Log analysis and evaluation: Trojan infection

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
18.05.2008, 14:48 | #1
Hi, I have had big problems with my computer for 2 days. It started with pop-ups suddenly appearing that you can hardly close. Then a message came up that Explorer no longer works, and all at once the taskbar was gone and was restarted. I also could no longer reach all websites with Firefox. I ran my programs and they did find something, but it was removed. Today, after an AntiVir update, I ran it again and then an infection was found in /desktop/main.exe. Here is the HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:23 PM, on 5/18/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Windows\ehome\ehmsas.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\ICQ6\ICQ.exe
C:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = eumex.ip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Prime95] C:\Users\Thorsten\Desktop\p95v256\prime95.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Thorsten\AppData\Local\Temp\awtqnKaA.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Thorsten\AppData\Local\Temp\ssqOHaAQ.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [903d2e69] rundll32.exe "C:\Users\Thorsten\AppData\Local\Temp\yfstrtnq.dll",b
O4 - HKCU\..\Run: [BM930e1df5] Rundll32.exe "C:\Users\Thorsten\AppData\Local\Temp\icypoexa.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-225791728-3466124871-4208583414-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'roenilein')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: Öffnen mit WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: Gnuf Casino - {8FE9B27A-BDCD-4d27-A430-4DC0B58D01B0} - C:\Gnuf\Casino\casinogame.exe
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: Gnuf Poker - {A99C8F70-4D5B-482c-8854-05BC0BB8B182} - C:\Gnuf\Poker\MPPoker.exe
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Programs\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 15021 bytes

Help would be great, I'm a noob when it comes to this kind of thing. I also have the AntiVir and ComboFix logs if anyone needs them.
18.05.2008, 15:01 | #2
Administrator > Competence Manager

Hello noeschi, and have the files checked online:
Code:
ComboFix
19.05.2008, 10:21 | #3
Code:
Datei ssqOHaAQ.dll empfangen 2008.05.19 11:11:22 (CET)
Ergebnis: 7/32 (21.88%)

Antivirus          Version         letzte aktualisierung  Ergebnis
AhnLab-V3          2008.5.16.0     2008.05.19   -
AntiVir            7.8.0.19        2008.05.18   ADSPY/Virtumonde.ryu
Authentium         5.1.0.4         2008.05.18   -
Avast              4.8.1195.0      2008.05.18   -
AVG                7.5.0.516       2008.05.18   -
BitDefender        7.2             2008.05.19   -
CAT-QuickHeal      9.50            2008.05.17   -
ClamAV             0.92.1          2008.05.19   -
DrWeb              4.44.0.09170    2008.05.19   -
eSafe              7.0.15.0        2008.05.18   -
eTrust-Vet         31.4.5796       2008.05.16   -
Ewido              4.0             2008.05.18   -
F-Prot             4.4.2.54        2008.05.16   -
F-Secure           6.70.13260.0    2008.05.19   Vundo.gen179
Fortinet           3.14.0.0        2008.05.19   -
GData              2.0.7306.1023   2008.05.19   -
Ikarus             T3.1.1.26.0     2008.05.19   Trojan.Win32.Vundo.H
Kaspersky          7.0.0.125       2008.05.19   -
McAfee             5297            2008.05.17   -
Microsoft          1.3408          2008.05.13   -
NOD32v2            3107            2008.05.18   -
Norman             5.80.02         2008.05.16   Vundo.gen179
Panda              9.0.0.4         2008.05.18   -
Prevx1             V2              2008.05.19   Cloaked Malware
Rising             20.45.01.00     2008.05.19   -
Sophos             4.29.0          2008.05.19   Troj/Virtum-Gen
Sunbelt            3.0.1123.1      2008.05.17   -
Symantec           10              2008.05.19   -
TheHacker          6.2.92.313      2008.05.19   -
VBA32              3.12.6.6        2008.05.18   -
VirusBuster        4.3.26:9        2008.05.18   -
Webwasher-Gateway  6.6.2           2008.05.19   Ad-Spyware.Virtumonde.ryu

weitere Informationen
File size: 370176 bytes
MD5...: 7dd22f1e84becde43159034a06d2495d
SHA1..: 8b90a5cce76e5db51cfe2b2c52a16c415c831dab
SHA256: 89dd463d108aa4477eb31dc0dfbe526053cc6bab839acc133e3855fd7e947c3f
SHA512: b76443ffa35eff7ccd4d2d7230c2a576496d2d7da3bb22fd14b4d589b3317672946d45da1e88e0f45435d52f44a11fec4494d33411b2c9b59baf7d51f0b3c6d8
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000105d
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x84e8   0x8600   7.23   bf5ea1fd5f777a486e6793266d904c16
.rdata  0xa000   0x35981  0x35a00  8.00   c20f1997fe765ee573c2603bad51507b
.data   0x40000  0x5d556  0x1c200  7.99   6b874e54600dcfe3740c98e21a790b72
( 2 imports )
> user32.dll: DrawCaption, DialogBoxParamA, DestroyMenu, DestroyCursor, DestroyCaret, DeleteMenu, CreateIconFromResourceEx, CreateIcon, CreateDesktopW, CreateDesktopA, CopyRect, CloseWindow, CharUpperBuffA, CharToOemA, CharPrevA, CharLowerA
> kernel32.dll: EnumResourceTypesA, lstrlenA, lstrcmpA, lstrcatA, WriteFile, UnmapViewOfFile, TlsGetValue, SleepEx, RtlUnwind, ReadFile, OpenFile, LoadLibraryA, GetVersion, GetSystemTimeAsFileTime, GetSystemTime, GetPrivateProfileStringA, GetLastError, CloseHandle, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceNamesA, FlushFileBuffers, FreeResource, GetCommandLineA
( 0 exports )
Prevx info: 38580238.DLL - Prevx

The other .dll file isn't here; it may be that AntiVir already put it in quarantine yesterday.

Code:
Datei casinogame.exe empfangen 2008.05.19 11:19:54 (CET)
Ergebnis: 1/32 (3.13%)

Antivirus          Version         letzte aktualisierung  Ergebnis
AhnLab-V3          2008.5.16.0     2008.05.18   -
AntiVir            7.8.0.19        2008.05.18   -
Authentium         5.1.0.4         2008.05.18   -
Avast              4.8.1195.0      2008.05.18   -
AVG                7.5.0.516       2008.05.18   -
BitDefender        7.2             2008.05.19   -
CAT-QuickHeal      9.50            2008.05.17   -
ClamAV             0.92.1          2008.05.19   -
DrWeb              4.44.0.09170    2008.05.19   -
eSafe              7.0.15.0        2008.05.18   -
eTrust-Vet         31.4.5796       2008.05.16   -
Ewido              4.0             2008.05.18   -
F-Prot             4.4.2.54        2008.05.16   -
F-Secure           6.70.13260.0    2008.05.18   -
Fortinet           3.14.0.0        2008.05.19   -
GData              2.0.7306.1023   2008.05.19   -
Ikarus             T3.1.1.26.0     2008.05.19   -
Kaspersky          7.0.0.125       2008.05.19   -
McAfee             5297            2008.05.17   -
Microsoft          1.3408          2008.05.13   -
NOD32v2            3107            2008.05.18   -
Norman             5.80.02         2008.05.16   -
Panda              9.0.0.4         2008.05.18   -
Prevx1             V2              2008.05.19   Malicious Software
Rising             20.45.01.00     2008.05.19   -
Sophos             4.29.0          2008.05.19   -
Sunbelt            3.0.1123.1      2008.05.17   -
Symantec           10              2008.05.18   -
TheHacker          6.2.92.313      2008.05.19   -
VBA32              3.12.6.6        2008.05.18   -
VirusBuster        4.3.26:9        2008.05.18   -
Webwasher-Gateway  6.6.2           2008.05.19   -

weitere Informationen
File size: 11536 bytes
MD5...: a5546371dd5632da954ac5f33db80c11
SHA1..: 55a5f58cd929407da4b96ae39d80b630d4f5f3a9
SHA256: eb0bf15c4439d0dd2b58230e67745ba2dd1f63d28a4df27fc39f22aa5b63bac1
SHA512: 954a96928f540b944dc7ac81f893a0f4558d028c433742ba1c6651cf7144024f770de35a967861122930423bd57aa7f8d3c9d87ae6e2e9644f2d3004e19e542e
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401971
timedatestamp.....: 0x449168fe (Thu Jun 15 14:04:46 2006)
machinetype.......: 0x14c (I386)
( 4 sections )
name    viradd  virsiz  rawdsiz  ntrpy  md5
.text   0x1000  0xaa5   0xc00    5.98   d812b55d7597ae0220c753bc905030bf
.rdata  0x2000  0x3a0   0x400    4.40   4321dd0dab9c226c23fa9450f2a39440
.data   0x3000  0x10c   0x200    2.07   48bc20ba7586c9008bf6e0488961bd6e
.rsrc   0x4000  0x1570  0x1600   4.83   26dde59f7c9256f2bb56c4396ee72453
( 2 imports )
> KERNEL32.dll: SetErrorMode, GetProcAddress, LoadLibraryA, CreateFileA, ExitProcess, GetModuleHandleA, FreeLibrary, GetCommandLineA, lstrlenA, lstrcpynA, WaitForSingleObject, Sleep, GetPrivateProfileIntA, WritePrivateProfileStringA, HeapFree, GetProcessHeap, HeapAlloc, DeleteFileA, CloseHandle, GetPrivateProfileStringA, FindClose, FindFirstFileA, FindNextFileA, CopyFileA, GetCurrentProcessId, OpenProcess, CreateProcessA, GetModuleFileNameA
> USER32.dll: wsprintfA
( 0 exports )
Prevx info: CASINOGAME.EXE - Prevx

ComboFix log:

Code:
ComboFix 08-05-15.3 - Thorsten 05/19/2008 11:24:44.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.49.1031.18.505 [GMT 2:00]
ausgeführt von:: C:\Users\Thorsten\Desktop\ComboFix.exe
.
((((((((((((((((((((((( Dateien erstellt von 2008-04-19 bis 2008-05-19 ))))))))))))))))))))))))))))))
.
Keine neuen Dateien erstellt in diesem Zeitraum
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 08:56 --------- d-----w C:\Users\Thorsten\AppData\Roaming\Skype
2008-05-19 08:55 --------- d-----w C:\Users\Thorsten\AppData\Roaming\skypePM
2008-05-19 08:18 --------- d---a-w C:\ProgramData\TEMP
2008-05-19 08:18 --------- d-----w C:\Program Files\Poker Tracker V2
2008-05-19 01:38 --------- d-----w C:\Program Files\PokerStars
2008-05-18 18:11 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-18 12:23 --------- d-----w C:\ProgramData\Google Updater
2008-05-18 10:51 --------- d-----w C:\Program Files\Trend Micro
2008-05-17 12:40 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-17 12:16 --------- d-----w C:\ProgramData\Avira
2008-05-17 12:16 --------- d-----w C:\Program Files\Avira
2008-05-17 12:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-15 14:15 --------- d-----w C:\Users\Thorsten\AppData\Roaming\Azureus
2008-05-13 12:38 --------- d-----w C:\ProgramData\TechSmith
2008-05-13 12:38 --------- d-----w C:\Program Files\TechSmith
2008-05-01 15:05 --------- d-----w C:\Program Files\PokerEV
2008-04-27 23:07 --------- d-----w C:\Program Files\Celeb Poker
2008-04-21 09:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 09:22 --------- d-----w C:\Program Files\Canada Life
2008-04-17 20:03 --------- d-----w C:\Program Files\ICQ6
2008-04-17 16:36 --------- d-----w C:\Program Files\CamStudio
2008-04-10 17:37 --------- d-----w C:\Program Files\ICQToolbar
2008-04-08 21:28 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-08 21:28 32 ----a-w C:\ProgramData\ezsid.dat
2008-04-08 21:27 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-08 14:11 --------- d-----w C:\Program Files\Google
2008-04-05 13:21 --------- d-----w C:\Program Files\Windows Mail
2008-03-29 14:55 --------- d-----w C:\Users\Thorsten\AppData\Roaming\TeamViewer
2008-03-29 14:15 --------- d-----w C:\Program Files\TeamViewer3
2008-03-19 23:57 --------- d-----w C:\Program Files\Xilisoft
2008-02-21 02:05 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-02-21 02:05 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-02-21 02:05 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-02-21 02:04 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-02-21 02:04 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-02-21 02:03 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-02-21 02:03 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-01-17 16:01 142 ---ha-w C:\Users\Thorsten\hpothb07.dat
2007-08-31 09:29 174 --sha-w C:\Program Files\desktop.ini
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((( snapshot@Sun 05-18-2008_13.16.47.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 09:03:34 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-19 06:04:51 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-18 09:03:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-19 06:04:53 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-18 09:03:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-19 06:04:53 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-18 09:43:34 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-05-19 06:32:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-05-18 09:06:33 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-05-19 06:08:13 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-05-18 11:11:19 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-19 09:17:37 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-18 11:11:19 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-19 09:17:37 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-18 11:11:19 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-19 09:17:37 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-17 09:13:47 11,274 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-225791728-3466124871-4208583414-1000_UserData.bin
+ 2008-05-19 06:09:01 11,486 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-225791728-3466124871-4208583414-1000_UserData.bin
- 2008-05-18 09:07:36 68,686 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-19 06:09:01 68,936 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-18 09:07:28 41,394 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-19 06:08:23 41,562 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/10/2008 12:24 PM 1232896]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 05:30 PM 249856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 02:35 PM 125440]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM 2321600]
"Prime95"="C:\Users\Thorsten\Desktop\p95v256\prime95.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 02:36 PM 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM 2097488]
"BM930e1df5"="C:\Users\Thorsten\AppData\Local\Temp\djhxypma.dll" [05/19/2008 08:08 AM 124928]
"cmds"="C:\Users\Thorsten\AppData\Local\Temp\ssqOHaAQ.dll" [05/15/2008 04:20 PM 370176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [06/16/2007 07:12 PM 1006264]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/05/2006 11:21 AM 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/05/2006 11:21 AM 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/05/2006 11:21 AM 81920]
"RtHDVCpl"="RtHDVCpl.exe" [12/29/2006 12:11 PM 4317184 C:\Windows\RtHDVCpl.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 10:59 PM 115816]
"osCheck"="c:\Program Files\Norton Internet Security\osCheck.exe" [10/27/2006 02:18 AM 22696]
"ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 05:30 PM 81920]
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [12/01/2005 01:45 AM 77892]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [11/16/2005 07:08 PM 106496]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 10:22 AM 517768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM 39792]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/28/2007 09:14 AM 270648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/04/2007 10:46 AM 180269]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [11/02/2006 02:35 PM 176128]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM 262401]

C:\Users\Thorsten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [8/10/2007 8:57:47 PM 106496]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/8/2008 4:09:58 PM 124400]
hp officejet 4100 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe [4/6/2003 1:17:50 AM 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 1:06:58 AM 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B09914B1-3ABE-4D57-83F3-3AE5ACA4313A}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D0C75265-3C3B-48D1-99F7-345A8FC3F5FD}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{521A2A76-7BBD-4D8D-9ECE-E84FCC1F9DAA}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{BC2AF6DD-FF4E-49A8-A357-D50FBEC6002F}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7CBCA140-78C4-44E7-9C6B-D1424A5A3CF0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{18B52217-2A0F-49C0-A096-F64BBF9A1730}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"058daeda-31fa-4646-b98f-674de70005e4"= UDP:52525|RPort=52525:azu4
"995374c1-82a6-4338-a876-1e79aa354bb4"= TCP:52525|RPort=52525:azu5
"{98DA7DE1-FEB9-4617-9288-99BAF9D45529}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{B93C47C6-70E0-4D30-AE40-DE9807DA1F2A}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 videX32;videX32;C:\Windows\system32\DRIVERS\videX32.sys [10/17/2006 09:22 PM]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\Windows\system32\DRIVERS\xfilt.sys [10/18/2006 06:39 PM]
R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [08/11/2006 11:35 AM]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070724.001\IDSvix86.sys [06/07/2007 10:24 AM]
R2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [01/10/2007 11:45 AM]
R2 pgsql-8.2;PostgreSQL Database Server 8.2;"C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -N "pgsql-8.2" -D "C:\Program Files\PostgreSQL\8.2\data\" []
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [01/28/2008 11:43 AM]
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []
R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler;C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [11/14/2006 05:07 PM]
R3 AVMUNET;Eumex 300 IP;C:\Windows\system32\DRIVERS\avmunet.sys [03/02/2005 02:00 AM]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\Windows\system32\DRIVERS\fetnd5bv.sys [12/20/2006 04:00 PM]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [10/24/2006 03:40 PM]
S0 AFS;AFS;C:\Windows\system32\drivers\AFS.sys [06/28/2007 09:52 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5a268ea-69ac-11dc-8bf8-0019db5378b9}]
\shell\AutoRun\command - L:\preinst.exe

*Newly Created Service* - COMHOST
.
Inhalt des "geplante Tasks" Ordners
"2008-05-16 18:00:25 C:\Windows\Tasks\Norton Internet Security - Vollständige Systemprüfung ausführen - Thorsten.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2008-05-18 14:34:16 C:\Windows\Tasks\User_Feed_Synchronization-{964A9683-7E2A-4CC8-83EB-2E9A939DB783}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 11:29:39
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Thorsten\AppData\Local\Temp\sljfpixg.dll
-> C:\Users\Thorsten\AppData\Local\Temp\djhxypma.dll
-> C:\Users\Thorsten\AppData\Local\Temp\ssqOHaAQ.dll
.
Zeit der Fertigstellung: 05/19/2008 11:31:48
ComboFix-quarantined-files.txt 2008-05-19 09:30:41
ComboFix2.txt 2008-05-18 11:18:13

Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
205 --- E O F --- 2008-04-05 13:20:06 Last edited by noeschi (19.05.2008 at 10:35) |
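The ComboFix output in this post contains the entries a helper acts on in the reply further down: three DLLs loaded into Explorer.exe from the user's Temp folder, Security Center notifications and monitoring switched off, the Windows Firewall disabled on every profile, an AutoRun handler on a mount point and a newly created service. The script below is an added example for this thread, not ComboFix's own code and not posted by anyone in it; it parses a constructed log excerpt (SAMPLE_LOG, modelled on the output above, with one made-up benign shell32.dll line as a control) and flags exactly those classes of entries so they can be reviewed before a fix script is written.

```python
"""Flag the findings a helper reads out of a ComboFix log.

Added example for this thread, not ComboFix's own code. SAMPLE_LOG is a
constructed excerpt modelled on the log posted above; the key and value
names are those ComboFix prints, the shell32.dll line is a made-up benign control.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/10/2008 12:24 PM 1232896]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5a268ea-69ac-11dc-8bf8-0019db5378b9}]
\shell\AutoRun\command - L:\preinst.exe
*Newly Created Service* - COMHOST
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Thorsten\AppData\Local\Temp\sljfpixg.dll
-> C:\Users\Thorsten\AppData\Local\Temp\djhxypma.dll
-> C:\Windows\system32\shell32.dll
.
Zeit der Fertigstellung: 05/19/2008 11:31:48
"""


@dataclass(frozen=True)
class Finding:
    category: str  # short machine-readable tag
    detail: str    # what exactly was seen


# '"Name"=data' lines in the REGEDIT4-style autostart section
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# any path component named Temp, e.g. ...\AppData\Local\Temp\x.dll
TEMP_DIR_RE = re.compile(r'\\Temp\\', re.IGNORECASE)


def parse_reg_value(text):
    """Integer value of ComboFix's data formats ('dword:00000001', ' 0 (0x0)'), else None."""
    m = re.search(r'dword:([0-9a-fA-F]{1,8})', text)
    if m:
        return int(m.group(1), 16)
    m = re.search(r'\(0x([0-9a-fA-F]+)\)', text)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'(\d+)\b', text.strip())
    return int(m.group(1)) if m else None


def analyse_combofix_log(log_text):
    """Walk the log line by line and return the entries worth a second look."""
    findings = []
    current_key = ""       # registry key of the section we are in
    current_process = ""   # process named by the last PROCESS: line
    in_dll_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "DLLs Loaded Under Running Processes" in line:
            in_dll_section = True
            continue
        if in_dll_section:
            if line.startswith("PROCESS:"):
                current_process = line.split(":", 1)[1].strip()
            elif line.startswith("->"):
                dll = line[2:].strip()
                if TEMP_DIR_RE.search(dll):
                    findings.append(Finding("dll_from_temp", f"{current_process} loads {dll}"))
            elif line == ".":          # ComboFix ends a section with a lone dot
                in_dll_section = False
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if line.startswith("*Newly Created Service*"):
            findings.append(Finding("new_service", line.split("-", 1)[1].strip()))
            continue
        if line.lower().startswith("\\shell\\autorun\\command"):
            target = line.split("-", 1)[1].strip()
            findings.append(Finding("autorun_handler", f"{current_key}: {target}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), parse_reg_value(m.group("value"))
        leaf = current_key.rsplit("\\", 1)[-1]
        in_security_center = "security center" in current_key.lower()
        if name == "EnableFirewall" and value == 0:
            findings.append(Finding("firewall_disabled", leaf))
        elif in_security_center and name == "DisableMonitoring" and value == 1:
            findings.append(Finding("security_center_monitoring_off", leaf))
        elif in_security_center and name.endswith("DisableNotify") and value == 1:
            findings.append(Finding("security_center_notify_off", name))
    return findings


if __name__ == "__main__":
    for f in analyse_combofix_log(SAMPLE_LOG):
        print(f"{f.category:32} {f.detail}")
```

Run against the real log text the order of sections does not matter, only that registry sections start with a bracketed key and the DLL section with its dashed header; anything the script does not recognise is skipped, so it is a triage aid for a reviewer, not a verdict on its own.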
20.05.2008, 00:39 | #4 |
| Trojan infection Bump, is there nobody who can help? |
20.05.2008, 16:23 | #5 |
Administrator > Competence Manager | Trojan infection Scripting with ComboFix
Code:
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM930e1df5"=-
"cmds"=-

FILE::
C:\Users\Thorsten\AppData\Local\Temp\sljfpixg.dll
C:\Users\Thorsten\AppData\Local\Temp\djhxypma.dll
C:\Users\Thorsten\AppData\Local\Temp\ssqOHaAQ.dll
Note: The script above was written only for this one user in this one situation. It cannot be carried over to any other computer and must not be used elsewhere, because it can cause lasting damage to the system.
Malwarebytes' Anti-Malware
__________________ Requests by e-mail, profile or private message are ignored! Help is given ONLY in the forum! Stulti est se ipsum sapientem putare. |
23.05.2008, 14:39 | #6 |
| Trojan infection So, ComboFix ran through, but it did not create a log at the end. I ran the other program and it found something more, which was removed. What now? |
23.05.2008, 14:46 | #7 |
Administrator > Competence Manager | Trojan infection It has all been a few days now, so I would advise you to do a fresh scan with ComboFix, but download combofix.exe completely fresh! Here are the instructions again: ComboFix: a guide and tutorial on using ComboFix
ComboFix may only be run when a Competence Manager has explicitly recommended it! Note: ComboFix disables the autostart function of all CD/DVD and USB drives in order to contain spreading. If this causes problems, post them in the thread.
__________________ Requests by e-mail, profile or private message are ignored! Help is given ONLY in the forum! Stulti est se ipsum sapientem putare. |
23.05.2008, 15:42 | #8 |
| Trojan infection ComboFix 08-05-15.3 - Thorsten 05/23/2008 16:34:40.4 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.49.1031.18.461 [GMT 2:00] ausgeführt von:: C:\Users\Thorsten\Desktop\ComboFix.exe . ((((((((((((((((((((((( Dateien erstellt von 2008-04-23 bis 2008-05-23 )))))))))))))))))))))))))))))) . Keine neuen Dateien erstellt in diesem Zeitraum . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-23 14:27 --------- d-----w C:\Program Files\CCleaner 2008-05-23 11:23 --------- d-----w C:\Users\Thorsten\AppData\Roaming\Malwarebytes 2008-05-23 11:22 --------- d-----w C:\ProgramData\Malwarebytes 2008-05-23 11:22 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-05-23 10:59 --------- d---a-w C:\ProgramData\TEMP 2008-05-23 10:59 --------- d-----w C:\Program Files\Poker Tracker V2 2008-05-23 09:16 --------- d-----w C:\Program Files\PokerStars 2008-05-23 08:52 --------- d-----w C:\ProgramData\Google Updater 2008-05-22 18:39 --------- d-----w C:\Program Files\PokerEV 2008-05-22 17:39 --------- d-----w C:\Program Files\AutoHotkey 2008-05-22 17:10 --------- d-----w C:\Users\Thorsten\AppData\Roaming\Skype 2008-05-22 14:09 --------- d-----w C:\Users\Thorsten\AppData\Roaming\skypePM 2008-05-21 20:54 --------- d-----w C:\Program Files\Full Tilt Poker 2008-05-21 16:40 --------- d-----w C:\ProgramData\Spybot - Search & Destroy 2008-05-18 10:51 --------- d-----w C:\Program Files\Trend Micro 2008-05-17 12:16 --------- d-----w C:\ProgramData\Avira 2008-05-17 12:16 --------- d-----w C:\Program Files\Avira 2008-05-17 12:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-05-15 14:15 --------- d-----w C:\Users\Thorsten\AppData\Roaming\Azureus 2008-05-13 12:38 --------- d-----w C:\ProgramData\TechSmith 2008-05-13 12:38 --------- d-----w C:\Program Files\TechSmith 2008-05-05 18:46 27,048 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys 2008-05-05 18:46 15,864 
----a-w C:\Windows\system32\drivers\mbam.sys 2008-04-27 23:07 --------- d-----w C:\Program Files\Celeb Poker 2008-04-21 09:22 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-21 09:22 --------- d-----w C:\Program Files\Canada Life 2008-04-17 20:03 --------- d-----w C:\Program Files\ICQ6 2008-04-17 16:36 --------- d-----w C:\Program Files\CamStudio 2008-04-10 17:37 --------- d-----w C:\Program Files\ICQToolbar 2008-04-08 21:28 32 ----a-w C:\Users\All Users\ezsid.dat 2008-04-08 21:28 32 ----a-w C:\ProgramData\ezsid.dat 2008-04-08 21:27 --------- d-----w C:\Program Files\Common Files\Skype 2008-04-08 14:11 --------- d-----w C:\Program Files\Google 2008-04-05 13:21 --------- d-----w C:\Program Files\Windows Mail 2008-03-29 14:55 --------- d-----w C:\Users\Thorsten\AppData\Roaming\TeamViewer 2008-03-29 14:15 --------- d-----w C:\Program Files\TeamViewer3 2008-01-17 16:01 142 ---ha-w C:\Users\Thorsten\hpothb07.dat 2007-08-31 09:29 174 --sha-w C:\Program Files\desktop.ini . ------- Sigcheck ------- . ((((((((((((((((((((((((((((( snapshot_Fri 05-23-2008_15.49.49.47 ))))))))))))))))))))))))))))))))))))))))) . 
- 2008-05-23 13:20:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2008-05-23 14:28:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2008-05-23 13:20:09 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2008-05-23 14:28:03 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2008-05-23 13:20:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2008-05-23 14:28:03 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat . (((((((((((((((((((((((((((( Autostart Punkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt. 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/10/2008 12:24 PM 1232896] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [08/11/2005 05:30 PM 249856] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 02:35 PM 125440] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM 2321600] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM 2097488] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 02:36 PM 201728] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [06/16/2007 07:12 PM 1006264] "NvSvc"="C:\Windows\system32\nvsvc.dll" [12/05/2006 11:21 AM 90191] "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/05/2006 11:21 AM 7766016] "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/05/2006 11:21 AM 81920] "RtHDVCpl"="RtHDVCpl.exe" [12/29/2006 12:11 PM 4317184 C:\Windows\RtHDVCpl.exe] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 10:59 PM 115816] "osCheck"="c:\Program Files\Norton Internet Security\osCheck.exe" [10/27/2006 02:18 AM 22696] "ISUSScheduler"="c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 05:30 PM 81920] "QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [12/01/2005 01:45 AM 77892] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [11/16/2005 07:08 PM 106496] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 10:22 AM 517768] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM 282624] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 
PM 39792] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/28/2007 09:14 AM 270648] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM 132496] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/04/2007 10:46 AM 180269] "WPCUMI"="C:\Windows\system32\WpcUmi.exe" [11/02/2006 02:35 PM 176128] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM 262401] C:\Users\Thorsten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [8/10/2007 8:57:47 PM 106496] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/8/2008 4:09:58 PM 124400] hp officejet 4100 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe [4/6/2003 1:17:50 AM 147456] hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/6/2003 1:06:58 AM 28672] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "LogonHoursAction"= 2 (0x2) "DontDisplayLogonHoursWarnings"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UacDisableNotify"=dword:00000001 "InternetSettingsDisableNotify"=dword:00000001 "AutoUpdateDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile] "EnableFirewall"= 0 (0x0) "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{B09914B1-3ABE-4D57-83F3-3AE5ACA4313A}"= 
UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger "{D0C75265-3C3B-48D1-99F7-345A8FC3F5FD}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger "{521A2A76-7BBD-4D8D-9ECE-E84FCC1F9DAA}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server "{BC2AF6DD-FF4E-49A8-A357-D50FBEC6002F}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server "{7CBCA140-78C4-44E7-9C6B-D1424A5A3CF0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes "{18B52217-2A0F-49C0-A096-F64BBF9A1730}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes "058daeda-31fa-4646-b98f-674de70005e4"= UDP:52525|RPort=52525:azu4 "995374c1-82a6-4338-a876-1e79aa354bb4"= TCP:52525|RPort=52525:azu5 "{98DA7DE1-FEB9-4617-9288-99BAF9D45529}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype "{B93C47C6-70E0-4D30-AE40-DE9807DA1F2A}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System] "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic| [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile] "EnableFirewall"= 0 (0x0) R0 videX32;videX32;C:\Windows\system32\DRIVERS\videX32.sys [10/17/2006 09:22 PM] R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\Windows\system32\DRIVERS\xfilt.sys [10/18/2006 06:39 PM] R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [08/11/2006 11:35 AM] R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070724.001\IDSvix86.sys [06/07/2007 10:24 AM] R2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [01/10/2007 11:45 AM] R2 pgsql-8.2;PostgreSQL Database Server 8.2;"C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -N "pgsql-8.2" -D "C:\Program 
Files\PostgreSQL\8.2\data\" [] R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [01/28/2008 11:43 AM] R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service [] R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler;C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [11/14/2006 05:07 PM] R3 AVMUNET;Eumex 300 IP;C:\Windows\system32\DRIVERS\avmunet.sys [03/02/2005 02:00 AM] R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\Windows\system32\DRIVERS\fetnd5bv.sys [12/20/2006 04:00 PM] R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [10/24/2006 03:40 PM] S0 AFS;AFS;C:\Windows\system32\drivers\AFS.sys [06/28/2007 09:52 AM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5a268ea-69ac-11dc-8bf8-0019db5378b9}] \shell\AutoRun\command - L:\preinst.exe *Newly Created Service* - COMHOST . Inhalt des "geplante Tasks" Ordners "2008-05-16 18:00:25 C:\Windows\Tasks\Norton Internet Security - Vollständige Systemprüfung ausführen - Thorsten.job" - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe "2008-05-22 17:55:11 C:\Windows\Tasks\User_Feed_Synchronization-{964A9683-7E2A-4CC8-83EB-2E9A939DB783}.job" - C:\Windows\system32\msfeedssync.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-23 16:38:53 Windows 6.0.6000 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostart Einträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . 
Zeit der Fertigstellung: 05/23/2008 16:40:43 ComboFix-quarantined-files.txt 2008-05-23 14:39:57 ComboFix2.txt 2008-05-23 13:51:22 ComboFix3.txt 2008-05-19 09:31:51 ComboFix4.txt 2008-05-18 11:18:13 Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden. Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden. 171 --- E O F --- 2008-04-05 13:20:06 So, everything from before has been done |
26.05.2008, 11:23 | #9 |
| Trojan infection Bump, can someone take another look at this? |