Hallo Forum,

ich hatte mir den o.a. Trojaner eingefangen und mit Malwarebytes eleminiert. Danach noch - wie empfohlen - ein Scan mit einem Alternativprogramm, in diesem Fall HitmanPro. Leider gab es die Option zur kostenlosen Handhabung nicht mehr, zwar ging noch der einmalige Scan, aber der nächste Schritt nur mit Registrierung/Kauf.

Anbei jedoch der Logfile mit der Bitte um Prüfung. Die gefundenen Tracking-Cookies sind nicht mit aufgeführt, die habe ich mit einer anderen Software entfernt. Bei den als "verdächtig" eingestuften Dateien bin ich mir ziemlich unsicher und bitte um Beurteilung. Besten Dank!

Herzl. Gruß
hensy25

Malware _____________________________________________________________________

C:\Programme\AskTBar\bar\1.bin\ASKTBAR.DLL
Size . . . . . . . : 245.760 bytes
Age . . . . . . . : 1103.9 days (2009-07-29 11:21:51)
Entropy . . . . . : 6.3
SHA-256 . . . . . : 809BBFA3FB67C79F1901B159B754DD955C5DEFE28D5879F91972D269D706D55C
Product . . . . . : Ask Toolbar for Internet Explorer
Publisher . . . . : Ask.com
Description . . . : Ask Toolbar
Version . . . . . : 2.1.10.2
Copyright . . . . : Copyright © 2006
Gossip . . . . . . : AskTBar
> a-Squared . . . . : Adware.Win32.AskTBar!A2
Fuzzy . . . . . . : 109.0
Startup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\
HKU\S-1-5-21-2062314907-146418175-14044502-1105\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{FE063DB9-4EC0-403E-8DD8-394C54984B2C}
References
HKLM\SOFTWARE\Classes\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\
HKLM\SOFTWARE\Classes\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\
HKU\S-1-5-21-2062314907-146418175-14044502-1105\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\
HKU\S-1-5-21-2062314907-146418175-14044502-1105\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\


Suspicious files ____________________________________________________________

C:\WINDOWS\system32\Finger32.OCX
Size . . . . . . . : 47.536 bytes
Age . . . . . . . : 1101.9 days (2009-07-31 11:12:34)
Entropy . . . . . : 5.6
SHA-256 . . . . . : 409B220E79436FFA72E01EE097EB75B1EFF0A5CC6F1CB3FD6619BCE2A741260E
Product . . . . . : Finger
Publisher . . . . : Mabry Software, Inc.
Description . . . : Mabry Internet Finger Control
Version . . . . . : 5.00.007
Copyright . . . . : Copyright © 1996-1998 by Mabry Software, Inc.
RSA Key Size . . . : 512
Authenticode . . . : Self-signed
Fuzzy . . . . . . : 26.0
Program is code signed with a weak certificate. This is common to malware.
Program is code self-signed.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\WINDOWS\system32\MRAS32.OCX
Size . . . . . . . : 57.264 bytes
Age . . . . . . . : 1101.9 days (2009-07-31 11:12:37)
Entropy . . . . . : 5.7
SHA-256 . . . . . : 164DB131F505BE923C957FDF4AC2D075ADD7105652860EF01393BC0038E0A939
Product . . . . . : RAS
Publisher
Description . . . : Mabry RAS Control
Version . . . . . : 1.00.011
Copyright . . . . : Copyright © 1996-1999 by Mabry Software, Inc.
RSA Key Size . . . : 512
Authenticode . . . : Self-signed
Fuzzy . . . . . . : 27.0
Program is code signed with a weak certificate. This is common to malware.
Program is code self-signed.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Authors name is missing in version info. This is not common to most programs.

C:\WINDOWS\system32\Time32.OCX
Size . . . . . . . : 46.512 bytes
Age . . . . . . . : 1101.9 days (2009-07-31 11:12:45)
Entropy . . . . . : 5.6
SHA-256 . . . . . : 8F67F311A4C92E46D9413DD4C5AE2F4E02EA00D02A3CE721152EB483101BC0E2
Product . . . . . : TIME
Publisher . . . . : Mabry Software, Inc.
Description . . . : Mabry Internet Time Control
Version . . . . . : 5.00.006
Copyright . . . . : Copyright © 1996-1998 by Mabry Software, Inc.
RSA Key Size . . . : 512
Authenticode . . . : Self-signed
Fuzzy . . . . . . : 26.0
Program is code signed with a weak certificate. This is common to malware.
Program is code self-signed.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\WINDOWS\system32\TwistedPixel.ocx
Size . . . . . . . : 412.200 bytes
Age . . . . . . . : 1101.9 days (2009-07-31 11:12:45)
Entropy . . . . . : 6.8
SHA-256 . . . . . : 20C86F20C3010632DE780ED2148CA8E87D7FF21A6236747B76657C1BC3DC09B1
Product . . . . . : TwistedPixel Imaging Control for WIndows 95/NT
Publisher . . . . : Bananas Software Inc
Description . . . : TwistedPixel OLE Control Module
Version . . . . . : 0.0.0.0
Copyright . . . . : Copyright © 1996-1997, Bananas Software Inc
RSA Key Size . . . : 512
Authenticode . . . : Self-signed
Fuzzy . . . . . . : 29.0
Program is code signed with a weak certificate. This is common to malware.
Program is code self-signed.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

C:\WINDOWS\system32\WhoIs32.OCX
Size . . . . . . . : 47.536 bytes
Age . . . . . . . : 1101.9 days (2009-07-31 11:12:47)
Entropy . . . . . : 5.5
SHA-256 . . . . . : DE53C78A40FEA419475D18681813C63E553D77B77C7CCB039255A233EE537EA8
Product . . . . . : WHOIS
Publisher . . . . : Mabry Software, Inc.
Description . . . : Mabry Internet WhoIs Control
Version . . . . . : 5.00.003
Copyright . . . . : Copyright © 1996-1998 by Mabry Software, Inc.
RSA Key Size . . . : 512
Authenticode . . . : Self-signed
Fuzzy . . . . . . : 26.0
Program is code signed with a weak certificate. This is common to malware.
Program is code self-signed.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.


Malware remnants ____________________________________________________________

C:\Dokumente und Einstellungen\HSiebel\Lokale Einstellungen\Anwendungsdaten\{b24b0897-f352-abba-bb31-5e9316fc9a28}\@ (ZeroAccess)
C:\Dokumente und Einstellungen\HSiebel\Lokale Einstellungen\Anwendungsdaten\{b24b0897-f352-abba-bb31-5e9316fc9a28}\L\ (ZeroAccess)
C:\Dokumente und Einstellungen\HSiebel\Lokale Einstellungen\Anwendungsdaten\{b24b0897-f352-abba-bb31-5e9316fc9a28}\U\ (ZeroAccess)
C:\WINDOWS\Installer\{b24b0897-f352-abba-bb31-5e9316fc9a28}\@ (ZeroAccess)
C:\WINDOWS\Installer\{b24b0897-f352-abba-bb31-5e9316fc9a28}\L\ (ZeroAccess)
C:\WINDOWS\Installer\{b24b0897-f352-abba-bb31-5e9316fc9a28}\U\ (ZeroAccess)
HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\ (Adware.MyWebSearch)

Ohne die Logs von Malwarebytes und Co wird das hier nichts.
Alles von Malwarebytes (und evtl. anderen Scannern) muss hier gepostet werden.

Bitte alles nach Möglichkeit hier in CODE-Tags posten.

Wird so gemacht:

[code] hier steht das Log [/code]

Und das ganze sieht dann so aus:

Code: Alles auswählenAufklappen

ATTFilter

 hier steht das Log