Pests of all kinds and their removal: Infection by Adware/InstallCore.E? Serious? (Windows 7)

#1
Infection by Adware/InstallCore.E? Serious?

Hello, some time ago I was worried that my laptop might have been infected with Adware/InstallCore.Gen or Adware/InstallCore.E. After extensive scans under Trojaner-Board's guidance, however, my laptop turned out to be clean (http://www.trojaner-board.de/132250-...lcore-gen.html). Three weeks later, though, Avira again reported an infection by Adware/InstallCore.E. So my question now is whether this could be related to the previous (possible) infection, or whether I need to scan again? I could not notice any effects of a potential infection.

Avira

Unfortunately, earlier on I did not follow the instructions for the OTL scan correctly at first, so I had to scan two more times. But OTL then only created OTL.txt, and no Extra.txt.

Code:
```
OTL logfile created on: 02.06.2013 21:14:18 - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Jonas_2\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,96 Gb Total Physical Memory | 2,22 Gb Available Physical Memory | 74,86% Memory free
6,16 Gb Paging File | 5,45 Gb Available in Paging File | 88,51% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 433,53 Gb Total Space | 341,26 Gb Free Space | 78,72% Space Free | Partition Type: NTFS
Drive D: | 32,23 Gb Total Space | 32,14 Gb Free Space | 99,73% Space Free | Partition Type: NTFS

Computer Name: JONAS-PC | User Name: Jonas | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.06.02 20:12:56 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Jonas_2\Desktop\OTL.exe
PRC - [2013.05.25 11:17:45 | 000,345,312 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2013.04.05 16:04:28 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2013.04.05 16:03:58 | 000,079,584 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe
PRC - [2013.04.05 16:03:52 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2013.02.07 14:31:22 | 001,223,704 | ---- | M] (Secunia) -- C:\Programme\Secunia\PSI\psia.exe
PRC - [2013.02.07 14:31:18 | 000,575,000 | ---- | M] (Secunia) -- C:\Programme\Secunia\PSI\psi_tray.exe
PRC - [2012.08.13 12:08:08 | 010,376,704 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.exe
PRC - [2012.08.13 12:08:08 | 010,368,512 | ---- | M] (OpenOffice.org) -- C:\Programme\OpenOffice.org 3\program\soffice.bin
PRC - [2009.04.11 00:28:04 | 001,233,920 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Sidebar\sidebar.exe
PRC - [2009.04.11 00:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.03.05 19:54:50 | 000,311,296 | ---- | M] () -- C:\Windows\System32\Rezip.exe
PRC - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe

========== Modules (No Company Name) ==========

MOD - [2013.01.28 14:08:56 | 000,087,952 | ---- | M] () -- C:\Programme\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2013.01.28 14:08:28 | 001,242,512 | ---- | M] () -- C:\Programme\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2012.08.10 17:51:32 | 000,985,088 | ---- | M] () -- C:\Programme\OpenOffice.org 3\program\libxml2.dll

========== Services (SafeList) ==========

SRV - [2013.05.25 11:58:12 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013.05.25 11:22:26 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013.04.19 15:14:16 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Programme\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013.04.05 16:04:28 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2013.04.05 16:03:52 | 000,110,816 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2013.02.07 14:31:22 | 001,223,704 | ---- | M] (Secunia) [Auto | Running] -- C:\Programme\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
SRV - [2013.02.07 14:31:20 | 000,660,504 | ---- | M] (Secunia) [Auto | Stopped] -- C:\Programme\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2009.03.05 19:54:50 | 000,311,296 | ---- | M] () [Auto | Running] -- C:\Windows\System32\Rezip.exe -- (Rezip)
SRV - [2008.01.21 04:25:33 | 000,896,512 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Programme\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008.01.21 04:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2013.04.05 16:04:35 | 000,135,136 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2013.04.05 16:04:35 | 000,084,744 | ---- | M] (Avira Operations GmbH & Co. KG) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2013.04.05 16:04:35 | 000,037,352 | ---- | M] (Avira Operations GmbH & Co. KG) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2013.03.07 17:44:17 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2013.02.07 14:15:22 | 000,016,024 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\psi_mf_x86.sys -- (PSI)
DRV - [2009.04.28 18:06:00 | 000,496,640 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8192se.sys -- (rtl8192se)
DRV - [2006.11.30 16:18:18 | 000,027,416 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\x10ufx2.sys -- (XUIF)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = hxxp://www.bing.com/search
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013.05.25 11:58:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013.05.25 11:58:06 | 000,000,000 | ---D | M]

[2013.03.07 17:20:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jonas\AppData\Roaming\mozilla\Extensions
[2013.05.25 11:58:13 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\browser\extensions
[2013.05.25 11:58:13 | 000,000,000 | ---D | M] (Default) -- C:\Programme\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013.02.25 05:55:08 | 000,171,584 | ---- | M] (Tracker Software Products (Canada) Ltd.) -- C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll

O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Jonas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{347D0FE8-3B45-4935-96C1-ACAF5321B4CA}: NameServer = 130.73.108.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013.05.27 20:20:35 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2013.05.27 20:20:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2013.05.27 20:20:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2013.05.27 20:20:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2013.05.25 12:42:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013.05.25 12:40:54 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013.05.25 12:40:53 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013.05.25 12:40:53 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013.05.25 11:58:05 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013.05.25 11:21:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2013.05.25 11:21:09 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2013.05.20 13:21:55 | 000,000,000 | ---D | C] -- C:\Users\Jonas\AppData\Roaming\vlc

========== Files - Modified Within 30 Days ==========

[2013.06.02 21:06:53 | 002,016,726 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.06.02 21:06:53 | 001,010,260 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.06.02 21:06:53 | 000,566,476 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.06.02 21:06:53 | 000,500,286 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.06.02 20:59:53 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013.06.02 20:59:53 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013.06.02 20:59:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.06.02 20:24:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.06.02 20:10:59 | 000,000,000 | ---- | M] () -- C:\Users\Jonas\defogger_reenable
[2013.05.27 20:20:35 | 000,001,880 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2013.05.25 12:42:02 | 000,001,664 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013.05.25 12:34:00 | 000,297,976 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013.05.20 13:22:00 | 000,000,680 | ---- | M] () -- C:\Users\Jonas\AppData\Local\d3d9caps.dat

========== Files Created - No Company Name ==========

[2013.06.02 20:10:59 | 000,000,000 | ---- | C] () -- C:\Users\Jonas\defogger_reenable
[2013.05.27 20:20:35 | 000,001,880 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2013.05.25 12:42:02 | 000,001,664 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013.03.07 01:59:02 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2013.03.07 01:58:40 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2013.03.07 01:58:40 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2013.03.07 01:54:57 | 000,311,296 | ---- | C] () -- C:\Windows\System32\Rezip.exe
[2013.03.07 01:46:41 | 000,000,680 | ---- | C] () -- C:\Users\Jonas\AppData\Local\d3d9caps.dat

========== ZeroAccess Check ==========

[2006.11.02 14:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.08 19:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.04.11 00:28:20 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.04.11 00:28:26 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013.03.07 20:06:15 | 000,000,000 | ---D | M] -- C:\Users\Jonas\AppData\Roaming\OpenOffice.org

========== Purity Check ==========

< End of report >
```

(One time I had "Show all" switched on and once off, because I was not quite sure what "abgehackt" (ticked off) in the instructions was supposed to mean. Tick the box or not?)

"gmer_2.1.19163.exe funktioniert nicht mehr. Das Programm wird auf Grund eines Problems nicht richtig ausgeführt. (...)", i.e. unfortunately I cannot post a log for this one.

Many thanks in advance for your help!
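The OTL log above has a fixed line format, and the first things a helper looks for in it are the markers OTL itself prints: "File not found" entries, binaries with an empty company name (such as Rezip.exe above), and the O4 autorun lines. The following Python triage parser is an added example, not part of the post or of OTL; the sample lines it runs on are copied from the log above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# PRC/SRV/DRV/MOD lines: "[date time | size | attrs | M] (Company) [Start | State] -- path -- (Name)"
# or, when the file is missing: "DRV - File not found [Start | State] -- path -- (Name)".
ENTRY_RE = re.compile(
    r'^(?P<kind>PRC|SRV|DRV|MOD) - '
    r'(?:\[(?P<stamp>[^\]]+)\] \((?P<company>[^)]*)\)|(?P<missing>File not found))'
    r'(?: \[(?P<state>[^\]]+)\])? -- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\))?$')
# O4 autoruns: "O4 - HKLM..\Run: [Name] path (Company)" or "O4 - Startup: path (Company)".
AUTORUN_RE = re.compile(
    r'^O4 - (?P<key>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<path>.+?) \((?P<company>[^)]*)\)$')

@dataclass
class Entry:
    kind: str
    path: str
    company: Optional[str]      # None when OTL reported "File not found"
    size: Optional[int]         # bytes from the bracketed header, None for O4 lines
    flags: List[str] = field(default_factory=list)

def parse_size(stamp: str) -> int:
    """stamp looks like '2013.04.05 16:04:28 | 000,086,752 | ---- | M'."""
    return int(stamp.split(' | ')[1].replace(',', ''))

def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL line; lines this parser does not handle give None."""
    m = ENTRY_RE.match(line)
    if m:
        if m.group('missing'):
            return Entry(m.group('kind'), m.group('path'), None, None, ['file not found'])
        company = m.group('company')
        return Entry(m.group('kind'), m.group('path'), company,
                     parse_size(m.group('stamp')), [] if company else ['no company name'])
    m = AUTORUN_RE.match(line)
    if m:
        company = m.group('company')
        return Entry('O4', m.group('path'), company, None,
                     ['autorun'] + ([] if company else ['no company name']))
    return None

def triage(log: str) -> List[Entry]:
    """Every parsed entry that carries at least one flag, in log order."""
    parsed = (parse_line(line.strip()) for line in log.splitlines())
    return [e for e in parsed if e is not None and e.flags]

# Sample lines copied from the OTL log in the post above.
SAMPLE_LOG = r"""
PRC - [2013.04.05 16:04:28 | 000,086,752 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.03.05 19:54:50 | 000,311,296 | ---- | M] () -- C:\Windows\System32\Rezip.exe
SRV - [2009.03.05 19:54:50 | 000,311,296 | ---- | M] () [Auto | Running] -- C:\Windows\System32\Rezip.exe -- (Rezip)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - Startup: C:\Users\Jonas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe ()
"""
FLAGGED = triage(SAMPLE_LOG)   # the signed Avira line drops out; five entries remain
```

Flags are only a reading aid: an empty company name means the binary carries no version resource, not that it is malicious, so a flagged path is something to look up, not something to delete.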