,384 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012.07.13 20:49:01 | 000,004,384 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012.07.13 20:48:19 | 3147,808,768 | -HS- | M] () -- C:\hiberfil.sys
[2012.07.13 17:51:34 | 000,304,112 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012.07.13 12:27:19 | 000,001,849 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2012.06.29 14:17:07 | 000,628,742 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2012.06.29 14:17:07 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012.06.29 14:17:07 | 000,126,454 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2012.06.29 14:17:07 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[1 C:\Users\Test\AppData\Roaming\*.tmp files -> C:\Users\Test\AppData\Roaming\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012.07.16 17:47:59 | 000,000,000 | ---- | C] () -- C:\Users\Test\defogger_reenable
[2012.07.16 17:45:06 | 000,050,477 | ---- | C] () -- C:\Users\Test\Desktop\Defogger.exe
[2012.07.16 17:42:01 | 000,167,104 | ---- | C] () -- C:\Users\Test\AppData\Roaming\AcroIEHelpe169.dll
[2012.07.16 17:42:01 | 000,006,400 | ---- | C] () -- C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll
[2012.07.16 16:39:33 | 000,000,806 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012.07.13 12:27:19 | 000,001,849 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2012.06.16 14:12:46 | 000,000,051 | ---- | C] () -- C:\Users\Test\AppData\Roaming\blckdom.res
[2012.01.09 14:34:13 | 269,781,597 | ---- | C] () -- C:\Users\Test\mvp.exe
[2010.08.25 19:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010.08.25 19:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010.08.25 19:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010.08.25 18:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2010.08.25 18:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010.08.25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010.08.25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2010.08.08 13:27:01 | 000,000,061 | ---- | C] () -- C:\Windows\wininit.ini
[2010.07.21 20:35:03 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010.07.21 20:35:03 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010.06.23 22:44:53 | 000,012,288 | ---- | C] () -- C:\Users\Test\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.06.22 19:56:28 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2008.12.09 17:23:13 | 000,053,712 | RHS- | C] () -- C:\Users\Test\AppData\Roaming\appconf32.exe

========== LOP Check ==========

[2012.05.10 13:59:24 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\.minecraft
[2011.08.25 16:57:18 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\FarmingSimulator2008
[2012.05.19 12:25:49 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\ICQ
[2012.06.16 14:12:18 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\kock
[2011.07.20 19:21:55 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\Synaptics
[2012.06.17 12:36:30 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\UAs
[2012.06.20 14:17:55 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\World4
[2012.06.17 12:36:53 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\xmldm
[2012.07.13 18:21:38 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >

Code:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-07-16 18:59:37
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2555GSX rev.FG001J
Running: ostqxwog.exe; Driver: C:\Users\Test\AppData\Local\Temp\pxldipow.sys

---- System - GMER 1.0.15 ----

SSDT 8CDB556E ZwCreateSection
SSDT 8CDB5578 ZwRequestWaitReplyPort
SSDT 8CDB5573 ZwSetContextThread
SSDT 8CDB557D ZwSetSecurityObject
SSDT 8CDB5582 ZwSystemDebugControl
SSDT 8CDB550F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 215 81EE58D8 4 Bytes [6E, 55, DB, 8C]
.text ntkrnlpa.exe!KeSetEvent + 539 81EE5BFC 4 Bytes [78, 55, DB, 8C]
.text ntkrnlpa.exe!KeSetEvent + 56D 81EE5C30 4 Bytes [73, 55, DB, 8C]
.text ntkrnlpa.exe!KeSetEvent + 5D1 81EE5C94 4 Bytes [7D, 55, DB, 8C]
.text ntkrnlpa.exe!KeSetEvent + 619 81EE5CDC 4 Bytes [82, 55, DB, 8C] {ADC BYTE [EBP-0x25], -0x74}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskeng.exe[312] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Windows\system32\igfxsrvc.exe[1608] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Windows\system32\Dwm.exe[1716] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Windows\Explorer.EXE[1776] kernel32.dll!CreateProcessW 75951BF3 5 Bytes JMP 05F350CA
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1904] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe[1912] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] kernel32.dll!CreateThread 7599CB2E 5 Bytes JMP 717D75CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] ADVAPI32.dll!RegOpenKeyExW 75E77BA1 5 Bytes JMP 0248121E C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!SetWindowsHookExW 758B87AD 5 Bytes JMP 718125AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!CallNextHookEx 758B8E3B 5 Bytes JMP 71837FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!UnhookWindowsHookEx 758B98DB 5 Bytes JMP 7185ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!EnableWindow 758BCD8B 5 Bytes JMP 71819EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!DefWindowProcA 758BDB88 7 Bytes JMP 717D97F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!CreateWindowExA 758BDC2A 5 Bytes JMP 717E362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!CreateWindowExW 758C1305 5 Bytes JMP 718403B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!DefWindowProcW 758D03B4 7 Bytes JMP 71838042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!DialogBoxParamW 758E10B0 5 Bytes JMP 7177187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!DialogBoxIndirectParamW 758E2EF5 5 Bytes JMP 71968D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!DialogBoxParamA 758F8152 5 Bytes JMP 71968D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!DialogBoxIndirectParamA 758F847D 5 Bytes JMP 71968DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!MessageBoxIndirectA 7590D4D9 5 Bytes JMP 71968CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!MessageBoxIndirectW 7590D5D3 5 Bytes JMP 71968C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!MessageBoxExA 7590D639 5 Bytes JMP 71968BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] USER32.dll!MessageBoxExW 7590D65D 5 Bytes JMP 71968B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] ole32.dll!OleLoadFromStream 75A51E80 5 Bytes JMP 7196955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] WININET.dll!InternetOpenA 757AD5E8 5 Bytes JMP 002B99B2
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] WININET.dll!InternetCrackUrlA 757B027E 5 Bytes JMP 002B961A
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] WININET.dll!InternetConnectA 757C567E 5 Bytes JMP 002B9718
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] WININET.dll!InternetOpenW 757CC596 5 Bytes JMP 002B99C4
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1928] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text
C:\Program Files\Internet Explorer\iexplore.exe[2088] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00] .text C:\Program Files\Internet Explorer\iexplore.exe[2088] ADVAPI32.dll!RegOpenKeyExW 75E77BA1 5 Bytes JMP 02C8121E C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!EnableWindow 758BCD8B 5 Bytes JMP 71819EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxParamW 758E10B0 5 Bytes JMP 7177187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxIndirectParamW 758E2EF5 5 Bytes JMP 71968D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxParamA 758F8152 5 Bytes JMP 71968D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxIndirectParamA 758F847D 5 Bytes JMP 71968DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxIndirectA 7590D4D9 5 Bytes JMP 71968CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxIndirectW 7590D5D3 5 Bytes JMP 71968C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxExA 7590D639 5 Bytes JMP 71968BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxExW 7590D65D 5 Bytes JMP 71968B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) 
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] WININET.dll!InternetOpenA 757AD5E8 5 Bytes JMP 006D99B2 .text C:\Program Files\Internet Explorer\iexplore.exe[2088] WININET.dll!InternetCrackUrlA 757B027E 5 Bytes JMP 006D961A .text C:\Program Files\Internet Explorer\iexplore.exe[2088] WININET.dll!InternetConnectA 757C567E 5 Bytes JMP 006D9718 .text C:\Program Files\Internet Explorer\iexplore.exe[2088] WININET.dll!InternetOpenW 757CC596 5 Bytes JMP 006D99C4 .text C:\Program Files\ICQ7.7\ICQ.exe[2092] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00] .text C:\Program Files\ICQ7.7\ICQ.exe[2092] kernel32.dll!LoadLibraryExW 7597927C 6 Bytes JMP 5F070F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] kernel32.dll!ReadFile 7598F0D3 6 Bytes JMP 5F190F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] kernel32.dll!GetFileSize 75997368 6 Bytes JMP 5F1C0F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] kernel32.dll!CloseHandle 7599B0AD 6 Bytes JMP 5F160F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] kernel32.dll!CreateFileW 7599B0EB 6 Bytes JMP 5F130F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] USER32.dll!SetParent 758BA2AA 3 Bytes [FF, 25, 1E] .text C:\Program Files\ICQ7.7\ICQ.exe[2092] USER32.dll!SetParent + 4 758BA2AE 2 Bytes [20, 5F] .text C:\Program Files\ICQ7.7\ICQ.exe[2092] USER32.dll!CreateWindowExW 758C1305 6 Bytes JMP 5F0A0F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] USER32.dll!DispatchMessageW 758D021C 6 Bytes JMP 5F040F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] USER32.dll!PeekMessageW 758D045A 6 Bytes JMP 5F100F5A .text C:\Program Files\ICQ7.7\ICQ.exe[2092] ole32.dll!CoCreateInstance 75A89F3E 6 Bytes JMP 5F0D0F5A .text C:\Windows\plfseti.exe[3356] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00] .text C:\Windows\System32\igfxtray.exe[3380] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00] .text C:\Windows\System32\hkcmd.exe[3388] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00] .text C:\Windows\System32\igfxpers.exe[3396] ntdll.dll!NtClearEvent + F 770A4183 1 
Byte [00] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3408] ntdll.dll!NtClearEvent + F 770A4183 6 Bytes JMP 003C0313 .text ... .text C:\Program Files\Internet Explorer\iexplore.exe[4224] kernel32.dll!CreateThread 7599CB2E 5 Bytes JMP 717D75CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] ADVAPI32.dll!RegOpenKeyExW 75E77BA1 5 Bytes JMP 02BD121E C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!SetWindowsHookExW 758B87AD 5 Bytes JMP 718125AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!CallNextHookEx 758B8E3B 5 Bytes JMP 71837FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!UnhookWindowsHookEx 758B98DB 5 Bytes JMP 7185ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!EnableWindow 758BCD8B 5 Bytes JMP 71819EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DefWindowProcA 758BDB88 7 Bytes JMP 717D97F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!CreateWindowExA 758BDC2A 5 Bytes JMP 717E362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!CreateWindowExW 758C1305 5 Bytes JMP 718403B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DefWindowProcW 758D03B4 7 Bytes JMP 71838042 C:\Windows\system32\IEFRAME.dll (Internet 
Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxParamW 758E10B0 5 Bytes JMP 7177187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxIndirectParamW 758E2EF5 5 Bytes JMP 71968D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxParamA 758F8152 5 Bytes JMP 71968D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!DialogBoxIndirectParamA 758F847D 5 Bytes JMP 71968DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxIndirectA 7590D4D9 5 Bytes JMP 71968CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxIndirectW 7590D5D3 5 Bytes JMP 71968C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxExA 7590D639 5 Bytes JMP 71968BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] USER32.dll!MessageBoxExW 7590D65D 5 Bytes JMP 71968B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] ole32.dll!OleLoadFromStream 75A51E80 5 Bytes JMP 7196955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4224] WININET.dll!InternetOpenA 757AD5E8 5 Bytes JMP 01BA99B2 .text C:\Program Files\Internet Explorer\iexplore.exe[4224] WININET.dll!InternetCrackUrlA 757B027E 5 Bytes JMP 01BA961A 
.text C:\Program Files\Internet Explorer\iexplore.exe[4224] WININET.dll!InternetConnectA 757C567E 5 Bytes JMP 01BA9718 .text C:\Program Files\Internet Explorer\iexplore.exe[4224] WININET.dll!InternetOpenW 757CC596 5 Bytes JMP 01BA99C4 .text C:\Program Files\Internet Explorer\iexplore.exe[4448] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00] .text C:\Program Files\Internet Explorer\iexplore.exe[4448] kernel32.dll!CreateThread 7599CB2E 5 Bytes JMP 717D75CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] ADVAPI32.dll!RegOpenKeyExW 75E77BA1 5 Bytes JMP 0300121E C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!SetWindowsHookExW 758B87AD 5 Bytes JMP 718125AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!CallNextHookEx 758B8E3B 5 Bytes JMP 71837FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!UnhookWindowsHookEx 758B98DB 5 Bytes JMP 7185ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!EnableWindow 758BCD8B 5 Bytes JMP 71819EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!DefWindowProcA 758BDB88 7 Bytes JMP 717D97F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!CreateWindowExA 758BDC2A 5 Bytes JMP 717E362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!CreateWindowExW 758C1305 5 Bytes JMP 718403B7 C:\Windows\system32\IEFRAME.dll (Internet 
Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!DefWindowProcW 758D03B4 7 Bytes JMP 71838042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!DialogBoxParamW 758E10B0 5 Bytes JMP 7177187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!DialogBoxIndirectParamW 758E2EF5 5 Bytes JMP 71968D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!DialogBoxParamA 758F8152 5 Bytes JMP 71968D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!DialogBoxIndirectParamA 758F847D 5 Bytes JMP 71968DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!MessageBoxIndirectA 7590D4D9 5 Bytes JMP 71968CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!MessageBoxIndirectW 7590D5D3 5 Bytes JMP 71968C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!MessageBoxExA 7590D639 5 Bytes JMP 71968BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] USER32.dll!MessageBoxExW 7590D65D 5 Bytes JMP 71968B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[4448] ole32.dll!OleLoadFromStream 75A51E80 5 Bytes JMP 7196955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet 
Explorer\iexplore.exe[4448] WININET.dll!InternetOpenA 757AD5E8 5 Bytes JMP 003899B2 .text C:\Program Files\Internet Explorer\iexplore.exe[4448] WININET.dll!InternetCrackUrlA 757B027E 5 Bytes JMP 0038961A .text C:\Program Files\Internet Explorer\iexplore.exe[4448] WININET.dll!InternetConnectA 757C567E 5 Bytes JMP 00389718 .text C:\Program Files\Internet Explorer\iexplore.exe[4448] WININET.dll!InternetOpenW 757CC596 5 Bytes JMP 003899C4 .text C:\Windows\system32\wuauclt.exe[5788] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings@alive 0x30 0x6C 0xC0 0x8F ... ---- EOF - GMER 1.0.15 ---- RKIT/Agent.deov |
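A triage pass over the "User code sections" of a GMER log like the one above, as an added example that is not part of the original post and not GMER's own code. The entry format is inferred from the posted log; the regexes, the list of user-writable path prefixes and the set of network APIs are my assumptions, and the sample entries are copied from the log itself. The point it makes: a JMP whose target GMER resolves to a DLL under C:\Users\...\AppData (BAcroIEHelpe169.dll), or to memory with no module behind it at all (the WININET hooks at 002Bxxxx in every iexplore.exe, CreateProcessW in Explorer), deserves far more attention than the many hooks that land in IEFRAME.dll, a Microsoft module that IE loads into its own process, and the identical one-byte patch on ntdll!NtClearEvent seen in every process is one system-wide mechanism rather than per-process injection.

```python
"""Triage the 'User code sections' of a GMER log.

Added example for this thread; not from the original post and not GMER's
own code. The line format is inferred from the posted log; the path
prefixes and API set below are assumptions.
"""
import re
from collections import defaultdict

# .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)
# JMP <target> [<module path> [(<description>)]]
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<path>[A-Za-z]:\\[^()]*?))?"
    r"(?:\s*\((?P<desc>[^)]*)\))?\s*$"
)

# Assumption: anything under these prefixes is writable without admin rights.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# APIs a form grabber hooks to read web traffic before it is encrypted.
NETWORK_APIS = {"InternetOpenA", "InternetOpenW", "InternetConnectA",
                "InternetCrackUrlA", "HttpSendRequestA", "HttpSendRequestW",
                "HttpOpenRequestA", "HttpOpenRequestW"}
ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_hooks(text):
    """Yield one dict per parsable '.text ...' entry; other lines are skipped."""
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            yield m.groupdict()

def classify(hook):
    """Return (severity, reason) for one hook record."""
    jmp = JMP_RE.match(hook["patch"])
    if not jmp:
        return "info", "inline byte patch"
    path = jmp.group("path")
    if path is None:
        # GMER found no module at the detour target: injected or unpacked code.
        sev = "high" if hook["func"] in NETWORK_APIS else "medium"
        return sev, "jmp to unbacked memory"
    path = path.strip()
    if any(tok in path.lower() for tok in USER_WRITABLE):
        return "high", "jmp into user-writable module " + path
    if path.lower().startswith("c:\\windows\\"):
        return "low", "jmp into system module " + path
    return "medium", "jmp into third-party module " + path

def triage(text):
    """Summarise a GMER log: per-hook findings plus system-wide byte patches."""
    hooks = list(parse_hooks(text))
    findings, seen = [], defaultdict(set)
    for h in hooks:
        sev, why = classify(h)
        seen[(h["mod"], h["func"], h["off"] or "0", h["patch"])].add(h["pid"])
        if sev != "info":
            findings.append({"severity": sev, "pid": h["pid"], "process": h["proc"],
                             "api": f'{h["mod"]}!{h["func"]}', "why": why})
    # The same byte patch at the same address in several processes is one
    # mechanism (a driver or product), not per-process injection: report once.
    systemwide = [f"{k[0]}!{k[1]} + {k[2]} {k[3]} in {len(p)} processes"
                  for k, p in seen.items()
                  if len(p) >= 3 and not k[3].startswith("JMP")]
    suspects = sorted({f["why"].split("module ", 1)[1] for f in findings
                       if f["severity"] == "high" and "module " in f["why"]})
    return {"hooks": len(hooks), "findings": findings,
            "systemwide": systemwide, "suspect_modules": suspects}

# Sample entries copied from the GMER log posted above.
SAMPLE_LOG = r"""
.text C:\Windows\system32\taskeng.exe[312] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Windows\system32\Dwm.exe[1716] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtClearEvent + F 770A4183 1 Byte [00]
.text C:\Windows\Explorer.EXE[1776] kernel32.dll!CreateProcessW 75951BF3 5 Bytes JMP 05F350CA
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] kernel32.dll!CreateThread 7599CB2E 5 Bytes JMP 717D75CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] ADVAPI32.dll!RegOpenKeyExW 75E77BA1 5 Bytes JMP 0248121E C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] WININET.dll!InternetOpenA 757AD5E8 5 Bytes JMP 002B99B2
.text C:\Program Files\Internet Explorer\iexplore.exe[1920] WININET.dll!InternetConnectA 757C567E 5 Bytes JMP 002B9718
.text C:\Program Files\ICQ7.7\ICQ.exe[2092] kernel32.dll!ReadFile 7598F0D3 6 Bytes JMP 5F190F5A
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in sorted(result["findings"], key=lambda f: ORDER[f["severity"]]):
        print(f'{f["severity"]:6} pid {f["pid"]:>5} {f["api"]:32} {f["why"]}')
    for s in result["systemwide"]:
        print("system-wide:", s)
    print("suspect modules:", result["suspect_modules"])
```

Two caveats on reading the output. Whether the SSDT entries at the top of the log belong to a security product's self-protection driver cannot be settled from the log alone, and GMER names the owning module for some detours and not for others, so the script treats "no module" as a reason to look, not as proof of infection. The same holds for the ICQ.exe entries: a packed or self-protecting application hooks its own imports too, which is why they come out as "medium" rather than "high".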
18.07.2012, 21:12 | #2 |
/// Malware-holic | Trojaner TR/Agent.aotx.1
Hi,

Post the Avira detection reports.

This script, and any scripts that follow, are only for this particular user. If you have problems, open your own topic and wait for scripts tailored to you.

• Please start OTL.exe.
• Now copy the following into the text box.

Code:
:OTL
O4 - HKCU..\Run: [Userinit] C:\Users\Test\AppData\Roaming\appconf32.exe ()
[2012.07.16 17:42:01 | 000,167,104 | ---- | M] () -- C:\Users\Test\AppData\Roaming\AcroIEHelpe169.dll
[2012.07.16 17:42:01 | 000,006,400 | ---- | M] () -- C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll
[2012.06.17 12:36:53 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\xmldm
[2012.06.16 14:12:18 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\kock
:Files
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[Reboot]

• Now please close all programs.
• Now please click the Fix button.
• OTL may require a restart. Please allow it.
• After the restart you will find a text document; paste its contents into your next reply here.

Start in normal mode. If you have no icons: right-click, View, Show desktop icons.

Note: Please also upload the file to the UpChannel as described in the instructions. Please do NOT post the ZIP file here as an attachment in the thread!

Please press the Windows key + E.
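The fix script above picks its targets by a handful of properties visible in the OTL lines: an autorun value under HKCU\...\Run whose name borrows a Winlogon component (Userinit), an image and two DLLs in the user's Roaming profile with no company or version information, and DLL names one edit away from Adobe's legitimate AcroIEHelper.dll. The following Python reproduces that selection over the script lines; it is added here and is neither part of the post nor OTL's own code. The OTL line formats are inferred from the lines above; the reference list of legitimate names and the similarity threshold are my assumptions.

```python
"""Reproduce the selection behind the OTL fix script above.

Added example; not from the post and not OTL's own code. Line formats are
inferred from the posted script; the reference list of legitimate names and
the similarity threshold are assumptions.
"""
import re
from difflib import SequenceMatcher

# O4 - <hive>..\<key>: [<value name>] <image> (<company>)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<image>.+?) \((?P<company>[^)]*)\)$"
)
# [<timestamp> | <size> | <attributes> | <flag>] [(<company>)] -- <path>
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d.]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>[-\w]+) \| (?P<flag>\w)\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# Assumption: anything under these prefixes is writable without admin rights.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Logon/shell component names. A Run value borrowing one of them is
# masquerading: the real Userinit is configured under
# HKLM\...\Winlogon\Userinit, never under a Run key.
LOGON_NAMES = {"userinit", "winlogon", "explorer", "svchost", "lsass", "csrss"}
# Assumed reference list of legitimate file names that droppers imitate.
KNOWN_LEGIT = ("AcroIEHelper.dll", "AcroIEHelperShim.dll", "userinit.exe")

def in_user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)

def lookalike(filename, threshold=0.75):
    """Return the legitimate name this file name imitates, or None."""
    low = filename.lower()
    best, score = None, 0.0
    for legit in KNOWN_LEGIT:
        if low == legit.lower():
            return None            # exact match is the real thing, not a lookalike
        s = SequenceMatcher(None, low, legit.lower()).ratio()
        if s > score:
            best, score = legit, s
    return best if score >= threshold else None

def check_autorun(m):
    """Reasons to distrust one O4 (autorun) entry."""
    reasons = []
    if (m["hive"] == "HKCU" and m["key"].lower().endswith("run")
            and m["name"].lower() in LOGON_NAMES):
        reasons.append(f"Run value named '{m['name']}' imitates a Winlogon component")
    if in_user_writable(m["image"]):
        reasons.append("autorun image lives in a user-writable directory")
    if m["company"] == "":
        reasons.append("no company/version information")
    return reasons

def check_file(m):
    """Reasons to distrust one file entry (directories carry no signal here)."""
    reasons = []
    name = m["path"].rsplit("\\", 1)[-1]
    if "D" not in m["attr"] and in_user_writable(m["path"]):
        legit = lookalike(name)
        if legit:
            reasons.append(f"'{name}' in a user-writable directory resembles '{legit}'")
        if m["company"] == "":
            reasons.append("no company/version information")
    return reasons

def triage(lines):
    """Return [{'line': ..., 'reasons': [...]}] for lines with at least one reason."""
    out = []
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_autorun(m)
        else:
            m = FILE_RE.match(line)
            reasons = check_file(m) if m else []
        if reasons:
            out.append({"line": line, "reasons": reasons})
    return out

# Lines copied from the fix script above.
OTL_SCRIPT = r"""
O4 - HKCU..\Run: [Userinit] C:\Users\Test\AppData\Roaming\appconf32.exe ()
[2012.07.16 17:42:01 | 000,167,104 | ---- | M] () -- C:\Users\Test\AppData\Roaming\AcroIEHelpe169.dll
[2012.07.16 17:42:01 | 000,006,400 | ---- | M] () -- C:\Users\Test\AppData\Roaming\BAcroIEHelpe169.dll
[2012.06.17 12:36:53 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\xmldm
[2012.06.16 14:12:18 | 000,000,000 | ---D | M] -- C:\Users\Test\AppData\Roaming\kock
"""

if __name__ == "__main__":
    for hit in triage(OTL_SCRIPT.splitlines()):
        print(hit["line"])
        for r in hit["reasons"]:
            print("   -", r)
```

The two directories (xmldm, kock) produce no finding: nothing in an OTL directory line distinguishes them, and the helper's decision to remove them rests on knowing what normally lives in Roaming, which a line-level check cannot reproduce. Treat the output as a shortlist for a human, not as a verdict.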
19.07.2012, 08:44 | #3 |
| Trojaner TR/Agent.aotx.1
Hello Markus,

I was (apparently) able to remove the malware with Antimalware and Avira. At least no more alerts appear. The laptop has also already gone back to its owner; there it is only used by the kids for gaming. Should further problems turn up, I will get in touch again. Many thanks for the support so far!
20.07.2012, 19:37 | #4 |
/// Malware-holic | Trojaner TR/Agent.aotx.1
Such devices can still be used for crimes such as DDoS attacks or sending spam; if you are then unlucky, they get seized as evidence, or internet access is only possible in a restricted form.