Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung
Ebenfalls IE-Popups, Trojanermeldungen

Ebenfalls IE-Popups, Trojanermeldungen


Log-Analyse und Auswertung: Ebenfalls IE-Popups, Trojanermeldungen

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML.

Antwort
Alt 01.08.2008, 10:23   #1
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


So, jetzt ist schon wieder was passiert, anscheinend hab ich mir auch etwas eingefangen, IE-Popups kamen, dann mit diversen Virentools etc. zu bereinigen versucht aber nicht erfolgreich gewesen, deswegen jetzt meine verzweifelte Bitte um Hilfe. der Einfachheit halber poste ich mal das HiJackLogfile, ich hoffe ich habe alles relevante rauseditiert, und warte dann geduldig:

Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:07, on 01.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Symantec AntiVirus\DefWatch.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\Symantec AntiVirus\Rtvscan.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Winamp\winamp.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://192.168.1.1/start.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\Yh6fs5Vp.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE1ED32-8349-486E-9E45-DA1829B9348C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AE1ED32-8349-486E-9E45-DA1829B9348C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AE1ED32-8349-486E-9E45-DA1829B9348C}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programme\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programme\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programme\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9153 bytes

Alt 01.08.2008, 11:01   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Ebenfalls IE-Popups, Trojanermeldungen - Icon32

Ebenfalls IE-Popups, Trojanermeldungen


Hallo

Zitat:
IE-Popups kamen, dann mit diversen Virentools etc. zu bereinigen versucht
Was heißt mit diversen Virentools? Kannst Du vllt mal beim Namen nennen?
Mach bitte einen Durchlauf jew. mit Malwarebytes AntiMalware sowie

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir das Tool hier herunter auf den Desktop -> KLICK
Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:
  • Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
    Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.
  • Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.
Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.
__________________

__________________
Alt 01.08.2008, 15:00   #3
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


Also, mit diversen Virentools waren Symantec Antivirus, Spybot und Adaware gemeint.

Hier nun Anti-Malware-Log, zum Combofix werde ich erst heut abend kommen:

Code:
ATTFilter
Malwarebytes' Anti-Malware 1.24
Datenbank Version: 1014
Windows 5.1.2600 Service Pack 2

15:57:27 01.08.2008
mbam-log-8-1-2008 (15-57-27).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|G:\|)
Durchsuchte Objekte: 103792
Laufzeit: 1 hour(s), 34 minute(s), 7 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 3
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
D:\install\Apple.Quicktime.Pro.v6.3.GERMAN.WinALL.Incl.Keymaker-CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\CmdLineExt02.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Btw, vielen Dank schonmal für die schnelle Hilfe!
__________________
Alt 01.08.2008, 15:01   #4
Silent sharK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


Zitat:
Apple.Quicktime.Pro.v6.3.GERMAN.WinALL.Incl.Keymaker-CORE\CORE10k.EXE
*hust* *hust*
__________________
mfg, Patrick


Technische Kompromittierung
=> Tatort Internet
Keine Windows-CD? Selbst brennen.

Alt 02.08.2008, 08:09   #5
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


was soll ich sagen, ich war jung und hatte kein geld

hier das combofix-log:

Code:
ATTFilter
ComboFix 08-07-31.06 - Flo 2008-08-02  9:03:58.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.211 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Flo\Desktop\ComboFix.exe
.

(((((((((((((((((((((((   Dateien erstellt von 2008-07-02 bis 2008-08-02  ))))))))))))))))))))))))))))))
.

2008-08-02 08:57 . 2008-08-02 08:57	<DIR>	d--------	C:\Programme\CCleaner
2008-08-01 14:21 . 2008-08-01 14:21	<DIR>	d--------	C:\Programme\Malwarebytes' Anti-Malware
2008-08-01 14:21 . 2008-08-01 14:21	<DIR>	d--------	C:\Dokumente und Einstellungen\Flo\Anwendungsdaten\Malwarebytes
2008-08-01 14:21 . 2008-08-01 14:21	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-01 14:21 . 2008-07-30 20:07	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 14:21 . 2008-07-30 20:07	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-07-31 17:41 . 2008-07-31 17:41	<DIR>	d--------	C:\Programme\Trend Micro
2008-07-27 14:31 . 2008-07-27 14:33	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-07-24 20:11 . 2008-08-02 08:38	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-07-22 08:03 . 2008-07-22 08:03	<DIR>	dr-------	C:\Dokumente und Einstellungen\NetworkService\Favoriten
2008-07-22 08:03 . 2008-07-22 08:03	<DIR>	d--------	C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\ICQ Toolbar
2008-07-21 15:52 . 2008-07-21 15:52	0	--a------	C:\WINDOWS\system32\y4Y71Jv0.exe.a_a
2008-07-21 13:40 . 2008-07-21 13:40	29,760	--a------	C:\WINDOWS\system32\0A7U87bu.exe
2008-07-21 13:40 . 2008-07-21 13:40	0	--a------	C:\WINDOWS\system32\0A7U87bu.exe.a_a
2008-07-14 17:32 . 2008-07-14 17:32	<DIR>	d--------	C:\Programme\TeXnicCenter
2008-07-14 17:32 . 2006-05-28 16:39	44,544	--a------	C:\WINDOWS\system32\msxml4a.dll
2008-07-14 17:28 . 2008-07-14 17:28	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MiKTeX
2008-07-14 17:00 . 2008-07-14 22:12	<DIR>	d--------	C:\Programme\MiKTeX 2.7

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 06:46	---------	d-----w	C:\Dokumente und Einstellungen\Flo\Anwendungsdaten\Skype
2008-08-02 06:43	---------	d-----w	C:\Dokumente und Einstellungen\Flo\Anwendungsdaten\skypePM
2008-08-02 06:25	---------	d-----w	C:\Programme\Symantec AntiVirus
2008-07-24 07:08	---------	d-----w	C:\Programme\ICQToolbar
2008-07-16 18:51	---------	d-----w	C:\Programme\Java
2008-07-05 18:56	---------	d-----w	C:\Programme\Starcraft
2008-06-20 17:39	247,296	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 06:32	---------	d-----w	C:\Programme\SEQUENCER --- Ableton Live v7.0.1.WORKING-AiR
2008-06-14 17:57	273,024	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:14	1,293,312	----a-w	C:\WINDOWS\system32\quartz.dll
2008-03-05 19:02	32	----a-w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2001-11-23 10:08	712,704	----a-w	C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"updateMgr"="C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"ICQ"="C:\Programme\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2004-08-06 16:44 66680]
"WinampAgent"="C:\Programme\Winamp\winampa.exe" [2007-02-13 20:29 35328]
"Acrobat Assistant 7.0"="C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-12-28 21:23 185896]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Adobe Acrobat - Schnellstart.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe [2007-04-19 18:58:34 25214]
Adobe Gamma Loader.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-23 21:39:25 110592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18825:TCP"= 18825:TCP:BitComet 18825 TCP
"18825:UDP"= 18825:UDP:BitComet 18825 UDP
"20059:TCP"= 20059:TCP:BitComet 20059 TCP
"20059:UDP"= 20059:UDP:BitComet 20059 UDP
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP
"61000:TCP"= 61000:TCP:BitComet 61000 TCP
"61000:UDP"= 61000:UDP:BitComet 61000 UDP


*Newly Created Service* - HELPSVC
.
Inhalt des "geplante Tasks" Ordners

2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Flo\Anwendungsdaten\Mozilla\Firefox\Profiles\rogaznx4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.mortal-kombat-sound.de/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 09:05:03
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-08-02  9:06:58
ComboFix-quarantined-files.txt  2008-08-02 07:06:48
ComboFix2.txt  2008-08-02 06:52:51
ComboFix3.txt  2008-08-02 06:35:43

Pre-Run: 1,991,581,696 Bytes frei
Post-Run: 1,983,758,336 Bytes frei

131	--- E O F ---	2008-07-10 07:49:14
nachdem ich alles gescannt hatte etc. hab ich mal den symantec wieder angemacht und prompt kam schon wieder ne Benachrichtigung, von der hab ich mal nen Screenshot gemacht uns angehängt, vielleicht hilfts ja was.....

Miniaturansicht angehängter Grafiken
Ebenfalls IE-Popups, Trojanermeldungen-virus-notification.jpg  
Geändert von FloMK (02.08.2008 um 08:20 Uhr) Grund: Ergänzung

Alt 02.08.2008, 13:33   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Ebenfalls IE-Popups, Trojanermeldungen - Cool

Ebenfalls IE-Popups, Trojanermeldungen


Zitat:
Zitat von FloMK Beitrag anzeigen
was soll ich sagen, ich war jung und hatte kein geld
Und dafür bekommste gleich nette "Beigaben" in Form von Schädlingen.

Code:
ATTFilter
"18825:TCP"= 18825:TCP:BitComet 18825 TCP
Das gilt auch für Filesharingprogramme aller Art. Die selber sind es zwar nicht, die die Schädlinge ins Haus holen, allerdings solltest Du aufpassen was Du davon lädst. Dubiose Software/Warez/Crackz sind in den allermeisten Fällen verseucht.

Code:
ATTFilter
C:\WINDOWS\system32\0A7U87bu.exe
Bitte mal bei Virsutotal.com auswerten lassen und Ergebnisse posten.
Mach danach einen Duchlauf mit Silentrunners und poste das Logfile.

Falls sich noch weitere "krumme" Dateien im System befinden, können wir die evtl. so aufspüren:
Über ein filelisting mit diesem script:

- Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
- Doppelklick auf listing8.cmd auf dem Desktop
- nach kurzer Zeit erscheint eine listing.txt auf dem Desktop
Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.
__________________
--> Ebenfalls IE-Popups, Trojanermeldungen

Alt 02.08.2008, 14:18   #7
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


Hier mal das Ergebnis von virustotal.com:

Code:
ATTFilter
Antivirus  	Version  	letzte aktualisierung  	Ergebnis
AhnLab-V3	2008.7.29.1	2008.08.01	-
AntiVir	7.8.1.15	2008.08.01	TR/Crypt.ULPM.Gen
Authentium	5.1.0.4	2008.08.01	W32/Heuristic-USU!Eldorado
Avast	4.8.1195.0	2008.08.02	Win32:Trojan-gen {Other}
AVG	8.0.0.156	2008.08.01	Downloader.Tiny.H
BitDefender	7.2	2008.08.02	GenPack:Trojan.Downloader.JKGD
CAT-QuickHeal	9.50	2008.08.02	Win32.Packed.NSAnti.r
ClamAV	0.93.1	2008.08.02	Trojan.Downloader-47709
DrWeb	4.44.0.09170	2008.08.02	Trojan.Inject.3608
eSafe	7.0.17.0	2008.07.29	Suspicious File
eTrust-Vet	31.6.6002	2008.08.02	Win32/Cheqtal!generic
Ewido	4.0	2008.08.02	-
F-Prot	4.4.4.56	2008.08.01	W32/Agent.BP.gen!Eldorado
F-Secure	7.60.13501.0	2008.08.02	Trojan-Downloader.Win32.Firu.jr
Fortinet	3.14.0.0	2008.08.02	W32/Firu.JR!tr.dldr
GData	2.0.7306.1023	2008.08.02	Trojan-Downloader.Win32.Firu.jr
Ikarus	T3.1.1.34.0	2008.08.02	Generic.Trojan-Downloader.JKGD
K7AntiVirus	7.10.402	2008.08.01	-
Kaspersky	7.0.0.125	2008.08.02	Trojan-Downloader.Win32.Firu.jr
McAfee	5352	2008.08.01	Downloader.gen.a
Microsoft	1.3704	2008.07.28	Trojan:Win32/Bohmini.A
NOD32v2	3318	2008.08.01	a variant of Win32/TrojanDownloader.Firu
Norman	5.80.02	2008.08.01	W32/Smalltroj.FLDD
Panda	9.0.0.4	2008.08.02	Suspicious file
PCTools	4.4.2.0	2008.08.02	-
Prevx1	V2	2008.08.02	Cloaked Malware
Rising	20.55.42.00	2008.08.02	Trojan.PSW.Win32.GameOL.otd
Sophos	4.31.0	2008.08.02	Mal/HckPk-A
Sunbelt	3.1.1537.1	2008.08.01	Trojan.Crypt.ULPM.Gen
Symantec	10	2008.08.02	-
TheHacker	6.2.96.391	2008.07.31	Trojan/Downloader.Firu.jr
TrendMicro	8.700.0.1004	2008.08.01	TROJ_FIRU.AG
VBA32	3.12.8.2	2008.08.02	Trojan-Downloader.Win32.Firu.ju
ViRobot	2008.8.1.1321	2008.08.01	-
VirusBuster	4.5.11.0	2008.08.01	-
Webwasher-Gateway	6.6.2	2008.08.02	Trojan.Crypt.ULPM.Gen
weitere Informationen
File size: 29760 bytes
MD5...: 7334e0356ad780c5a40301349ad0e19b
SHA1..: 9e11ee8d46f8238cfd97511c754ea4e652a89bdd
SHA256: c95bf340a3648b79d736787ca8932af3ddbb5dedc0bb6f747d120837d8e01d89
SHA512: 8a218b8bbafa6d0a0583e76bb7f5a3492933e9ced67cb4f844c597abe215a028
279503cf9d270b68605afeeb8164e736af2d22a4da56d5ab9b3442b178e27ed7
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40cc60
timedatestamp.....: 0x487b0a86 (Mon Jul 14 08:12:54 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x5000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6000 0x7000 0x6e00 7.99 108bb92d086d04ddd5dd5658b08016e0
.rsrc 0xd000 0x1000 0x200 2.64 d0ef1015fcb506884f2f66ae8d1954a3

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: SetSecurityDescriptorDacl

( 0 exports )
Prevx info: h**p://info.prevx.com/aboutprogramtext.asp?PX5=163F671740F3974E7444009E94D8E4002D9FCFD8
ThreatExpert info: h**p://www.threatexpert.com/report.aspx?md5=7334e0356ad780c5a40301349ad0e19b
und das silentrunners logfile:

Code:
ATTFilter
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"StartCCC" = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"updateMgr" = ""C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1" ["Adobe Systems Incorporated"]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ICQ" = ""C:\Programme\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"vptray" = "C:\PROGRA~1\SYMANT~1\\vptray.exe" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
                   \InProcServer32\(Default) = "C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll" ["BitComet"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMHelp" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoStartBanner" = (REG_DWORD) dword:0x00000001
{Remove "Click here to begin" from Start button}

"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSMMyPictures" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove My Pictures icon from Start Menu}

"ForceStartMenuLogoff" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuPinnedList" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSMConfigurePrograms" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
                   \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]


Startup items in "Flo" & "All Users" startup folders:
-----------------------------------------------------

C:\Dokumente und Einstellungen\Flo\Startmenü\Programme\Autostart
"Trillian" -> shortcut to: "C:\Programme\Trillian\trillian.exe" [file not found]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"At1" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At10" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At11" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At12" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At13" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At14" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At15" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At16" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At17" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At18" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At19" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At2" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At20" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At21" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At22" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At23" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At24" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At25" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At26" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At27" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At28" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At29" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At3" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At30" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At31" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At32" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At33" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At34" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At35" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At36" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At37" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At38" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At39" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At4" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At40" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At41" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At42" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At43" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At44" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At45" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At46" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At47" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At48" -> launches: "C:\WINDOWS\system32\y4Y71Jv0.exe" [file not found]
"At5" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At6" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At7" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At8" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]
"At9" -> launches: "C:\WINDOWS\system32\0A7U87bu.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Classes\CLSID\{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}\(Default) = "BitComet Button"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll" ["BitComet"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\
"ButtonText" = "BitComet Search"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]
Geändert von FloMK (02.08.2008 um 14:25 Uhr) Grund: um silentrunner logfile ergänzt

Alt 02.08.2008, 14:26   #8
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


rest vom silentrunners logfile:

Code:
ATTFilter
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Programme\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Programme\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-08-02 15:20:39)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 165 seconds, including 18 seconds for message boxes)
hier das listing.txt:
http://www.file-upload.net/download-...FloMK.txt.html

Alt 02.08.2008, 14:41   #9
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Ebenfalls IE-Popups, Trojanermeldungen - Icon32

Ebenfalls IE-Popups, Trojanermeldungen


Ein paar dateien müssen noch weg:

Anleitung Avenger (by swandog46)

Lade dir das Tool Avenger und speichere es auf dem Desktop:
  • Doppelklick auf das Avenger-Symbol
  • Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"
Code:
ATTFilter
files to delete:
C:\WINDOWS\system32\0A7U87bu.exe
C:\WINDOWS\system32\y4Y71Jv0.exe.a_a
C:\WINDOWS\system32\0A7U87bu.exe.a_a
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
  • Schliesse nun alle Programme und Browser-Fenster
  • Um den Avenger zu starten klicke auf -> Execute
  • Dann bestätigen mit "Yes" das der Rechner neu startet
  • Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt
  • Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Danach sehen wir weiter.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 02.08.2008, 14:52   #10
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


Hier avenger.txt:

Code:
ATTFilter
Logfile of The Avenger Version 2.0, (c) by Swandog46
h**p://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\0A7U87bu.exe" deleted successfully.
File "C:\WINDOWS\system32\y4Y71Jv0.exe.a_a" deleted successfully.
File "C:\WINDOWS\system32\0A7U87bu.exe.a_a" deleted successfully.
File "C:\WINDOWS\Tasks\At16.job" deleted successfully.
File "C:\WINDOWS\Tasks\At40.job" deleted successfully.
File "C:\WINDOWS\Tasks\At15.job" deleted successfully.
File "C:\WINDOWS\Tasks\At39.job" deleted successfully.
File "C:\WINDOWS\Tasks\At14.job" deleted successfully.
File "C:\WINDOWS\Tasks\At38.job" deleted successfully.
File "C:\WINDOWS\Tasks\At13.job" deleted successfully.
File "C:\WINDOWS\Tasks\At37.job" deleted successfully.
File "C:\WINDOWS\Tasks\At12.job" deleted successfully.
File "C:\WINDOWS\Tasks\At36.job" deleted successfully.
File "C:\WINDOWS\Tasks\At11.job" deleted successfully.
File "C:\WINDOWS\Tasks\At35.job" deleted successfully.
File "C:\WINDOWS\Tasks\At10.job" deleted successfully.
File "C:\WINDOWS\Tasks\At34.job" deleted successfully.
File "C:\WINDOWS\Tasks\At9.job" deleted successfully.
File "C:\WINDOWS\Tasks\At33.job" deleted successfully.
File "C:\WINDOWS\Tasks\At24.job" deleted successfully.
File "C:\WINDOWS\Tasks\At48.job" deleted successfully.
File "C:\WINDOWS\Tasks\At21.job" deleted successfully.
File "C:\WINDOWS\Tasks\At45.job" deleted successfully.
File "C:\WINDOWS\Tasks\At17.job" deleted successfully.
File "C:\WINDOWS\Tasks\At41.job" deleted successfully.
File "C:\WINDOWS\Tasks\At18.job" deleted successfully.
File "C:\WINDOWS\Tasks\At42.job" deleted successfully.
File "C:\WINDOWS\Tasks\At23.job" deleted successfully.
File "C:\WINDOWS\Tasks\At47.job" deleted successfully.
File "C:\WINDOWS\Tasks\At22.job" deleted successfully.
File "C:\WINDOWS\Tasks\At46.job" deleted successfully.
File "C:\WINDOWS\Tasks\At20.job" deleted successfully.
File "C:\WINDOWS\Tasks\At44.job" deleted successfully.
File "C:\WINDOWS\Tasks\At19.job" deleted successfully.
File "C:\WINDOWS\Tasks\At43.job" deleted successfully.
File "C:\WINDOWS\Tasks\At2.job" deleted successfully.
File "C:\WINDOWS\Tasks\At26.job" deleted successfully.
File "C:\WINDOWS\Tasks\At1.job" deleted successfully.
File "C:\WINDOWS\Tasks\At25.job" deleted successfully.
File "C:\WINDOWS\Tasks\At32.job" deleted successfully.
File "C:\WINDOWS\Tasks\At30.job" deleted successfully.
File "C:\WINDOWS\Tasks\At31.job" deleted successfully.
File "C:\WINDOWS\Tasks\At29.job" deleted successfully.
File "C:\WINDOWS\Tasks\At28.job" deleted successfully.
File "C:\WINDOWS\Tasks\At27.job" deleted successfully.
File "C:\WINDOWS\Tasks\At8.job" deleted successfully.
File "C:\WINDOWS\Tasks\At7.job" deleted successfully.
File "C:\WINDOWS\Tasks\At6.job" deleted successfully.
File "C:\WINDOWS\Tasks\At5.job" deleted successfully.
File "C:\WINDOWS\Tasks\At3.job" deleted successfully.
File "C:\WINDOWS\Tasks\At4.job" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Alt 02.08.2008, 15:01   #11
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Ebenfalls IE-Popups, Trojanermeldungen - Frage

Ebenfalls IE-Popups, Trojanermeldungen


Ok, das Zeuch hat er erstmal gelöscht. Poste mal zum Vergleich neue Logfiles vom Filelisting und silentrunners.

Treten jetzt eigentlich die Popups und Meldungen weiterhin auf?
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 02.08.2008, 15:19   #12
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


Also im Moment sind sie mir nicht mehr aufgefallen. Die Popups selber kamen in letzter Zeit auch nicht mehr, nur eben die Symantec-Alerts von denen ich mal einen als Screenshot angehängt hatte.

hier das neue Listing:


und hier das neue silentrunners-logfile:
Code:
ATTFilter
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"StartCCC" = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"updateMgr" = ""C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1" ["Adobe Systems Incorporated"]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ICQ" = ""C:\Programme\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"vptray" = "C:\PROGRA~1\SYMANT~1\\vptray.exe" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
                   \InProcServer32\(Default) = "C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll" ["BitComet"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMHelp" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoStartBanner" = (REG_DWORD) dword:0x00000001
{Remove "Click here to begin" from Start button}

"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSMMyPictures" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove My Pictures icon from Start Menu}

"ForceStartMenuLogoff" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuPinnedList" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSMConfigurePrograms" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
                   \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]


Startup items in "Flo" & "All Users" startup folders:
-----------------------------------------------------

C:\Dokumente und Einstellungen\Flo\Startmenü\Programme\Autostart
"Trillian" -> shortcut to: "C:\Programme\Trillian\trillian.exe" [file not found]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Classes\CLSID\{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}\(Default) = "BitComet Button"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll" ["BitComet"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\
"ButtonText" = "BitComet Search"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Programme\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Programme\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-08-02 16:17:24)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 117 seconds.
---------- (total run time: 179 seconds)

Alt 04.08.2008, 14:34   #13
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Ebenfalls IE-Popups, Trojanermeldungen - Cool

Ebenfalls IE-Popups, Trojanermeldungen


Das sieht eigentlich soweit wieder i.O. aus, sofern mir nichts entgangen ist.
Funktioniert denn soweit alles wieder? Sind wieder neue Meldungen aufgetaucht?
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 05.08.2008, 15:31   #14
FloMK
 
Ebenfalls IE-Popups, Trojanermeldungen - Standard

Ebenfalls IE-Popups, Trojanermeldungen


Also die Symantec-Meldungen haben aufgehört (dafür schonmal thx!!), das einzige was mich noch irritiert ist dass es manchmal klickt als ob eine neue Seite aufgeht aber nichts passiert..... das kann allerdings auch meine paranoia sein

Antwort

Themen zu Ebenfalls IE-Popups, Trojanermeldungen
ad-aware, adobe, antivirus, bho, dateien, diverse, dll, drivers, excel, explorer, helper, hijackthis, hkus\s-1-5-18, hotkey, icq, internet, internet explorer, konvertieren, microsoft, pdf, pdf-datei, programme, rundll, skype.exe, software, solution, symantec, system, unknown file in winsock lsp, urlsearchhook, viren, windows, windows xp


« blauer desktop mit viren warnung | ntos.exe usw. brauche hilfe »


Ähnliche Themen: Ebenfalls IE-Popups, Trojanermeldungen


  1. Windows 7: Werbung und Popups im Firefox, unterstrichene Wörter mit PopUps bei Mouse-Over EXP/JAVA.Rafold.A.Gen
    Log-Analyse und Auswertung - 03.02.2014 (5)
  2. Aggressive Werbeeinblendungen und POPUPs, ebenfalls viele von gqs.donedrive.net
    Log-Analyse und Auswertung - 22.09.2013 (9)
  3. Ebenfalls (PopUps & ads im Browser von gqs.donedrive.net )
    Log-Analyse und Auswertung - 19.09.2013 (9)
  4. VBS:ExeTRDropper-gen [Trj] / 51 Trojanermeldungen in verschiedensten Datein (Win7)
    Plagegeister aller Art und deren Bekämpfung - 21.04.2011 (27)
  5. Diverse Problem: Postbank TAN-Abfrage, Rechner friert ein, Trojanermeldungen bei AntiVir
    Plagegeister aller Art und deren Bekämpfung - 18.03.2011 (32)
  6. PC läuft heiß, Trojanermeldungen, Mozilla stürzt ab, Werbefenster
    Log-Analyse und Auswertung - 12.07.2010 (1)
  7. Trojanermeldungen seit einigen Wochen
    Log-Analyse und Auswertung - 18.05.2010 (25)
  8. Kurz nach PC start schon 10 Trojanermeldungen, nicht löschbar.
    Plagegeister aller Art und deren Bekämpfung - 12.04.2010 (37)
  9. trojanermeldungen.. ist mein system sauber?
    Log-Analyse und Auswertung - 13.03.2010 (15)
  10. avira neu , 4 Trojanermeldungen
    Plagegeister aller Art und deren Bekämpfung - 06.12.2009 (18)
  11. Win32/Virut gefunden und in Quarantäne, seitdem ständig Trojanermeldungen
    Log-Analyse und Auswertung - 29.11.2009 (1)
  12. BCWipe - es hagelt Trojanermeldungen?!
    Plagegeister aller Art und deren Bekämpfung - 19.12.2008 (0)
  13. BCWipe - es hagelt Trojanermeldungen?!
    Mülltonne - 19.12.2008 (0)
  14. Trojanermeldungen
    Log-Analyse und Auswertung - 03.12.2008 (0)
  15. Antivir Trojanermeldungen
    Plagegeister aller Art und deren Bekämpfung - 20.11.2008 (1)
  16. Nach Entfernung von Trojaner immer noch Trojanermeldungen von McAfee
    Log-Analyse und Auswertung - 21.01.2007 (8)
  17. Verschiedene Trojanermeldungen von Antivir [Logfile etc.]
    Log-Analyse und Auswertung - 10.07.2006 (1)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema Ebenfalls IE-Popups, Trojanermeldungen - So, jetzt ist schon wieder was passiert, anscheinend hab ich mir auch etwas eingefangen, IE-Popups kamen, dann mit diversen Virentools etc. zu bereinigen versucht aber nicht erfolgreich gewesen, deswegen jetzt - Ebenfalls IE-Popups, Trojanermeldungen...
Archiv
Du betrachtest: Ebenfalls IE-Popups, Trojanermeldungen auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130