Log analysis and evaluation: Trojan: Bundespolizei - 100€ Ukash (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
Trojan: Bundespolizei - 100€ Ukash

Hello dear Trojaner-Board team,

Today a "Bundestrojaner" appeared on my machine without any warning and completely blocked my screen. The screen matches the one from the link almost exactly. In addition there are the tabs "What is Ukash" & "Where can I buy Ukash". http://www.trojaner-board.de/116052-...-gesperrt.html

My OS is Win7 64-bit. After a restart in Safe Mode I ran defogger and the OTL quick scan. Attached are OTL.txt and EXTRAS.txt.

Code:
ATTFilter OTL logfile created on: 10.08.2012 00:15:08 - Run 1 OTL by OldTimer - Version Folder = C:\Users\Marek\Desktop 64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,91 Gb Total Physical Memory | 3,38 Gb Available Physical Memory | 86,44% Memory free 7,81 Gb Paging File | 7,30 Gb Available in Paging File | 93,37% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86) Drive C: | 97,56 Gb Total Space | 57,90 Gb Free Space | 59,35% Space Free | Partition Type: NTFS Drive D: | 833,85 Gb Total Space | 688,97 Gb Free Space | 82,62% Space Free | Partition Type: NTFS Computer Name: MAREK-LAPTOP | User Name: Marek | Logged in as Administrator. Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan | Include 64bit Scans Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.08.10 00:09:31 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Marek\Desktop\OTL.exe ========== Modules (No Company Name) ========== ========== Win32 Services (SafeList) ========== SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt) SRV - [2012.08.03 19:55:19 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.08.01 20:33:12 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service) SRV - [2012.07.21 16:55:31 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] 
-- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.05.15 12:48:00 | 001,262,400 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService) SRV - [2012.05.11 11:51:42 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012.05.11 11:51:42 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate) SRV - [2012.03.02 23:22:09 | 000,076,888 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA) SRV - [2012.01.03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2011.03.28 22:11:06 | 002,292,096 | ---- | M] (Microsoft Corp.) 
[Auto | Stopped] -- C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc) SRV - [2011.02.15 18:16:46 | 000,033,792 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Hotkey\PowerBiosServer.exe -- (PowerBiosServer) SRV - [2011.02.01 07:24:42 | 002,656,280 | R--- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) SRV - [2011.02.01 07:24:40 | 000,326,168 | R--- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) SRV - [2011.01.05 14:41:38 | 001,515,792 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Programme\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) SRV - [2011.01.05 14:28:50 | 000,340,240 | ---- | M] () [On_Demand | Stopped] -- C:\Programme\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS) SRV - [2011.01.05 14:26:56 | 000,836,880 | ---- | M] (Intel(R) Corporation) [Auto | Stopped] -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) SRV - [2010.11.03 13:01:34 | 000,983,104 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe -- (Bluetooth OBEX Service) SRV - [2010.11.03 13:01:20 | 001,298,496 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe -- (Bluetooth Media Service) SRV - [2010.11.03 12:53:28 | 000,897,088 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe -- (Bluetooth Device Monitor) SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== 
Driver Services (SafeList) ========== DRV:64bit: - [2012.05.15 12:48:00 | 000,028,992 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\nvpciflt.sys -- (nvpciflt) DRV:64bit: - [2012.05.11 11:51:43 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb) DRV:64bit: - [2012.05.11 11:51:43 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt) DRV:64bit: - [2012.04.13 15:35:16 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01) DRV:64bit: - [2012.03.01 08:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec) DRV:64bit: - [2011.09.16 17:08:07 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\avkmgr.sys -- (avkmgr) DRV:64bit: - [2011.08.09 02:32:02 | 012,289,472 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx) DRV:64bit: - [2011.06.23 05:26:28 | 000,174,680 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\jmcr.sys -- (JMCR) DRV:64bit: - [2011.06.01 10:29:22 | 000,403,016 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tixhci.sys -- (tixhci) DRV:64bit: - [2011.06.01 10:29:20 | 000,131,144 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tihub3.sys -- (tihub3) DRV:64bit: - [2011.03.11 08:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata) DRV:64bit: - [2011.03.11 08:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] 
-- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata) DRV:64bit: - [2011.01.04 12:29:46 | 008,507,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwNs64.sys -- (NETwNs64) DRV:64bit: - [2010.11.21 05:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport) DRV:64bit: - [2010.11.21 05:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010.11.21 05:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub) DRV:64bit: - [2010.11.21 05:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc) DRV:64bit: - [2010.11.21 05:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt) DRV:64bit: - [2010.11.21 05:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus) DRV:64bit: - [2010.11.21 05:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD) DRV:64bit: - [2010.11.21 05:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010.11.10 11:07:28 | 000,123,920 | ---- | M] (JMicron Technology Corp.) 
[Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\JME.sys -- (JME) DRV:64bit: - [2010.11.04 06:07:06 | 000,058,128 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btmaux.sys -- (btmaux) DRV:64bit: - [2010.11.04 04:31:44 | 000,059,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\iBtFltCoex.sys -- (iBtFltCoex) DRV:64bit: - [2010.10.19 19:12:58 | 000,274,432 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btmhsf.sys -- (btmhsf) DRV:64bit: - [2010.10.19 10:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) DRV:64bit: - [2010.10.14 19:28:16 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) DRV:64bit: - [2010.09.16 13:14:56 | 001,393,200 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP) DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs) DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2) DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor) DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a) DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir) DRV:64bit: - [2009.04.08 15:28:46 | 000,068,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21) DRV - [2009.07.14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-DE IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D7 AA 4B DC 74 29 CD 01 [binary data] IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..network.proxy.http: "" FF - prefs.js..network.proxy.http_port: 3128 FF - prefs.js..network.proxy.type: 0 FF - user.js - File not found FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft 
Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll () FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.116.0: C:\Program Files (x86)\Battlelog Web Plugins\1.116.0\npesnlaunch.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.118.0: C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll (ESN Social Software AB) FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.21 16:55:31 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.04.13 01:09:58 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012.07.21 16:55:31 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012.04.13 01:09:58 | 000,000,000 | ---D | M] [2012.03.03 02:09:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marek\AppData\Roaming\mozilla\Extensions [2012.08.08 14:46:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marek\AppData\Roaming\mozilla\Firefox\Profiles\l2d7qlup.default\extensions [2012.08.03 18:41:58 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Marek\AppData\Roaming\mozilla\Firefox\Profiles\l2d7qlup.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [2012.03.18 14:51:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions [2012.05.19 17:16:16 | 005,438,448 | ---- | M] () (No name found) -- C:\USERS\MAREK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\L2D7QLUP.DEFAULT\EXTENSIONS\GREASEFIRE@SKRUL.COM.XPI [2012.05.05 14:03:45 | 000,004,404 | ---- | M] () (No name found) -- C:\USERS\MAREK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\L2D7QLUP.DEFAULT\EXTENSIONS\YOUTUBEUNBLOCKER@UNBLOCKER.YT.XPI [2012.07.21 16:55:31 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll [2012.03.06 02:51:25 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) 
-- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll [2011.12.09 19:23:32 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll [2012.02.16 13:02:53 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.02.16 12:48:01 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml [2012.02.16 13:02:53 | 000,001,153 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml [2012.02.16 13:02:53 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml [2012.02.16 13:02:53 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml [2012.02.16 13:02:53 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2009.06.10 23:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O4:64bit: - HKLM..\Run: [BTMTrayAgent] C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll (Intel Corporation) O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation) O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation) O4:64bit: - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite\launcher.exe (UPEK Inc.) 
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [WinampAgent] C:\Program Files (x86)\Winamp\winampa.exe (Nullsoft, Inc.) O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Marek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe () O4 - HKCU..\Run: [vgoqmryvllbucgw] C:\ProgramData\vgoqmryv.exe () O4 - Startup: C:\Users\Marek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O9 - Extra Button: ICQ7.7 - {77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - C:\Program Files (x86)\ICQ7.7\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7.7 - {77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - C:\Program Files (x86)\ICQ7.7\ICQ.exe (ICQ, LLC.) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Programme\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.) 
O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6ABD2CAA-95BE-408A-9235-1F239800277C}: DhcpNameServer = O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E8DAE3E8-8B53-4E19-B149-37AC946DC81E}: DhcpNameServer = O18:64bit: - Protocol\Handler\skype4com - No CLSID value found O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies) O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation) O20 - AppInit_DLLs: (C:\Windows\SysWOW64\nvinit.dll) - C:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found 
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation) O20:64bit: - Winlogon\Notify\psfus: DllName - (C:\Program Files\Protector Suite\psqlpwd.dll) - C:\Programme\Protector Suite\psqlpwd.dll (UPEK Inc.) O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{bc980dc3-8568-11e1-8ccd-0090f5c658d3}\Shell - "" = AutoRun O33 - MountPoints2\{bc980dc3-8568-11e1-8ccd-0090f5c658d3}\Shell\AutoRun\command - "" = F:\Razor1911_Installer.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2012.08.10 00:09:29 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Marek\Desktop\OTL.exe [2012.08.09 23:20:38 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{CDF926D8-452F-4B7D-B1AF-BC92CEEC68E0} [2012.08.09 23:06:38 | 000,000,000 | ---D | C] -- C:\ProgramData\kdoqemavlsshped [2012.08.09 11:14:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira [2012.08.09 10:29:27 | 000,000,000 | ---D | C] -- C:\Users\Marek\Desktop\Bachelor [2012.08.07 19:36:22 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{E0E7AFB8-5165-4F3A-B397-1E4963B7A5F0} [2012.08.07 19:36:09 | 000,000,000 | ---D | C] -- 
C:\Users\Marek\AppData\Local\{1FA134D8-D150-4ACF-8F1F-B8955DBA7E67} [2012.08.04 13:14:24 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{13CE70D8-A6A0-4903-8927-DB10A381FC32} [2012.08.04 13:14:11 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{50961F5D-14D9-45FC-B044-53258388F81F} [2012.08.03 22:00:14 | 000,000,000 | ---D | C] -- C:\Program Files\Fiji.app [2012.08.03 21:02:42 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\Spotify [2012.08.03 21:02:06 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Roaming\Spotify [2012.08.02 17:54:20 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{55473A05-F62F-4AB8-971D-82B52BBBF4F4} [2012.08.02 00:06:48 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{99EB1557-9275-414F-8D47-B2485EC2D4B8} [2012.08.02 00:06:36 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{F781ECAA-F783-445C-8D2A-94663CBEC61A} [2012.07.22 02:46:12 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft [2012.07.22 02:44:17 | 000,000,000 | RH-D | C] -- C:\Users\Marek\AppData\Roaming\SecuROM [2012.07.22 02:41:19 | 000,000,000 | ---D | C] -- C:\Users\Marek\Documents\Square Enix [2012.07.22 02:41:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games for Windows - LIVE [2012.07.22 02:40:37 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\xlive [2012.07.22 02:40:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Games for Windows - LIVE [2012.07.21 17:54:51 | 000,000,000 | ---D | C] -- C:\NVIDIA [2012.07.20 21:19:50 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\Microsoft Games [2012.07.20 20:41:30 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{BB9468F0-F9B7-46F4-8DA2-7787BC0AEFE0} [2012.07.20 20:41:17 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{AB81AF56-9D9B-4D5B-8519-680CF79EBFB3} [2012.07.15 22:25:05 | 000,000,000 | ---D | C] -- C:\Users\Marek\Documents\Hard Reset Extended [2012.07.14 
17:49:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft XNA [2012.07.14 16:50:24 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{2FA38458-2B65-4ACB-85DD-CF0667690558} [2012.07.14 16:50:12 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{37A733A3-BD15-4DBC-8AD2-7D970D93F8D2} [2012.07.11 21:28:07 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{D92AB2F4-AA42-4B82-A341-C1D179FE3DF9} [2012.07.11 21:27:54 | 000,000,000 | ---D | C] -- C:\Users\Marek\AppData\Local\{E585DAF6-A6C3-48A0-A290-5FDB72E6F6A7} ========== Files - Modified Within 30 Days ========== [2012.08.10 00:09:31 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Marek\Desktop\OTL.exe [2012.08.10 00:06:01 | 000,000,168 | ---- | M] () -- C:\Users\Marek\defogger_reenable [2012.08.10 00:04:17 | 000,050,477 | ---- | M] () -- C:\Users\Marek\Desktop\Defogger.exe [2012.08.09 23:51:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2012.08.09 23:51:27 | 3147,251,712 | -HS- | M] () -- C:\hiberfil.sys [2012.08.09 23:22:11 | 000,021,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2012.08.09 23:22:11 | 000,021,248 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2012.08.09 23:20:50 | 000,001,104 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012.08.09 23:06:39 | 000,000,051 | ---- | M] () -- C:\ProgramData\lzynlvsqblzuyrr [2012.08.09 23:06:33 | 000,061,440 | ---- | M] () -- C:\ProgramData\vgoqmryv.exe [2012.08.09 23:06:33 | 000,061,440 | ---- | M] () -- C:\Users\Marek\0.7031157712791132.exe [2012.08.09 22:55:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job [2012.08.09 22:14:00 | 000,001,108 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012.08.03 22:05:53 | 000,000,979 | ---- | M] () -- C:\Users\Marek\Desktop\fiji-win64 - Verknüpfung.lnk 
[2012.08.03 21:02:41 | 000,001,809 | ---- | M] () -- C:\Users\Marek\Desktop\Spotify.lnk [2012.07.25 21:42:44 | 000,000,208 | ---- | M] () -- C:\Users\Marek\Desktop\Metro 2033.url [2012.07.23 22:31:17 | 001,612,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2012.07.23 22:31:17 | 000,696,870 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat [2012.07.23 22:31:17 | 000,652,148 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2012.07.23 22:31:17 | 000,148,134 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat [2012.07.23 22:31:17 | 000,121,080 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2012.07.15 20:16:56 | 000,000,208 | ---- | M] () -- C:\Users\Marek\Desktop\Batman Arkham Asylum GOTY Edition.url [2012.07.15 18:42:20 | 000,000,206 | ---- | M] () -- C:\Users\Marek\Desktop\Dota 2.url [2012.07.14 17:44:05 | 000,000,209 | ---- | M] () -- C:\Users\Marek\Desktop\Terraria.url [2012.07.14 16:43:01 | 000,000,208 | ---- | M] () -- C:\Users\Marek\Desktop\Hard Reset.url [2012.07.11 03:21:25 | 000,292,872 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT ========== Files Created - No Company Name ========== [2012.08.10 00:06:01 | 000,000,168 | ---- | C] () -- C:\Users\Marek\defogger_reenable [2012.08.10 00:04:15 | 000,050,477 | ---- | C] () -- C:\Users\Marek\Desktop\Defogger.exe [2012.08.09 23:06:39 | 000,061,440 | ---- | C] () -- C:\ProgramData\vgoqmryv.exe [2012.08.09 23:06:34 | 000,000,051 | ---- | C] () -- C:\ProgramData\lzynlvsqblzuyrr [2012.08.09 23:06:32 | 000,061,440 | ---- | C] () -- C:\Users\Marek\0.7031157712791132.exe [2012.08.03 22:05:53 | 000,000,979 | ---- | C] () -- C:\Users\Marek\Desktop\fiji-win64 - Verknüpfung.lnk [2012.08.03 21:02:41 | 000,001,809 | ---- | C] () -- C:\Users\Marek\Desktop\Spotify.lnk [2012.08.03 21:02:41 | 000,001,795 | ---- | C] () -- C:\Users\Marek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk [2012.07.25 21:42:44 | 000,000,208 | ---- | C] () -- C:\Users\Marek\Desktop\Metro 2033.url 
[2012.07.15 20:16:00 | 000,000,208 | ---- | C] () -- C:\Users\Marek\Desktop\Batman Arkham Asylum GOTY Edition.url [2012.07.15 18:42:20 | 000,000,206 | ---- | C] () -- C:\Users\Marek\Desktop\Dota 2.url [2012.07.14 17:44:05 | 000,000,209 | ---- | C] () -- C:\Users\Marek\Desktop\Terraria.url [2012.07.14 16:43:00 | 000,000,208 | ---- | C] () -- C:\Users\Marek\Desktop\Hard Reset.url [2012.03.22 03:36:58 | 002,434,856 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_bc2.exe [2012.03.03 01:17:03 | 000,008,239 | ---- | C] () -- C:\Users\Marek\AppData\Local\backup.vtp [2012.03.03 01:08:17 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll [2012.03.03 01:08:16 | 013,903,872 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll [2012.03.03 01:08:16 | 000,963,116 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin [2012.03.03 01:08:16 | 000,216,000 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin [2012.03.03 01:08:16 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin [2012.03.02 20:08:32 | 000,283,304 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe [2012.03.02 20:08:30 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe [2012.02.14 19:39:50 | 001,589,650 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI ========== LOP Check ========== [2012.04.13 15:40:13 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\DAEMON Tools Lite [2012.08.09 23:13:20 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\ICQ [2012.03.03 02:17:35 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\LolClient [2012.05.26 01:02:32 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\LolClient2 [2012.03.20 03:50:15 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\Nicalis [2012.03.06 01:31:30 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\OpenOffice.org [2012.03.02 19:23:37 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\Origin [2012.03.03 01:16:58 | 000,000,000 | ---D | M] -- 
C:\Users\Marek\AppData\Roaming\Protector Suite
[2012.05.02 02:02:04 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\runic games
[2012.08.08 16:24:40 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\Spotify
[2012.07.12 23:11:07 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\TS3Client
[2012.03.14 15:15:29 | 000,000,000 | ---D | M] -- C:\Users\Marek\AppData\Roaming\Windows Live Writer
[2012.05.27 12:42:37 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========
@Alternate Data Stream - 5120 bytes -> C:\Users\Public\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 3584 bytes -> C:\ProgramData:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Marek\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Marek\Desktop\desktop.ini:gs5sys

< End of report >

Regards, OCLoad
#2
/// Malware-holic | Trojaner: Bundespolizei - 100€ Ukash

hi,
This script, as well as any scripts that follow, is only for this particular user. If you have problems, open your own topic and wait for scripts tailored to you.

• Please start OTL.exe
• Now copy the following into the text box.

Code:
:OTL
O4 - HKCU..\Run: [vgoqmryvllbucgw] C:\ProgramData\vgoqmryv.exe ()
[2012.08.09 23:06:39 | 000,000,051 | ---- | M] () -- C:\ProgramData\lzynlvsqblzuyrr
[2012.08.09 23:06:33 | 000,061,440 | ---- | M] () -- C:\ProgramData\vgoqmryv.exe
[2012.08.09 23:06:33 | 000,061,440 | ---- | M] () -- C:\Users\Marek\0.7031157712791132.exe
:Files
C:\ProgramData\vgoqmryv.exe
:Commands
[Reboot]

• Now please close all programs.
• Now please click the Fix button.
• OTL may ask for a restart. Please allow it.
• After the restart you will find a text document; paste its contents into your next reply here.

Start in normal mode. If you have no icons, right-click, View, Show desktop icons.

Note: Please also upload the file to the UpChannel as described in its instructions. Please do NOT post the ZIP file here as an attachment in the thread!

Please press the
For further analysis I need the following: c:\Users\name\AppData\LocalLow\Sun\Java\Deployment\cache. There, right-click the cache folder, pack it with WinRAR or another program, and please upload it to the upload channel: Trojaner-Board Upload Channel. When this is done, please report back.
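As an added, defender-side illustration of what the OTL fix script in post #2 picks out (example code of my own, not the forum's and not OldTimer's tool): a small Python triage pass over the OTL lines quoted in this thread that flags the dropped files and the HKCU Run entry and renders them in the shape of that fix script. The drop-directory, random-name and recency heuristics are my assumptions; the sample lines are copied from the log above.

```python
# Added example (not the forum's or OldTimer's code): triage OTL "Files Created" and
# O4 autorun lines for the pattern seen in this thread. Heuristics are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# "Files Created"/"Files Modified" line, e.g.
# [2012.08.09 23:06:39 | 000,061,440 | ---- | C] () -- C:\ProgramData\vgoqmryv.exe
FILE_RE = re.compile(
    r"\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)
# O4 autorun line, e.g.  O4 - HKCU..\Run: [vgoqmryvllbucgw] C:\ProgramData\vgoqmryv.exe ()
RUN_RE = re.compile(
    r"O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)\s*$"
)
HEADER_RE = re.compile(r"OTL logfile created on: (\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})")

# Constructed sample: the relevant lines from the thread's OTL output plus benign neighbours.
SAMPLE_LOG = r"""
OTL logfile created on: 10.08.2012 00:15:08 - Run 1
O4 - HKCU..\Run: [vgoqmryvllbucgw] C:\ProgramData\vgoqmryv.exe ()
[2012.08.10 00:06:01 | 000,000,168 | ---- | C] () -- C:\Users\Marek\defogger_reenable
[2012.08.10 00:04:15 | 000,050,477 | ---- | C] () -- C:\Users\Marek\Desktop\Defogger.exe
[2012.08.09 23:06:39 | 000,061,440 | ---- | C] () -- C:\ProgramData\vgoqmryv.exe
[2012.08.09 23:06:34 | 000,000,051 | ---- | C] () -- C:\ProgramData\lzynlvsqblzuyrr
[2012.08.09 23:06:32 | 000,061,440 | ---- | C] () -- C:\Users\Marek\0.7031157712791132.exe
[2012.08.03 21:02:41 | 000,001,809 | ---- | C] () -- C:\Users\Marek\Desktop\Spotify.lnk
"""


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)
    raw_lines: list[str] = field(default_factory=list)


def in_drop_dir(path: str) -> bool:
    """True for a file sitting directly in C:\\ProgramData or in a user profile root."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if len(parts) == 3 and parts[1] == "programdata":
        return True
    return len(parts) == 4 and parts[1] == "users"


def random_looking(stem: str) -> bool:
    """Bare float names (0.7031157712791132) or long lowercase runs with few vowels."""
    if re.fullmatch(r"\d+\.\d+", stem):
        return True
    if re.fullmatch(r"[a-z]{8,}", stem):
        return sum(c in "aeiou" for c in stem) / len(stem) < 0.25
    return False


def triage(log: str, window: timedelta = timedelta(hours=24)) -> list[Finding]:
    """One Finding per suspicious path, merging file-creation and autorun evidence."""
    m = HEADER_RE.search(log)
    report_time = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S") if m else None
    findings: dict[str, Finding] = {}

    def note(path: str, line: str, reason: str) -> None:
        f = findings.setdefault(path.lower(), Finding(path))
        f.reasons.append(reason)
        if line not in f.raw_lines:
            f.raw_lines.append(line)

    for line in (raw.strip() for raw in log.splitlines()):
        if run := RUN_RE.match(line):
            # A Run value into a drop directory with no company name: the persistence post #2 removes.
            if in_drop_dir(run["path"]) and not run["company"].strip():
                note(run["path"], line, f"{run['hive']} Run [{run['name']}] from drop directory")
            continue
        fm = FILE_RE.match(line)
        if not fm or not in_drop_dir(fm["path"]):
            continue
        p, reasons = PureWindowsPath(fm["path"]), []
        if random_looking(p.stem):
            reasons.append("random-looking name")
        if p.suffix.lower() == ".exe" and not fm["company"].strip():
            reasons.append("executable without company name")
        if not reasons:  # recency alone is not enough: defogger_reenable is recent too
            continue
        created = datetime.strptime(fm["ts"], "%Y.%m.%d %H:%M:%S")
        if fm["kind"] == "C" and report_time and timedelta(0) <= report_time - created <= window:
            reasons.append(f"created {report_time - created} before the report")
        for reason in reasons:
            note(fm["path"], line, reason)
    return sorted(findings.values(), key=lambda f: f.path.lower())


def build_otl_fix(findings: list[Finding]) -> str:
    """OTL fix script in the shape of post #2: matched lines under :OTL, paths under :Files, reboot."""
    otl = [line for f in findings for line in f.raw_lines]
    return "\n".join([":OTL", *otl, ":Files", *(f.path for f in findings), ":Commands", "[Reboot]"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.path, "<-", "; ".join(f.reasons))
    print(build_otl_fix(found))
```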
#3
Trojaner: Bundespolizei - 100€ Ukash

Hello markusg,
Thanks for the quick reply; I did not expect one at that hour, which is why I am only answering now. I did not find a new text file after the fix run and the restart by OTL. Quote:
By the way, the computer now also starts without safe mode.

Regards, OCLoad
#4
/// Malware-holic | Trojaner: Bundespolizei - 100€ Ukash

hi, well, that is how it should be :-) I'll find the text file in the upload then, so that's fine :-) Thanks for uploading.

Combofix may only be run when a team member has instructed you to do so! Please download Combofix from one of these download mirrors: Link 1 Link 2. IMPORTANT - Save Combofix to your desktop.
When Combofix is finished, it will create a log file. Please post C:\Combofix.txt in your next reply. Note: Should you receive the following error message after the restart Quote:
- Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de. Forwarding instructions: http://markusg.trojaner-board.de. For now, please forward mails to markusg.trojaner-board@web.de following the instructions above. If you would like to support us
#5
Trojaner: Bundespolizei - 100€ Ukash

Hello again. Here is the log.txt. Code:
ATTFilter ComboFix 12-08-09.01 - Marek 10.08.2012 19:30:55.1.4 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.49.1031.18.4002.2198 [GMT 2:00] ausgeführt von:: c:\users\Marek\Downloads\ComboFix.exe AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C} SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\programdata\Roaming . . ((((((((((((((((((((((( Dateien erstellt von 2012-07-10 bis 2012-08-10 )))))))))))))))))))))))))))))) . . 2012-08-10 17:34 . 2012-08-10 17:34 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2012-08-10 17:34 . 2012-08-10 17:34 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-08-10 17:12 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1BEAF0FC-F7CA-4583-B296-A76C0A245EBF}\mpengine.dll 2012-08-10 17:04 . 2012-08-10 17:12 -------- d-----w- C:\_OTL 2012-08-09 21:06 . 2012-08-09 21:06 -------- d-----w- c:\programdata\kdoqemavlsshped 2012-08-03 20:00 . 2012-08-03 20:05 -------- d-----w- c:\program files\Fiji.app 2012-08-03 19:02 . 2012-08-08 14:19 -------- d-----w- c:\users\Marek\AppData\Local\Spotify 2012-08-03 19:02 . 2012-08-08 14:24 -------- d-----w- c:\users\Marek\AppData\Roaming\Spotify 2012-07-22 00:44 . 2012-07-22 00:44 -------- d--h--r- c:\users\Marek\AppData\Roaming\SecuROM 2012-07-22 00:40 . 2012-07-22 00:41 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE 2012-07-22 00:40 . 2012-07-22 00:40 -------- d-----w- c:\windows\SysWow64\xlive 2012-07-21 15:54 . 2012-07-21 15:54 -------- d-----w- C:\NVIDIA 2012-07-20 19:19 . 2012-07-20 19:22 -------- d-----w- c:\users\Marek\AppData\Local\Microsoft Games 2012-07-14 15:49 . 2012-07-14 15:49 -------- d-----w- c:\program files (x86)\Microsoft XNA . . . 
(((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-08-03 17:55 . 2012-04-11 10:42 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-08-03 17:55 . 2012-03-02 18:35 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-11 01:01 . 2012-02-14 18:12 59701280 ----a-w- c:\windows\system32\MRT.exe 2012-06-12 03:08 . 2012-07-11 01:04 3148800 ----a-w- c:\windows\system32\win32k.sys 2012-06-09 05:43 . 2012-07-10 23:08 14172672 ----a-w- c:\windows\system32\shell32.dll 2012-06-06 06:06 . 2012-07-10 23:08 2004480 ----a-w- c:\windows\system32\msxml6.dll 2012-06-06 06:06 . 2012-07-10 23:08 1881600 ----a-w- c:\windows\system32\msxml3.dll 2012-06-06 06:02 . 2012-07-10 23:08 1133568 ----a-w- c:\windows\system32\cdosys.dll 2012-06-06 05:05 . 2012-07-10 23:08 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll 2012-06-06 05:05 . 2012-07-10 23:08 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll 2012-06-06 05:03 . 2012-07-10 23:08 805376 ----a-w- c:\windows\SysWow64\cdosys.dll 2012-06-02 22:19 . 2012-06-22 17:06 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2012-06-22 17:07 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 22:19 . 2012-06-22 17:07 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2012-06-22 17:07 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2012-06-22 17:06 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:15 . 2012-06-22 17:07 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-02 22:15 . 2012-06-22 17:06 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-02 13:19 . 2012-06-22 17:06 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-02 13:15 . 2012-06-22 17:06 36864 ----a-w- c:\windows\system32\wuapp.exe 2012-06-02 12:49 . 2012-07-11 01:00 17807360 ----a-w- c:\windows\system32\mshtml.dll 2012-06-02 12:17 . 2012-07-11 01:00 10924032 ----a-w- c:\windows\system32\ieframe.dll 2012-06-02 12:12 . 
2012-07-11 01:00 2311680 ----a-w- c:\windows\system32\jscript9.dll 2012-06-02 12:05 . 2012-07-11 01:00 1346048 ----a-w- c:\windows\system32\urlmon.dll 2012-06-02 12:05 . 2012-07-11 01:00 1392128 ----a-w- c:\windows\system32\wininet.dll 2012-06-02 12:04 . 2012-07-11 01:00 1494528 ----a-w- c:\windows\system32\inetcpl.cpl 2012-06-02 12:04 . 2012-07-11 01:00 237056 ----a-w- c:\windows\system32\url.dll 2012-06-02 12:03 . 2012-07-11 01:00 85504 ----a-w- c:\windows\system32\jsproxy.dll 2012-06-02 12:01 . 2012-07-11 01:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe 2012-06-02 12:00 . 2012-07-11 01:00 818688 ----a-w- c:\windows\system32\jscript.dll 2012-06-02 11:59 . 2012-07-11 01:00 2144768 ----a-w- c:\windows\system32\iertutil.dll 2012-06-02 11:57 . 2012-07-11 01:00 96768 ----a-w- c:\windows\system32\mshtmled.dll 2012-06-02 11:57 . 2012-07-11 01:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-06-02 11:54 . 2012-07-11 01:00 248320 ----a-w- c:\windows\system32\ieui.dll 2012-06-02 08:33 . 2012-07-11 01:00 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll 2012-06-02 08:25 . 2012-07-11 01:00 1129472 ----a-w- c:\windows\SysWow64\wininet.dll 2012-06-02 08:25 . 2012-07-11 01:00 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl 2012-06-02 08:20 . 2012-07-11 01:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe 2012-06-02 08:16 . 2012-07-11 01:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2012-06-02 05:50 . 2012-07-10 23:08 458704 ----a-w- c:\windows\system32\drivers\cng.sys 2012-06-02 05:48 . 2012-07-10 23:08 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2012-06-02 05:48 . 2012-07-10 23:08 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2012-06-02 05:45 . 2012-07-10 23:08 340992 ----a-w- c:\windows\system32\schannel.dll 2012-06-02 05:44 . 2012-07-10 23:08 307200 ----a-w- c:\windows\system32\ncrypt.dll 2012-06-02 04:40 . 2012-07-10 23:08 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2012-06-02 04:40 . 
2012-07-10 23:08 225280 ----a-w- c:\windows\SysWow64\schannel.dll 2012-06-02 04:39 . 2012-07-10 23:08 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll 2012-06-02 04:34 . 2012-07-10 23:08 96768 ----a-w- c:\windows\SysWow64\sspicli.dll 2012-05-31 10:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe 2012-05-17 13:17 . 2012-03-02 20:46 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr 2012-05-17 13:17 . 2012-03-02 18:08 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.exe 2012-05-17 13:16 . 2012-03-02 18:08 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0 2012-05-15 10:48 . 2012-03-02 23:23 949056 ----a-w- c:\windows\system32\nvumdshimx.dll 2012-05-15 10:48 . 2012-03-02 23:23 68928 ----a-w- c:\windows\system32\OpenCL.dll 2012-05-15 10:48 . 2012-03-02 23:23 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll 2012-05-15 10:48 . 2012-03-02 23:23 2741568 ----a-w- c:\windows\system32\nvapi64.dll 2012-05-15 10:48 . 2012-03-02 23:23 246592 ----a-w- c:\windows\system32\nvinitx.dll 2012-05-15 10:48 . 2012-03-02 23:23 202048 ----a-w- c:\windows\SysWow64\nvinit.dll 2012-05-15 10:48 . 2012-03-02 23:23 1738048 ----a-w- c:\windows\system32\nvdispco64.dll 2012-05-15 10:48 . 2012-03-02 23:23 1468224 ----a-w- c:\windows\system32\nvgenco64.dll 2012-05-15 09:29 . 2012-03-02 23:24 889664 ----a-w- c:\windows\system32\nvvsvc.exe 2012-05-15 09:29 . 2012-03-02 23:24 858944 ----a-w- c:\windows\system32\nv3dappshext.dll 2012-05-15 09:29 . 2012-03-02 23:24 63296 ----a-w- c:\windows\system32\nvshext.dll 2012-05-15 09:29 . 2012-03-02 23:24 55616 ----a-w- c:\windows\system32\nv3dappshextr.dll 2012-05-15 09:29 . 2012-03-02 23:24 2561856 ----a-w- c:\windows\system32\nvsvcr.dll 2012-05-15 09:29 . 2012-03-02 23:24 118080 ----a-w- c:\windows\system32\nvmctray.dll 2012-05-15 09:29 . 2012-03-02 23:24 2621723 ----a-w- c:\windows\system32\nvcoproc.bin 2012-05-15 09:29 . 2012-03-02 23:24 3149632 ----a-w- c:\windows\system32\nvsvc64.dll 2012-05-15 09:28 . 
2012-03-02 23:24 6151488 ----a-w- c:\windows\system32\nvcpl.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Spotify Web Helper"="c:\users\Marek\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-03 1193176] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664] "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2011-12-09 74752] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] . c:\users\Marek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Hotkey.lnk - c:\program files (x86)\Hotkey\Hotkey.exe [2011-9-6 3080192] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\Protector Suite\psqlpwd.dll Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . 
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2010-11-03 897088] R2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2010-11-03 983104] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 gupdate;Google Update-Dienst (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 116648] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-05-03 158856] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056] R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2010-11-03 1298496] R3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2010-11-04 58128] R3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2010-10-19 274432] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 GPU-Z;GPU-Z;c:\users\Marek\AppData\Local\Temp\GPU-Z.sys [x] R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 116648] R3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2010-11-04 59904] R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2011-06-23 174680] R3 JME;JMicron Ethernet Adapter NDIS6.0 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [2010-11-10 123920] R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-21 113120] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-01-05 340240] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992] R3 Synth3dVsc;Microsoft 
Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 88960] R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2012-05-15 28992] S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-09-16 27760] S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-04-13 283200] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928] S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-11 86224] S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400] S2 PowerBiosServer;PowerBiosServer;c:\program files (x86)\Hotkey\PowerBiosServer.exe [2011-02-15 33792] S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280] S3 IntcDAud;Intel(R) Display-Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440] S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344] S3 NETwNs64;___ Intel(R) Wireless WiFi Link der Serie 5000 Adaptertreiber für Windows 7 64-Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [2011-01-04 8507392] S3 tihub3;TI USB3 Hub 
Service;c:\windows\system32\DRIVERS\tihub3.sys [2011-06-01 131144] S3 tixhci;TI XHCI Service;c:\windows\system32\DRIVERS\tixhci.sys [2011-06-01 403016] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920] . . Inhalt des "geplante Tasks" Ordners . 2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 17:55] . 2012-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 20:57] . 2012-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 20:57] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay] @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}" [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}] 2010-04-27 14:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen] @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}" [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}] 2010-04-27 14:48 5947656 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-08-11 167704] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-08-11 392472] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-08-11 416024] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-26 11775592] "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-05 1933584] "PSQLLauncher"="c:\program files\Protector Suite\launcher.exe" [2010-04-27 84744] "BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2010-11-03 10228224] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x1 "AppInit_DLLs"=c:\windows\System32\nvinitx.dll . ------- Zusätzlicher Suchlauf ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: {{77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - c:\program files (x86)\ICQ7.7\ICQ.exe TCP: DhcpNameServer = FF - ProfilePath - c:\users\Marek\AppData\Roaming\Mozilla\Firefox\Profiles\l2d7qlup.default\ FF - prefs.js: network.proxy.http - FF - prefs.js: network.proxy.http_port - 3128 FF - prefs.js: network.proxy.type - 0 . - - - - Entfernte verwaiste Registrierungseinträge - - - - . HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe AddRemove-BattlEye A2 Free - d:\spiele\Bohemia Interactive\ArmA 2 FreeBattlEye\UnInstallBE.exe AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_USERS\S-1-5-21-4216357410-1394829192-3331041246-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice] @Denied: (2) (LocalSystem) "Progid"="WindowsLiveMail.Email.1" . [HKEY_USERS\S-1-5-21-4216357410-1394829192-3331041246-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice] @Denied: (2) (LocalSystem) "Progid"="WindowsLiveMail.VCard.1" . [HKEY_USERS\S-1-5-21-4216357410-1394829192-3331041246-1000\Software\SecuROM\License information*] "datasecu"=hex:a6,f7,dd,ca,8c,da,6f,b0,9e,cb,2e,a3,09,96,5f,b3,31,1e,1f,0d,9b, 1d,1d,b4,07,48,42,e4,6b,79,ea,c4,c7,23,4e,52,67,01,2d,24,51,e9,23,e5,c0,f5,\ "rkeysecu"=hex:c1,67,da,7f,05,c5,7a,ab,99,f9,4b,31,5c,f8,bd,d2 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2012-08-10 19:36:05 ComboFix-quarantined-files.txt 2012-08-10 17:36 . Vor Suchlauf: 10 Verzeichnis(se), 62.203.334.656 Bytes frei Nach Suchlauf: 13 Verzeichnis(se), Bytes frei . 
- - End Of File - - E76441B0ADF15D93DB625408651F2AAE

Regards, OCLoad
#6
/// Malware-holic | Trojaner: Bundespolizei - 100€ Ukash

hi. Malwarebytes: please download Malwarebytes
#7
Trojaner: Bundespolizei - 100€ Ukash

Hello again, here is the Malwarebytes log. Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Datenbank Version: v2012.08.10.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Marek :: MAREK-LAPTOP [Administrator]

10.08.2012 21:29:03
mbam-log-2012-08-10 (21-29-03).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 451929
Laufzeit: 51 Minute(n), 18 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 2
C:\_OTL\MovedFiles\08102012_190453\C_ProgramData\vgoqmryv.exe (Trojan.Winlock.P) -> Erfolgreich gelöscht und in Quarantäne gestellt.
C:\_OTL\MovedFiles\08102012_190453\C_Users\Marek\0.7031157712791132.exe (Trojan.Winlock.P) -> Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)
#8
/// Malware-holic | Trojaner: Bundespolizei - 100€ Ukash

Sorry for the wait. Download the CCleaner standard edition: CCleaner Download - CCleaner 3.21.1767. If CCleaner is already installed, skip that step. Install it, open it, go to Tools, list of installed programs, save as txt. Open the file. Behind each program you need, write "notwendig" (necessary). Behind each one you do not need, "unnötig" (unnecessary). Behind those unknown to you, "unbekannt" (unknown). Post the list.
#9
Trojaner: Bundespolizei - 100€ Ukash

Hello markusg, I thought the virus removal was finished and therefore did not check this thread for a while. Here is the list. Code:
Adobe Flash Player 11 ActiveX Adobe Systems Incorporated 18.08.2012 6,00MB 11.3.300.271 notwendig
Adobe Flash Player 11 Plugin Adobe Systems Incorporated 20.08.2012 6,00MB 11.3.300.271 notwendig
Adobe Reader X (10.1.4) - Deutsch Adobe Systems Incorporated 18.08.2012 122MB 10.1.4 notwendig
ArmA 2 Free Uninstall 07.07.2012 notwendig
Avira Free Antivirus Avira 09.08.2012 109MB notwendig
Batman: Arkham Asylum GOTY Edition Rocksteady Studios Ltd. 15.07.2012 notwendig
Battlefield 3™ Electronic Arts 02.03.2012 notwendig
Battlefield: Bad Company™ 2 Electronic Arts 22.03.2012 8,34GB notwendig
Battlelog Web Plugins EA Digital Illusions CE AB 28.03.2012 1.118.0 notwendig
BattlEye (A2Free) Uninstall 08.07.2012 notwendig
CCleaner Piriform 24.07.2012 3.21 notwendig
Counter-Strike Valve 10.04.2012 notwendig
Counter-Strike: Source Valve 25.04.2012 notwendig
DAEMON Tools Lite DT Soft Ltd 13.04.2012 unnötig
Day of Defeat: Source Valve 21.04.2012 notwendig
Dota 2 15.07.2012 notwendig
Dungeons of Dredmor 25.04.2012 notwendig
ESN Sonar ESN Social Software AB 13.03.2012 0.70.4 unbekannt
Fraps 02.03.2012 notwendig
Frozen Synapse 22.04.2012 notwendig
Google Earth Plug-in Google 20.04.2012 48,7MB notwendig
Hard Reset 14.07.2012 notwendig
Hotkey 3.3044 NoteBook 03.03.2012 7,16MB 3.3044 notwendig
ICQ7.7 ICQ 02.03.2012 7.7 notwendig
Intel(R) Management Engine Components Intel Corporation 01.02.2011 notwendig
Intel(R) Processor Graphics Intel Corporation 22.08.2012 notwendig
Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology Intel Corporation 03.03.2012 87,9MB notwendig
Intel(R) PROSet/Wireless WiFi-Software Intel Corporation 03.03.2012 137MB 14.0.2000 notwendig
Jamestown 05.03.2012 notwendig
Java(TM) 6 Update 31 Oracle 06.03.2012 95,1MB 6.0.310 notwendig
JDownloader 0.9 AppWork GmbH 05.03.2012 0.9 notwendig
JMicron Ethernet Adapter NDIS Driver JMicron Technology Corp. 09.08.2012 notwendig
JMicron Flash Media Controller Driver JMicron Technology Corp. 03.03.2012 notwendig
Killing Floor Tripwire Interactive 03.03.2012 notwendig
League of Legends Riot Games 03.03.2012 1.02.0000 notwendig
Left 4 Dead 2 Valve 03.03.2012 notwendig
Magicka Arrowhead Game Studios AB 05.03.2012 notwendig
Malwarebytes Anti-Malware Version Malwarebytes Corporation 10.08.2012 18,7MB unnötig
Metro 2033 THQ 25.07.2012 notwendig
Microsoft .NET Framework 4 Client Profile Microsoft Corporation 14.02.2012 38,8MB 4.0.30319 unbekannt
Microsoft .NET Framework 4 Client Profile DEU Language Pack Microsoft Corporation 14.02.2012 2,93MB 4.0.30319 unbekannt
Microsoft .NET Framework 4 Extended Microsoft Corporation 14.02.2012 51,9MB 4.0.30319 unbekannt
Microsoft .NET Framework 4 Extended DEU Language Pack Microsoft Corporation 14.02.2012 10,6MB 4.0.30319 unbekannt
Microsoft Games for Windows - LIVE Microsoft Corporation 22.07.2012 9,31MB notwendig
Microsoft Games for Windows - LIVE Redistributable Microsoft Corporation 22.07.2012 33,5MB notwendig
Microsoft Office Enterprise 2007 Microsoft Corporation 23.08.2012 12.0.6612.1000 notwendig
Microsoft Silverlight Microsoft Corporation 15.05.2012 100MB 5.1.10411.0 unbekannt
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 22.03.2012 300KB 8.0.59193 unbekannt
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 Microsoft Corporation 05.03.2012 1,70MB 9.0.21022 unbekannt
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 03.03.2012 788KB 9.0.30729 unbekannt
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Corporation 07.03.2012 788KB 9.0.30729.6161 unbekannt
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Corporation 05.03.2012 1,69MB 9.0.21022 unbekannt
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 Microsoft Corporation 02.05.2012 1,46MB 9.0.30411 unbekannt
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 02.03.2012 596KB 9.0.30729 unbekannt
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation 06.03.2012 596KB 9.0.30729.4148 unbekannt
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 07.03.2012 600KB 9.0.30729.6161 unbekannt
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 Microsoft Corporation 07.03.2012 13,8MB 10.0.40219 unbekannt
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 Microsoft Corporation 07.03.2012 16,5MB 10.0.40219 unbekannt
Microsoft XNA Framework Redistributable 4.0 Microsoft Corporation 14.07.2012 8,03MB 4.0.20823.0 unbekannt
Mozilla Firefox 14.0.1 (x86 de) Mozilla 21.07.2012 36,9MB 14.0.1 notwendig
Mozilla Maintenance Service Mozilla 21.07.2012 309KB 14.0.1 unbekannt
NightSky 20.03.2012 notwendig
NVIDIA Grafiktreiber 301.42 NVIDIA Corporation 22.08.2012 301.42 notwendig
NVIDIA PhysX-Systemsoftware 9.12.0213 NVIDIA Corporation 21.07.2012 9.12.0213 notwendig
NVIDIA Update 1.8.15 NVIDIA Corporation 22.08.2012 1.8.15 notwendig
OpenAL 13.03.2012 unbekannt
OpenOffice.org 3.3 OpenOffice.org 06.03.2012 414MB 3.3.9567 notwendig
Origin Electronic Arts, Inc. 02.03.2012 notwendig
Portal 2 Valve 13.05.2012 notwendig
Protector Suite 2009 UPEK Inc. 03.03.2012 121MB notwendig
PunkBuster Services Even Balance, Inc. 22.03.2012 0.988 notwendig
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 03.03.2012 notwendig
Samorost 2 Amanita Design 22.04.2012 notwendig
Shank Electronic Arts 31.03.2012 notwendig
Skype™ 5.9 Skype Technologies S.A. 19.05.2012 19,3MB 5.9.115 notwendig
SpaceChem 20.03.2012 notwendig
SpeedFan (remove only) 02.03.2012 notwendig
Spotify Spotify AB 03.08.2012 notwendig
Spybot - Search & Destroy Safer Networking Limited 10.08.2012 1.6.2 notwendig
Steam Valve Corporation 02.03.2012 35,4MB notwendig
Synaptics Pointing Device Driver Synaptics Incorporated 03.03.2012 46,4MB notwendig
System Requirements Lab for Intel (64-bit) Husdawg, LLC 22.08.2012 935KB unnötig
Team Fortress 2 Valve 06.03.2012 notwendig
TeamSpeak 3 Client TeamSpeak Systems GmbH 02.08.2012 notwendig
Terraria 14.07.2012 notwendig
The Binding Of Isaac 02.03.2012 notwendig
TI USB 3.0 Host Controller Driver Ihr Firmenname 03.03.2012 1,03MB notwendig
Torchlight Runic Games, Inc. 22.04.2012 notwendig
Trine Frozenbyte 22.04.2012 notwendig
VLC media player 2.0.0 VideoLAN 03.03.2012 2.0.0 notwendig
Warcraft III Blizzard Entertainment 08.07.2012 notwendig
Winamp Nullsoft, Inc 03.03.2012 5.623 notwendig
Winamp Erkennungs-Plug-in Nullsoft, Inc 03.03.2012 75,0KB notwendig
Windows Live Essentials Microsoft Corporation 22.04.2012 15.4.3555.0308 notwendig
WinRAR 4.11 (64-Bit) win.rar GmbH 17.03.2012 4.11.0 notwendig
Zeno Clash ACE Team 31.03.2012 notwendig

This is explained in more detail here: http://www.trojaner-board.de/106867-...tml#post895689

Regards, OCLoad
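The pasted inventory above runs all entries together, which makes it hard to see what was installed around the day of the infection or which entries the user wants gone. The following Python is an added example, not code from this thread or from any tool the posters used: it splits such a paste back into records by treating the poster's own classification labels (notwendig / unnötig / unbekannt) as record terminators, then answers the two triage questions a helper usually asks first: what was installed on or after the incident day, and which entries are not marked as necessary. The sample text is a constructed subset of the entries listed above; INCIDENT_DATE is taken from the OTL log date in the first post (10.08.2012) and is assumed to be the incident day. Program name and publisher stay in one field, because the paste gives no delimiter between them that could be split reliably.

```python
import re
from datetime import date

# Constructed sample: a few entries copied from the pasted inventory in the post
# above. In the real paste all entries run together on one line exactly like this.
SAMPLE = (
    "Adobe Flash Player 11 ActiveX Adobe Systems Incorporated 18.08.2012 6,00MB 11.3.300.271 notwendig "
    "Avira Free Antivirus Avira 09.08.2012 109MB notwendig "
    "DAEMON Tools Lite DT Soft Ltd 13.04.2012 unnötig "
    "ESN Sonar ESN Social Software AB 13.03.2012 0.70.4 unbekannt "
    "Java(TM) 6 Update 31 Oracle 06.03.2012 95,1MB 6.0.310 notwendig "
    "Malwarebytes Anti-Malware Version Malwarebytes Corporation 10.08.2012 18,7MB unnötig "
    "Spybot - Search & Destroy Safer Networking Limited 10.08.2012 1.6.2 notwendig"
)

# Date of the OTL log in the first post; assumed here to be the incident day.
INCIDENT_DATE = date(2012, 8, 10)

# The poster's own labels terminate each record.
STATUS_RE = re.compile(r"\b(notwendig|unnötig|unbekannt)\b")
DATE_RE = re.compile(r"\b(\d{2})\.(\d{2})\.(\d{4})\b")      # dd.MM.yyyy
SIZE_RE = re.compile(r"\b\d+(?:,\d+)?(?:KB|MB|GB)\b")       # German decimal comma
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")               # e.g. 11.3.300.271


def parse_inventory(text):
    """Split a run-together inventory into dicts: name, installed, size, version, status."""
    entries = []
    parts = STATUS_RE.split(text)        # [chunk, status, chunk, status, ..., tail]
    for i in range(0, len(parts) - 1, 2):
        chunk, status = parts[i].strip(), parts[i + 1]
        m = DATE_RE.search(chunk)
        if not m:
            continue                     # no install date: nothing to anchor on, skip
        day, month, year = (int(g) for g in m.groups())
        # Everything before the date is name + publisher; size and version follow it.
        head, tail = chunk[:m.start()].strip(), chunk[m.end():].strip()
        size_m = SIZE_RE.search(tail)
        ver_m = VERSION_RE.search(SIZE_RE.sub("", tail))   # drop the size first so "6,00" can't be mistaken for a version
        entries.append({
            "name": head,
            "installed": date(year, month, day),
            "size": size_m.group(0) if size_m else None,
            "version": ver_m.group(0) if ver_m else None,
            "status": status,
        })
    return entries


def installed_since(entries, cutoff):
    """Entries installed on or after cutoff, newest first (order kept for equal dates)."""
    return sorted((e for e in entries if e["installed"] >= cutoff),
                  key=lambda e: e["installed"], reverse=True)


def flagged(entries):
    """Entries the user did not mark 'notwendig' (necessary): review/removal candidates."""
    return [e for e in entries if e["status"] != "notwendig"]


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE)
    print(f"{len(inv)} entries parsed")
    print("installed on/after the incident day:")
    for e in installed_since(inv, INCIDENT_DATE):
        print(f"  {e['installed']:%d.%m.%Y}  {e['name']}  ({e['version'] or 'no version'})")
    print("not marked necessary:")
    for e in flagged(inv):
        print(f"  [{e['status']}] {e['name']}")
```

On the sample, the entries dated on or after 10.08.2012 are the cleanup tools the user installed after the incident (Malwarebytes, Spybot) plus the later Flash update, which is exactly the kind of context a helper wants before deciding what to remove.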
#10

Malware-holic

Trojan: Bundespolizei - 100€ Ukash

Uninstall: Adobe Flash Player (all of them).
Adobe - Adobe Flash Player installieren: download the latest version.
Adobe Reader: Adobe - Adobe Reader herunterladen - Alle Versionen; untick the McAfee Security Scan checkbox.

Please also configure Adobe Reader as follows: open Adobe Reader, Edit, Preferences.
General: tick "use only certified plug-ins".
Internet: everything here should be disabled. It is very unsafe to open, download etc. PDFs automatically; it is always better to save them directly, because that is the only way to keep control of what is going on on the PC.
JavaScript: untick "enable JavaScript".
Updater: choose "install automatically".
Apply / OK.

Uninstall: DAEMON Tools, ESN.
Java: Download der kostenlosen Java-Software; download and install the Java JRE.
Uninstall: Spybot. You can safely do without it, it doesn't help anyway.

Open CCleaner, Analyze, Run.
Open OTL, Cleanup; the PC restarts.
Test how it runs.
Uninstall and reinstall your graphics driver.
__________________
- Please forward suspicious mails to us for analysis: markusg.trojaner-board@web.de
Forwarding instructions: http://markusg.trojaner-board.de
For now, please forward mails to markusg.trojaner-board@web.de following the instructions above.
If you would like to support us