Log analysis and evaluation: Bundespolizei Trojaner Österreich! (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so that our experts can evaluate them. Before viruses and trojans can be removed, the infected system has to be examined first: First steps to getting help. Keep in mind that an infected system cannot be trusted and should not be used until the malware has been removed completely.
19.07.2012, 17:54 | #1
Hello! Yes, unfortunately this trojan has got me too. Luckily I can still get into the safe modes. I am also running OTL and Malwarebytes right now. Here is the OTL result. I would be really glad for any help! Thanks a lot! Regards
19.07.2012, 18:23 | #2
/// Helper Team
Fix with OTL
Download OTL by OldTimer (if you do not already have it) and save it to your desktop (nowhere else).
Code:
:OTL
MOD - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
SRV - (WOTUpdater) -- C:\Users\Armin\AppData\LocalLow\WOT\IE\WOTUpdater.exe ()
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?AF=109989&tt=090212_ctrl&babsrc=HP_ss&mntrId=2816e73d0000000000001ae4003b288d
IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}: "URL" = http://start.facemoods.com/?a=ddrnw&s={searchTerms}&f=4
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=109989&tt=090212_ctrl&babsrc=SP_ss&mntrId=2816e73d0000000000001ae4003b288d
IE - HKCU\..\SearchScopes\{9E987FB4-0C48-427D-B8C8-3DF43B073AB5}: "URL" = http://start.funmoods.com/results.php?f=4&a=ddrnw&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.at/"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?AF=109989&tt=090212_ctrl&babsrc=adbartrp&mntrId=2816e73d0000000000001ae4003b288d&q="
FF - prefs.js..network.proxy.type: 4
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\Armin\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKCU..\Run: [RocketDock] C:\Program Files (x86)\RocketDock\RocketDock.exe ()
O4 - HKCU..\Run: [SMBHelper] C:\Users\Armin\AppData\Local\Microsoft\Windows\4281\SMBHelper.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O32 - HKLM CDRom: AutoRun - 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7A9699D3-685F-4F46-980C-857A86CB72BB}: DhcpNameServer = 10.0.0.138 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D5B19080-1139-4C2F-95A6-52D49398290D}: DhcpNameServer = 213.162.69.169 213.162.69.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F5D0CA0C-6ACC-4B37-BC85-BA216E5F461C}: DhcpNameServer = 213.162.69.169 213.162.69.170
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
@Alternate Data Stream - 154 bytes -> C:\ProgramData\Temp:CB0AACC9
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[emptyflash]
Note for readers: the OTL script above was written exclusively for this user in this situation. Never run it on other computers; it can do lasting damage to other systems!
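As an added example (not code from this thread, from the helper, or from OTL's author), here is a small Python triage pass over OTL-style log lines of the kind the fix script above targets. The sample lines are constructed after the O4, O6 and FF entries quoted in the script; the severity rules, the list of user-writable directory markers and the regular expressions are my own heuristics. The point it illustrates is why the SMBHelper autorun stands out among the three Run entries: it starts a binary with no publisher information from a user-writable directory under AppData, whereas the Akamai entry carries a publisher and RocketDock lives under Program Files.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the O4/O6/FF entries quoted in the thread.
SAMPLE_OTL_LINES = [
    r"O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\Armin\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)",
    r"O4 - HKCU..\Run: [RocketDock] C:\Program Files (x86)\RocketDock\RocketDock.exe ()",
    r"O4 - HKCU..\Run: [SMBHelper] C:\Users\Armin\AppData\Local\Microsoft\Windows\4281\SMBHelper.exe ()",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5",
    r"FF - prefs.js..network.proxy.type: 4",
]

# OTL line shapes (assumed from the entries on the page, not an official grammar):
#   O4 - <hive>..\Run: [<name>] <path> (<publisher>)
#   O6 - <policy key>: <value name> = <data>
#   FF - prefs.js..<pref>: <value>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\s*:\s*\[(?P<name>[^\]]*)\]\s*(?P<path>.*?)\s*\((?P<publisher>[^)]*)\)\s*$")
O6_RE = re.compile(r"^O6 - (?P<key>.+?):\s*(?P<value>\w+)\s*=\s*(?P<data>\S+)\s*$")
FF_RE = re.compile(r"^FF - prefs\.js\.\.(?P<pref>[\w.]+):\s*(?P<value>.+?)\s*$")

# Heuristic: directories an unprivileged user can write to (compared case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    entry: str     # the OTL line the finding refers to
    reason: str


def triage_line(line):
    """Classify one OTL line; returns a Finding or None for lines the rules ignore."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        path = m["path"].lower()
        publisher = m["publisher"].strip()
        in_user_dir = any(marker in path for marker in USER_WRITABLE)
        if in_user_dir and not publisher:
            return Finding("high", line,
                           f"autorun '{m['name']}' starts a binary with no publisher from a user-writable directory")
        if not publisher:
            return Finding("medium", line,
                           f"autorun '{m['name']}' carries no publisher information; verify the binary")
        return Finding("info", line, f"autorun '{m['name']}' by {publisher}")
    m = O6_RE.match(line)
    if m:
        # Policy restrictions are a review item, not proof of infection: the same
        # keys also hold deliberately configured policies.
        return Finding("medium", line,
                       f"policy {m['value']} = {m['data']} is set; check whether it was configured on purpose")
    m = FF_RE.match(line)
    if m and m["pref"] == "network.proxy.type" and m["value"] != "0":
        return Finding("medium", line,
                       f"Firefox proxy mode {m['value']} is active (0 = no proxy); browser traffic may be redirected")
    return None


def triage(lines):
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in map(triage_line, lines) if f is not None]


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_OTL_LINES)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}")
        print(f"         {f.entry}")
    print(summarize(results))
```

The rules deliberately separate "no publisher" from "no publisher and user-writable location": plenty of legitimate tools ship without version information, so only the combination is rated high, and the other Run entries end up as lower-priority review items for a human helper to confirm, which is the decision the thread's helper made by hand.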
19.07.2012, 18:55 | #3
WOOOOW!!
Thanks a lot, so far nothing has come back! But do I still have the virus on the computer? Can I do anything to get rid of it completely? Thanks a lot! Regards
19.07.2012, 20:16 | #4
/// Helper Team
Please post the log!!!
Quote:
Then: please run a full scan with Malwarebytes Anti-Malware and post the log.
19.07.2012, 20:24 | #5
Sorry!

All processes killed
========== OTL ==========
Service WOTUpdater stopped successfully!
Service WOTUpdater deleted successfully!
C:\Users\Armin\AppData\LocalLow\WOT\IE\WOTUpdater.exe moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D7562AE-8EF6-416d-A838-AB665251703A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9E987FB4-0C48-427D-B8C8-3DF43B073AB5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E987FB4-0C48-427D-B8C8-3DF43B073AB5}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Prefs.js: "Search the web (Babylon)" removed from browser.search.defaultenginename
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
Prefs.js: "Google" removed from browser.search.selectedEngine
Prefs.js: "hxxp://www.google.at/" removed from browser.startup.homepage
Prefs.js: "hxxp://search.babylon.com/?AF=109989&tt=090212_ctrl&babsrc=adbartrp&mntrId=2816e73d0000000000001ae4003b288d&q=" removed from keyword.URL
Prefs.js: 4 removed from network.proxy.type
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Akamai NetSession Interface deleted successfully.
C:\Users\Armin\AppData\Local\Akamai\netsession_win.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\RocketDock deleted successfully.
C:\Program Files (x86)\RocketDock\RocketDock.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\SMBHelper deleted successfully.
C:\Users\Armin\AppData\Local\Microsoft\Windows\4281\SMBHelper.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\Windows\Downloaded Program Files\swflash64.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7A9699D3-685F-4F46-980C-857A86CB72BB}\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D5B19080-1139-4C2F-95A6-52D49398290D}\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F5D0CA0C-6ACC-4B37-BC85-BA216E5F461C}\\DhcpNameServer| /E : value set successfully!
C:\Windows\SysNative\AESTAC64.tmp deleted successfully.
C:\Windows\SysNative\AESTAR64.tmp deleted successfully.
C:\Windows\SysNative\stapo64.tmp deleted successfully.
C:\Windows\SysWow64\themeui.dll.tmp deleted successfully.
C:\Windows\SysWow64\uxtheme.dll.tmp deleted successfully.
ADS C:\ProgramData\Temp:CB0AACC9 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
C:\Users\Armin\Desktop\cmd.bat deleted successfully.
C:\Users\Armin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Armin
->Temp folder emptied: 1431210 bytes
->Temporary Internet Files folder emptied: 29835320 bytes
->Java cache emptied: 36999 bytes
->FireFox cache emptied: 71666761 bytes
->Apple Safari cache emptied: 2634752 bytes
->Flash cache emptied: 30797 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Gast
->Temp folder emptied: 51078 bytes
->Temporary Internet Files folder emptied: 19721854 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 86424 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 72354 bytes
RecycleBin emptied: 28285641 bytes
Total Files Cleaned = 147,00 mb
[EMPTYFLASH]
User: All Users
User: Armin
->Flash cache emptied: 0 bytes
User: Default
User: Default User
User: Gast
User: Public
Total Flash Files Cleaned = 0,00 mb
OTL by OldTimer - Version 3.2.54.0 log created on 07192012_194256
Files\Folders moved on Reboot...
C:\Users\Armin\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
PendingFileRenameOperations files...
File C:\Users\Armin\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
Registry entries deleted on Reboot...
19.07.2012, 20:54 | #6
/// Helper Team
19.07.2012, 21:03 | #7
What now?! Is everything back to the way it was, or what? ^^
19.07.2012, 21:07 | #8
/// Helper Team
No. Where is the Malwarebytes log?
19.07.2012, 21:26 | #9

Malwarebytes Anti-Malware 1.62.0.1300
Malwarebytes : Free Anti-Malware download
Datenbank Version: v2012.07.19.10
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Armin :: ARMIN-PC [Administrator]
Schutz: Aktiviert
19.07.2012 22:21:13
mbam-log-2012-07-19 (22-25-50).txt
Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 210399
Laufzeit: 4 Minute(n), 19 Sekunde(n)
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 1
HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> Keine Aktion durchgeführt.
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)
(Ende)
19.07.2012, 22:35 | #10
/// Helper Team
Please download AdwCleaner to your desktop.
20.07.2012, 12:53 | #11
there u go!

# AdwCleaner v1.703 - Logfile created 07/20/2012 at 13:52:34
# Updated 20/07/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Armin - ARMIN-PC
# Running from : C:\Users\Armin\Downloads\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\Armin\AppData\Local\Babylon
Folder Found : C:\Users\Armin\AppData\LocalLow\BabylonToolbar
Folder Found : C:\Users\Armin\AppData\Roaming\Babylon
Folder Found : C:\Users\Armin\AppData\Roaming\Mozilla\Firefox\Profiles\ypjxc26o.default\extensions\ffxtlbr@funmoods.com
Folder Found : C:\ProgramData\Babylon
File Found : C:\Users\Armin\AppData\Roaming\Mozilla\Firefox\Profiles\ypjxc26o.default\searchplugins\funmoods.xml
File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\fcmdSrch.xml

***** [Registry] *****

Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\DT Soft
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki
[x64] Key Found : HKCU\Software\Softonic
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?AF=109989&tt=090212_ctrl&babsrc=NT_ss&mntrId=2816e73d0000000000001ae4003b288d

-\\ Mozilla Firefox v14.0.1 (de)

Profile name : default
File : C:\Users\Armin\AppData\Roaming\Mozilla\Firefox\Profiles\ypjxc26o.default\prefs.js

Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Found : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "tt=090212_ctrl");
Found : user_pref("extensions.BabylonToolbar_i.hardId", "2816e73d0000000000001ae4003b288d");
Found : user_pref("extensions.BabylonToolbar_i.id", "2816e73d0000000000001ae4003b288d");
Found : user_pref("extensions.BabylonToolbar_i.instlDay", "15384");
Found : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar_i.newTab", true);
Found : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?AF=109989&tt=090212_c[...]
Found : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
Found : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1720:38:59");
Found : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Found : user_pref("extensions.facemoods._xpiupdate", true);
Found : user_pref("extensions.facemoods.aflt", "_#wbst");
Found : user_pref("extensions.facemoods.fcmdVrsn", "1.2.7.5.3");
Found : user_pref("extensions.facemoods.id", "_#101004ec667a40b78175967e6e0a266f");
Found : user_pref("extensions.facemoods.instlDay", "_#15228");
Found : user_pref("extensions.facemoods.prtnrId", "_#facemoods.com");
Found : user_pref("extensions.facemoods.sid", "_#101004ec667a40b78175967e6e0a266f");
Found : user_pref("extensions.facemoods.uninst", true);
Found : user_pref("extensions.facemoods.update", "_#v1.4.0");
Found : user_pref("extensions.facemoods.vrsn", "_#1.4.17.5");
Found : user_pref("extensions.funmoods_i.aflt", "ddrnw");
Found : user_pref("extensions.funmoods_i.dfltLng", "");
Found : user_pref("extensions.funmoods_i.dfltSrch", true);
Found : user_pref("extensions.funmoods_i.dnsErr", true);
Found : user_pref("extensions.funmoods_i.excTlbr", false);
Found : user_pref("extensions.funmoods_i.hmpg", true);
Found : user_pref("extensions.funmoods_i.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=ddrnw");
Found : user_pref("extensions.funmoods_i.id", "2816e73d0000000000001ae4003b288d");
Found : user_pref("extensions.funmoods_i.instlDay", "15376");
Found : user_pref("extensions.funmoods_i.instlRef", "");
Found : user_pref("extensions.funmoods_i.newTab", true);
Found : user_pref("extensions.funmoods_i.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=ddrnw");
Found : user_pref("extensions.funmoods_i.prdct", "funmoods");
Found : user_pref("extensions.funmoods_i.prtnrId", "funmoods");
Found : user_pref("extensions.funmoods_i.smplGrp", "none");
Found : user_pref("extensions.funmoods_i.srchPrvdr", "Search");
Found : user_pref("extensions.funmoods_i.tlbrId", "base");
Found : user_pref("extensions.funmoods_i.tlbrSrchUrl", "hxxp://start.funmoods.com/results.php?f=3&a=ddrnw&q=[...]
Found : user_pref("extensions.funmoods_i.vrsn", "1.5.11.16");
Found : user_pref("extensions.funmoods_i.vrsnTs", "1.5.11.1611:17:36");
Found : user_pref("extensions.funmoods_i.vrsni", "1.5.11.16");

*************************

AdwCleaner[R1].txt - [7410 octets] - [20/07/2012 13:52:34]

########## EOF - C:\AdwCleaner[R1].txt - [7538 octets] ##########
20.07.2012, 20:34 | #12
/// Helper Team
Very good!

Then: malware scan with Emsisoft Anti-Malware
Download the free version of => Emsisoft Anti-Malware and install the program. Download the current signatures via "Update now". Select the freeware mode. Select "Detail Scan" and start the check of the computer with the "Scan" button. At the end of the scan, do not let it delete anything! Save the log file to the desktop by clicking "Save report" and post it here in the thread.
Instructions: http://www.trojaner-board.de/103809-...i-malware.html
20.07.2012, 20:52 | #13
The new AdwCleaner log:

# AdwCleaner v1.703 - Logfile created 07/20/2012 at 21:46:46
# Updated 20/07/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Armin - ARMIN-PC
# Running from : C:\Users\Armin\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Users\Armin\AppData\Local\Babylon
Folder Deleted : C:\Users\Armin\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\Armin\AppData\Roaming\Babylon
Folder Deleted : C:\Users\Armin\AppData\Roaming\Mozilla\Firefox\Profiles\ypjxc26o.default\extensions\ffxtlbr@funmoods.com
Folder Deleted : C:\ProgramData\Babylon
File Deleted : C:\Users\Armin\AppData\Roaming\Mozilla\Firefox\Profiles\ypjxc26o.default\searchplugins\funmoods.xml
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\fcmdSrch.xml

***** [Registry] *****

Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\DT Soft
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?AF=109989&tt=090212_ctrl&babsrc=NT_ss&mntrId=2816e73d0000000000001ae4003b288d --> hxxp://www.google.com

-\\ Mozilla Firefox v14.0.1 (de)

Profile name : default
File : C:\Users\Armin\AppData\Roaming\Mozilla\Firefox\Profiles\ypjxc26o.default\prefs.js

C:\Users\Armin\AppData\Roaming\Mozilla\Firefox\Profiles\ypjxc26o.default\user.js ... Deleted !

Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "tt=090212_ctrl");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "2816e73d0000000000001ae4003b288d");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "2816e73d0000000000001ae4003b288d");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15384");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?AF=109989&tt=090212_c[...]
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1720:38:59");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.facemoods._xpiupdate", true);
Deleted : user_pref("extensions.facemoods.aflt", "_#wbst");
Deleted : user_pref("extensions.facemoods.fcmdVrsn", "1.2.7.5.3");
Deleted : user_pref("extensions.facemoods.id", "_#101004ec667a40b78175967e6e0a266f");
Deleted : user_pref("extensions.facemoods.instlDay", "_#15228");
Deleted : user_pref("extensions.facemoods.prtnrId", "_#facemoods.com");
Deleted : user_pref("extensions.facemoods.sid", "_#101004ec667a40b78175967e6e0a266f");
Deleted : user_pref("extensions.facemoods.uninst", true);
Deleted : user_pref("extensions.facemoods.update", "_#v1.4.0");
Deleted : user_pref("extensions.facemoods.vrsn", "_#1.4.17.5");
Deleted : user_pref("extensions.funmoods_i.aflt", "ddrnw");
Deleted : user_pref("extensions.funmoods_i.dfltLng", "");
Deleted : user_pref("extensions.funmoods_i.dfltSrch", true);
Deleted : user_pref("extensions.funmoods_i.dnsErr", true);
Deleted : user_pref("extensions.funmoods_i.excTlbr", false);
Deleted : user_pref("extensions.funmoods_i.hmpg", true);
Deleted : user_pref("extensions.funmoods_i.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=ddrnw");
Deleted : user_pref("extensions.funmoods_i.id", "2816e73d0000000000001ae4003b288d");
Deleted : user_pref("extensions.funmoods_i.instlDay", "15376");
Deleted : user_pref("extensions.funmoods_i.instlRef", "");
Deleted : user_pref("extensions.funmoods_i.newTab", true);
Deleted : user_pref("extensions.funmoods_i.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=ddrnw");
Deleted : user_pref("extensions.funmoods_i.prdct", "funmoods");
Deleted : user_pref("extensions.funmoods_i.prtnrId", "funmoods");
Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
Deleted : user_pref("extensions.funmoods_i.srchPrvdr", "Search");
Deleted : user_pref("extensions.funmoods_i.tlbrId", "base");
Deleted : user_pref("extensions.funmoods_i.tlbrSrchUrl", "hxxp://start.funmoods.com/results.php?f=3&a=ddrnw&q=[...]
Deleted : user_pref("extensions.funmoods_i.vrsn", "1.5.11.16");
Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.11.1611:17:36");
Deleted : user_pref("extensions.funmoods_i.vrsni", "1.5.11.16");

*************************

AdwCleaner[R1].txt - [7513 octets] - [20/07/2012 13:52:34]
AdwCleaner[S1].txt - [6827 octets] - [20/07/2012 21:46:46]

########## EOF - C:\AdwCleaner[S1].txt - [6955 octets] ##########
20.07.2012, 21:26 | #14
/// Helper Team
Good, now please also the second scan: http://www.trojaner-board.de/119897-...tml#post870278
20.07.2012, 21:53 | #15
All right, it is running right now! But it will take a bit longer, I have been at 52% for an hour already. Here is the last scan!

Emsisoft Anti-Malware - Version 6.6
Letztes Update: 20.07.2012 22:01:05
Scan Einstellungen:
Scan Methode: Detail Scan
Objekte: Rootkits, Speicher, Traces, C:\, D:\, E:\
Archiv Scan: An
ADS Scan: An
Scan Beginn: 20.07.2012 22:01:33
C:\Users\Armin\Documents\Windows Loader\Windows Loader.exe gefunden: Riskware.Patch.Windows!E2
C:\Program Files (x86)\Trojan Remover\Trojan.Remover.v6.8.2.2600-patch.exe gefunden: Trojan.Crypt!E2
C:\Program Files (x86)\DAEMON Tools Pro\MSIMG32.dll gefunden: HackTool.Win32.Keygen.AMN!E1
C:\HP\Bin\EndProcess.exe gefunden: Riskware.Win32.KillApp!E1
Gescannt 919075
Gefunden 4
Scan Ende: 21.07.2012 02:16:17
Scan Zeit: 4:14:44