| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: merkwürdige Systemstart-Elemente, Bluescreens und mehrWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
04.09.2012, 17:27
| #1 |
| |  merkwürdige Systemstart-Elemente, Bluescreens und mehr Hi, ich habe hier einen HP-Laptop vor mir, der sich - wie mir scheint - einen fiesen Trojaner eingefangen hat. Zum einen gibt es merkwürdige Systemstart-Programme in der MSConfig, zum anderen beeindruckende Fehlermeldungen und immer wieder Bluescreens. Es ist nicht mein eigener PC, daher weiß ich nicht genau womit es anfing, das erste Problem, welches ich sah war diese Fehlermeldung : "Prozedureinsprungpunkt "PK11_UnwrapSymKey" in nss3.dll nicht gefunden ." Daraufhin kam ein Bluescreen. Zu dem Zeitpunkt war ich mit Firefox aktiv. Ich sah mir die MSconfig an und fand einige merkwürdige Einträge : Zum einen : Einen Eintrag ohne Einträge bei "Systemstartelement" und Befehl, nur Pfad (der übliche : HKLM\Software\Windows\CurrentVersion\Run) Außerdem : dumprep 0 -k (Befehl : %systemroot%\system32\dumprep 0 -k ; Pfad wie oben nur ohne HKLM) ...der Rest macht einen gewöhnlichen Eindruck. Wie auch immer, ich ließ defogger laufen - keine Fehlermeldung. Daraufhin OTL, hier das Ergebnis : OTL Logfile: Code:
ATTFilter OTL logfile created on: 04.09.2012 17:40:09 - Run 1 OTL by OldTimer - Version 3.2.60.0 Folder = C:\Dokumente und Einstellungen\HP\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2900.5512) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 990,48 Mb Total Physical Memory | 687,47 Mb Available Physical Memory | 69,41% Memory free 2,33 Gb Paging File | 2,02 Gb Available in Paging File | 86,72% Paging File free Paging file location(s): C:\pagefile.sys 1488 2976 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme Drive C: | 55,88 Gb Total Space | 36,65 Gb Free Space | 65,59% Space Free | Partition Type: NTFS Computer Name: HP-9A1F965626B4 | User Name: HP | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.09.04 15:03:02 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\Desktop\Defogger.exe PRC - [2012.09.04 14:26:20 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\HP\Desktop\OTL.exe PRC - [2012.08.09 14:45:31 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2012.06.06 21:33:42 | 001,564,872 | ---- | M] (Ask) -- C:\Programme\Ask.com\Updater\Updater.exe PRC - [2012.05.08 13:40:27 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.05.08 13:40:26 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.05.08 13:40:26 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2012.03.06 23:55:12 | 000,195,256 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\Anwendungsdaten\DRPSu\DrvUpdater.exe PRC - [2012.01.18 14:02:04 | 000,254,696 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe PRC - [2008.04.14 14:00:00 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007.01.30 00:22:28 | 000,638,976 | ---- | M] (Motorola Inc.) -- C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe ========== Modules (No Company Name) ========== MOD - [2012.09.04 15:03:02 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\Desktop\Defogger.exe MOD - [2012.07.27 22:51:38 | 000,301,056 | ---- | M] () -- C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.DEU MOD - [2012.05.08 13:40:27 | 000,398,288 | ---- | M] () -- C:\Programme\Avira\AntiVir Desktop\sqlite3.dll MOD - [2012.03.06 23:55:12 | 000,195,256 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\Anwendungsdaten\DRPSu\DrvUpdater.exe MOD - [2011.03.02 12:40:51 | 000,140,288 | ---- | M] () -- C:\Programme\WinRAR\RarExt.dll ========== Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ) SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt) SRV - [2012.09.02 20:46:08 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance) SRV - [2012.08.15 10:49:34 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012.05.08 13:40:27 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012.05.08 13:40:26 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME) DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP) DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump) DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc) DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt) DRV - File not found [Kernel | System | Stopped] -- -- (Changer) DRV - [2012.05.08 13:40:27 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb) DRV - [2012.05.08 13:40:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt) DRV - [2011.09.16 16:08:07 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr) DRV - [2010.02.11 09:38:10 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2009.10.08 16:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.03.25 15:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp) DRV - [2008.04.13 23:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) DRV - [2007.01.30 00:26:24 | 000,984,832 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial) DRV - [2006.11.01 09:55:48 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX) DRV - [2006.08.24 00:10:56 | 000,280,192 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camchal.sys -- (CAMCHALA) DRV - [2006.08.24 00:10:56 | 000,034,048 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camcaud.sys -- (CAMCAUD) DRV - [2006.07.02 04:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A} IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=YYYYYYYYDE&apn_uid=40B198C8-545F-409C-9C34-600453C4C5C9&apn_sauid=091026CB-2804-4246-B397-3769BE2F37EA IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.defaultengine: "Ask.com" FF - prefs.js..browser.search.defaultenginename: "Ask.com" FF - prefs.js..browser.search.order.1: "Ask.com" FF - prefs.js..browser.search.selectedEngine: "LEO Eng-Deu" FF - prefs.js..keyword.URL: "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=100000027&locale=de_DE&apn_uid=40B198C8-545F-409C-9C34-600453C4C5C9&apn_ptnrs=U3&apn_sauid=091026CB-2804-4246-B397-3769BE2F37EA&apn_dtid=YYYYYYYYDE&&q=" FF - prefs.js..network.proxy.type: 0 FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Programme\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.) FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Programme\VideoLAN\VLC\npvlc.dll (VideoLAN) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Programme\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Programme\Mozilla Firefox\components [2012.09.02 20:46:10 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2012.04.14 14:07:27 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\HP\Anwendungsdaten\Mozilla\Extensions [2012.07.07 15:07:04 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\HP\Anwendungsdaten\Mozilla\Firefox\Profiles\zdjejwgx.default\extensions [2012.07.07 05:14:16 | 000,002,408 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\Anwendungsdaten\Mozilla\Firefox\Profiles\zdjejwgx.default\searchplugins\askcom.xml [2012.06.30 20:58:37 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions [2012.06.30 20:25:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012.06.30 20:24:59 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAMME\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2012.09.02 20:46:10 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Programme\mozilla firefox\components\browsercomps.dll [2012.06.15 00:46:57 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml [2012.09.02 20:46:01 | 000,002,465 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\bing.xml [2012.06.15 00:46:57 | 000,001,153 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml [2012.06.15 00:46:57 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml [2012.06.15 00:46:57 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml [2012.06.15 00:46:56 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2008.04.14 14:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [ApnUpdater] C:\Programme\Ask.com\Updater\Updater.exe (Ask) O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKLM..\Run: [SMSERIAL] C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.) O4 - HKCU..\Run: [DrvUpdater] C:\Dokumente und Einstellungen\HP\Anwendungsdaten\DRPSu\DrvUpdater.exe () O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33) O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab (Java Plug-in 1.6.0_33) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{648548C2-0F09-4437-842F-005C66909F7E}: DhcpNameServer = 192.168.2.1 O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home O24 - Desktop WallPaper: C:\Dokumente und Einstellungen\HP\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Dokumente und Einstellungen\HP\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2012.04.14 12:21:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\##wd#Download#Treiber#driver pack_11.1\Shell - "" = AutoRun O33 - MountPoints2\##wd#Download#Treiber#driver pack_11.1\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\##wd#Download#Treiber#driver pack_11.1\Shell\AutoRun\command - "" = Z:\setup.exe O33 - MountPoints2\##wd#Download#Treiber#DriverPack_12.3\Shell - "" = AutoRun O33 - MountPoints2\##wd#Download#Treiber#DriverPack_12.3\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\##wd#Download#Treiber#DriverPack_12.3\Shell\AutoRun\command - "" = Z:\DriverPackSolution.exe O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012.09.04 17:38:58 | 000,599,040 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\HP\Desktop\OTL.exe [2012.09.02 20:55:33 | 000,307,200 | ---- | C] (Netscape Communications Corporation) -- C:\WINDOWS\System\nss3.dll [2012.09.02 20:55:28 | 000,307,200 | ---- | C] (Netscape Communications Corporation) -- C:\WINDOWS\System32\nss3.dll [2012.09.02 20:55:06 | 000,307,200 | ---- | C] (Netscape Communications Corporation) -- C:\WINDOWS\nss3.dll [2012.08.14 22:19:50 | 000,000,000 | -HSD | C] -- C:\Config.Msi [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012.09.04 17:46:00 | 000,000,220 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job [2012.09.04 17:41:46 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012.09.04 17:39:35 | 000,000,000 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\defogger_reenable [2012.09.04 17:23:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2012.09.04 15:49:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job [2012.09.04 15:05:20 | 000,302,592 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\Desktop\c54p7l52.exe [2012.09.04 15:03:02 | 000,050,477 | ---- | M] () -- C:\Dokumente und Einstellungen\HP\Desktop\Defogger.exe [2012.09.04 14:26:20 | 000,599,040 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\HP\Desktop\OTL.exe [2012.08.16 10:57:33 | 000,090,296 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2012.08.16 10:33:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2012.09.04 17:39:35 | 000,000,000 | ---- | C] () -- C:\Dokumente und Einstellungen\HP\defogger_reenable [2012.09.04 17:38:58 | 000,302,592 | ---- | C] () -- C:\Dokumente und Einstellungen\HP\Desktop\c54p7l52.exe [2012.09.04 17:38:58 | 000,050,477 | ---- | C] () -- C:\Dokumente und Einstellungen\HP\Desktop\Defogger.exe [2012.05.21 18:25:24 | 000,004,608 | ---- | C] () -- C:\Dokumente und Einstellungen\HP\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012.04.30 20:55:56 | 000,000,724 | ---- | C] () -- C:\WINDOWS\cmatch.ini [2012.04.19 23:33:24 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2012.04.14 13:11:24 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012.04.14 13:08:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2012.04.14 13:07:11 | 000,090,296 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2012.04.14 12:35:25 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll [2012.04.14 12:35:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin [2012.04.14 12:34:16 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat [2012.04.14 12:34:16 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat [2012.04.14 12:34:16 | 000,189,051 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat [2012.04.14 12:24:09 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2012.04.14 12:18:19 | 000,021,740 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat ========== LOP Check ========== [2012.06.30 20:25:40 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ask [2012.09.04 17:46:00 | 000,000,220 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job ========== Purity Check ========== < End of report > die Extras.txt : OTL Logfile: Code:
ATTFilter OTL Extras logfile created on: 04.09.2012 17:40:09 - Run 1
OTL by OldTimer - Version 3.2.60.0 Folder = C:\Dokumente und Einstellungen\HP\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
990,48 Mb Total Physical Memory | 687,47 Mb Available Physical Memory | 69,41% Memory free
2,33 Gb Paging File | 2,02 Gb Available in Paging File | 86,72% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 55,88 Gb Total Space | 36,65 Gb Free Space | 65,59% Space Free | Partition Type: NTFS
Computer Name: HP-9A1F965626B4 | User Name: HP | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Programme\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{608EC4A1-8750-11D5-BDB6-0050BA6A42D1}" = UMAX Astra 4500
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira Free Antivirus
"Conexant PCI Audio" = Conexant AC-Link Audio
"Mozilla Firefox 14.0.1 (x86 de)" = Mozilla Firefox 14.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"VLC media player" = VLC media player 2.0.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR 4.00 (32-Bit)
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{79A765E1-C399-405B-85AF-466F52E918B0}" = Ask Toolbar Updater
"DRPSu Updater" = DriverPack Solution Updater
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 31.08.2012 05:18:04 | Computer Name = HP-9A1F965626B4 | Source = Avira Antivirus | ID = 4104
Description = Die Virendefinitionsdatei konnte nicht gefunden werden! Fehlercode:
0x3
Error - 31.08.2012 15:46:02 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung updatetask.exe, Version 0.0.0.0, fehlgeschlagenes
Modul wintrust.dll, Version 5.131.2600.6198, Fehleradresse 0x00007518.
Error - 01.09.2012 18:07:53 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 14.0.1.4577, fehlgeschlagenes
Modul msvcr100.dll, Version 10.0.30319.1, Fehleradresse 0x0008ae6e.
Error - 01.09.2012 18:08:02 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 14.0.1.4577, fehlgeschlagenes
Modul msvcr100.dll, Version 10.0.30319.1, Fehleradresse 0x0008ae6e.
Error - 01.09.2012 18:08:07 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 14.0.1.4577, fehlgeschlagenes
Modul msvcr100.dll, Version 10.0.30319.1, Fehleradresse 0x0008ae6e.
Error - 01.09.2012 18:08:28 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 14.0.1.4577, fehlgeschlagenes
Modul msvcr100.dll, Version 10.0.30319.1, Fehleradresse 0x0008ae6e.
Error - 01.09.2012 18:09:16 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung , Version 0.0.0.0, fehlgeschlagenes Modul
apphelp.dll, Version 5.1.2600.5512, Fehleradresse 0x00001f11.
Error - 02.09.2012 14:48:15 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 15.0.0.4619, fehlgeschlagenes
Modul msvcr100.dll, Version 10.0.30319.1, Fehleradresse 0x0008ae6e.
Error - 02.09.2012 14:48:41 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung firefox.exe, Version 15.0.0.4619, fehlgeschlagenes
Modul msvcr100.dll, Version 10.0.30319.1, Fehleradresse 0x0008ae6e.
Error - 03.09.2012 14:50:14 | Computer Name = HP-9A1F965626B4 | Source = Application Error | ID = 1000
Description = Fehlgeschlagene Anwendung plugin-container.exe, Version 15.0.0.4619,
fehlgeschlagenes Modul mozalloc.dll, Version 15.0.0.4619, Fehleradresse 0x00001993.
[ System Events ]
Error - 31.08.2012 05:18:04 | Computer Name = HP-9A1F965626B4 | Source = Service Control Manager | ID = 7024
Description = Der Dienst "Avira Echtzeit Scanner" wurde mit folgendem dienstspezifischem
Fehler beendet: 306 (0x132).
Error - 01.09.2012 14:04:35 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode 0000004e, 1. Parameter 00000099, 2. Parameter 0002fcab,
3. Parameter 00000003, 4. Parameter 00000000.
Error - 01.09.2012 14:06:29 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode 0000004e, 1. Parameter 00000099, 2. Parameter 00000000,
3. Parameter 00000000, 4. Parameter 00000000.
Error - 01.09.2012 18:09:17 | Computer Name = HP-9A1F965626B4 | Source = Ntfs | ID = 262199
Description = Die Dateisystemstruktur auf dem Datenträger ist beschädigt und unbrauchbar.
Führen
Sie chkdsk auf Volume "C:" aus.
Error - 01.09.2012 18:12:33 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode c000007b, 1. Parameter e2794cf0, 2. Parameter 00000000,
3. Parameter 00000000, 4. Parameter 00000000.
Error - 02.09.2012 05:51:54 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode 1000000a, 1. Parameter 0000001c, 2. Parameter 00000002,
3. Parameter 00000001, 4. Parameter 80521a61.
Error - 03.09.2012 08:47:49 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode 1000000a, 1. Parameter 00000000, 2. Parameter 00000002,
3. Parameter 00000000, 4. Parameter 8051232d.
Error - 03.09.2012 11:45:23 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode 1000008e, 1. Parameter c0000005, 2. Parameter bf022e88,
3. Parameter f186cf54, 4. Parameter 00000000.
Error - 04.09.2012 08:00:47 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode 1000000a, 1. Parameter 0000001c, 2. Parameter 00000002,
3. Parameter 00000001, 4. Parameter 80521a61.
Error - 04.09.2012 11:24:08 | Computer Name = HP-9A1F965626B4 | Source = System Error | ID = 1003
Description = Fehlercode 1000008e, 1. Parameter c0000005, 2. Parameter 805d52e8,
3. Parameter f1a0dbec, 4. Parameter 00000000.
< End of report >
...und hier ist noch Gmer : GMER Logfile: Code:
ATTFilter GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-09-04 17:59:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC25N060ATMR04-0 rev.MO3OAD5A
Running: c54p7l52.exe; Driver: C:\DOKUME~1\HP\LOKALE~1\Temp\kwpyrfow.sys
---- System - GMER 1.0.15 ----
SSDT F7C05FBC ZwClose
SSDT F7C05F76 ZwCreateKey
SSDT F7C05FC6 ZwCreateSection
SSDT F7C05F6C ZwCreateThread
SSDT F7C05F7B ZwDeleteKey
SSDT F7C05F85 ZwDeleteValueKey
SSDT F7C05FB7 ZwDuplicateObject
SSDT F7C05F8A ZwLoadKey
SSDT F7C05F58 ZwOpenProcess
SSDT F7C05F5D ZwOpenThread
SSDT F7C05FDF ZwQueryValueKey
SSDT F7C05F94 ZwReplaceKey
SSDT F7C05FD0 ZwRequestWaitReplyPort
SSDT F7C05F8F ZwRestoreKey
SSDT F7C05FCB ZwSetContextThread
SSDT F7C05FD5 ZwSetSecurityObject
SSDT F7C05F80 ZwSetValueKey
SSDT F7C05FDA ZwSystemDebugControl
SSDT F7C05F67 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6DFF000, 0x1C5D38, 0xE8000020]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Es wäre schön wenn mir jemand helfen könnte, denn ich weiß nicht womit ich es zu tun habe. Als ich diesen Thread fand (http://www.trojaner-board.de/86823-m...tostart-2.html) , dachte ich schon ich hätte die Antwort und den Mebroot/Sinowal/Tarpig entdeckt - aber sicher bin ich mir nicht. Achso, was mich auf den Sinowal brachte , waren vor allem ein paar Einträge in der Registry, die denen in oben verlinktem Thread sehr ähnlich sind : Name*****Typ*****Wert : ProfileImagePath*****Reg_Expand_SZ*****%SystemDrive%\Dokumente und Einstellungen\LocalService ...und ähnliche in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19 bzw. \S-1-5-18 und \S-1-5-20 und S-1-5-20-[ewige Zahlenkette] Geändert von Marv_86 (04.09.2012 um 17:45 Uhr) |
| Themen zu merkwürdige Systemstart-Elemente, Bluescreens und mehr |
| adobe, antivir, avg, avira, bho, einstellungen, error, fehlercode 0, fehlercode 1, fehlercode 10, fiese, firefox, flash player, format, helper, home, homepage, logfile, mozilla, nss3.dll, plug-in, problem, realtek, registry, rundll, scan, security, sinowal, software, system error, systemstart, trojaner, windows, wintrust.dll |
Baum-Darstellung