Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung
Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)

Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)


Log-Analyse und Auswertung: Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML.

Antwort
Alt 07.10.2008, 20:20   #1
UTM
 
Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa) - Standard

Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)


Hallo,

auch bei mir meldet sich nun mit einer nervigen Regelmäßigkeit angeblich die Windows-Firewall (allerdings auf Englisch, also schon suspekt bei meiner Deutschen Spracheinstellung) mit einem Windows Security Alert, dass jeweils verschiedene Programme Daten an das Internet senden wollen (z.B. sei dies Trojan-Spy.HTML.bankfraud.dq oder Trojan-Spy.Win32.keylogger.aa).
Nachdem ich mit Avira AntiVir Personal mein System gescannt hatte und auch 3 Funde gelöscht werden konnten, habe ich dann noch HiJackThis ausgeführt.

Hier ein Ausschnitt vom ersten logfile, der mich sehr irritiert hat:

Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:42, on 07.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
[...]
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\nsnafgho.exe
D:\Programme\Opera\opera.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Programme\totalcmd\TOTALCMD.EXE
C:\HiJackThis\HiJackThis.exe
[...]
Mich hat vor allem der Eintrag "C:\WINDOWS\system32\nsnafgho.exe" stutzig gemacht. Ich bin dann mit Hilfe von Pacmans-Startuplist meine Starteinträge in der msconfig durchgegangen und habe einige Haken für den Systemstart entfernt (u.a. auch von nsnafgho.exe).
Ein Virsencan der nansfgho.exe mittels Avira AntiVir brachte keinen Fund zutage. Also habe ich diese Datei bei VirusTotal hochgeladen und folgendes Ergebnis bekommen:

Code:
ATTFilter
Ergebnis: 12/35 (34.29%)

Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.10.3.2	2008.10.07	-
AntiVir	7.8.1.34	2008.10.07	-
Authentium	5.1.0.4	2008.10.07	-
Avast	4.8.1248.0	2008.10.07	Win32:PureMorph
AVG	8.0.0.161	2008.10.07	-
BitDefender	7.2	2008.10.07	-
CAT-QuickHeal	9.50	2008.10.07	Win32.Trojan.Obfuscated.gx.3
ClamAV	0.93.1	2008.10.07	-
DrWeb	4.44.0.09170	2008.10.07	-
eSafe	7.0.17.0	2008.10.07	-
eTrust-Vet	31.6.6133	2008.10.07	-
Ewido	4.0	2008.10.07	-
F-Prot	4.4.4.56	2008.10.06	-
F-Secure	8.0.14332.0	2008.10.07	Trojan.Win32.Obfuscated.gx
Fortinet	3.113.0.0	2008.10.07	W32/PolySmall.BP!tr
GData	19	2008.10.07	Win32:PureMorph 
Ikarus	T3.1.1.34.0	2008.10.07	Virus.Trojan.Win32.Obfuscated.gx
K7AntiVirus	7.10.487	2008.10.07	-
Kaspersky	7.0.0.125	2008.10.07	Trojan.Win32.Obfuscated.gx
McAfee	5399	2008.10.07	FakeAlert-BD
Microsoft	1.4005	2008.10.07	Trojan:Win32/Busky.EI
NOD32	3501	2008.10.07	a variant of Win32/TrojanDownloader.FakeAlert.IQ
Norman	5.80.02	2008.10.06	-
Panda	9.0.0.4	2008.10.07	-
PCTools	4.4.2.0	2008.10.07	-
Rising	20.65.12.00	2008.10.07	-
SecureWeb-Gateway	6.7.6	2008.10.07	-
Sophos	4.34.0	2008.10.07	Mal/EncPk-DG
Sunbelt	3.1.1708.1	2008.10.07	-
Symantec	10	2008.10.07	-
TheHacker	6.3.1.0.102	2008.10.07	-
TrendMicro	8.700.0.1004	2008.10.07	TROJ_OBFUSCA.BWA
VBA32	3.12.8.6	2008.10.07	-
ViRobot	2008.10.7.1410	2008.10.07	-
VirusBuster	4.5.11.0	2008.10.07	-

weitere Informationen
File size: 98304 bytes
MD5...: 4b005013e28cbbdb45764c79abddbc65
SHA1..: 114231b503121a8c9e4cff30b2b58502c97992a1
SHA256: 62c161e25e47c1724527b2fd39c283bb13043eaa289187349550226621bbab1f
SHA512: 78e3d393a458f781238dbd6e88facd68b26e1408b6cafc68876dcdc003adc9d7
e489f7a966b23eb8a6e906e2ed715381e9ffc0a626bfb7598931db2b1177cf9a
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40c762
timedatestamp.....: 0x48eadf3e (Tue Oct 07 04:02:06 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.bxzv 0x1000 0x14056 0x15000 6.72 5bec36eff58137db9d406f332a92829d
.xpzhy 0x16000 0x33a 0x1000 1.51 1135a05c76d720760b39ce6bc667f5c5
.vqbvi 0x17000 0x5a58 0x1000 0.64 f90ff9c97acd35a8b7667d0b76ef0e88
Also habe ich die Datei gelöscht. Nun sieht das log von HiJackThis so aus:

Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20:08, on 07.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Acer\Acer Arcade\PCMService.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
D:\Programme\Kalenderchen\Kalenderchen.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
D:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Programme\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
d:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\DOKUME~1\***\LOKALE~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\nsnafgho.exe
D:\Programme\Opera\opera.exe
C:\WINDOWS\system32\cidaemon.exe
D:\Programme\totalcmd\TOTALCMD.EXE
C:\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\system32\ToolBand.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ScanSoft OmniPage 15.0-reminder] "D:\Programme\ScanSoft\OmniPage15.0\Ereg\ereg.exe" -r "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft\OmniPage15.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [DMS-Kalenderchen] D:\Programme\Kalenderchen\Kalenderchen.exe /autorun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [b1S5ihXD6U] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\zmjyfohi\tifgtcto.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\spiele\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\spiele\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188241667203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188241650687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FC46D9B-FD71-43C3-9543-3666A759C2CD}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB9A02C7-5A28-40E2-A4D6-68874AF79B28}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: smartwin - {70AECCFE-9DEC-FA07-0DF8-070D5E0248C7} - C:\Programme\ghrwdk\smartwin.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - d:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 11457 bytes
Danach habe ich noch Malwarebytes Anti-Malware ausgeführt und mich an die Anleitung gehalten. Hier das dazugehörige logfile (ANMERKUG: da ich mit über 28000 Zeichen die erlaubte Grenze von 25000 überschreite, poste ich das log in einem zweiten Posting:
Code:
ATTFilter
Code siehe nächstes Posting
Bis jetzt (kurz nach dem Neustart) ist der Windows Security Alert noch nicht wieder aufgetaucht. Allerdings weiß ich nicht, was zu tun ist, um "das Ding" wirklich komplett loszuwerden - denn es könnte ja noch weitere Auswirkungen gehabt haben.

Über Hilfe zur (weiteren) Entfernung wäre ich wirklich sehr dankbar.

Grüße,
UTM

Alt 07.10.2008, 20:22   #2
UTM
 
Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa) - Standard

Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)


Hier nun das logfile von Malwarebytes' Anti-Malware:

Code:
ATTFilter
Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1240
Windows 5.1.2600 Service Pack 3

07.10.2008 20:25:20
mbam-log-2008-10-07 (20-25-20).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 208121
Laufzeit: 50 minute(s), 0 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 31
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 4
Infizierte Dateien: 66

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\hol5_vxiewer.full.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\eMule\LinkCreator.exe (Rogue.Fake!emule.exe) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup020.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
__________________
Antwort

Themen zu Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)
alert, antivir, avira, bho, bonjour, cdburnerxp, einstellungen, ellung, excel, hijack, hijackthis, hkus\s-1-5-18, internet, internet explorer, launch, log in, logfile, malwarebytes anti-malware, monitor, object, realtek, registry, rundll, security, senden, software, suspekt, system, windows, windows security, windows security alert, windows xp, windows xp sp3, windows-firewall, xp sp3


« Warning! Security error! Attention! Low performance! | Sicherheitsupdates funktionieren nicht »


Ähnliche Themen: Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)


  1. Windows security Alert POPUP. Malwerfund: Trojan.Obfuscated auf externer Platte
    Log-Analyse und Auswertung - 30.08.2012 (7)
  2. Trojaner SVCHOST.Stealth.Keyloger / Live Security Platinium
    Plagegeister aller Art und deren Bekämpfung - 12.08.2012 (2)
  3. AntiVirus Software Alert / Windows Security Alert
    Plagegeister aller Art und deren Bekämpfung - 15.01.2011 (19)
  4. Windows Security Alert / AV Security Suite / Antivirus Software Alert
    Plagegeister aller Art und deren Bekämpfung - 08.01.2011 (1)
  5. Meldung Windows Security Alert / AV Security Suite / Antivirus Software Alert
    Plagegeister aller Art und deren Bekämpfung - 17.09.2010 (26)
  6. Windows Security Alert / AV Security Suite / Antivirus Software Alert / gefakter AV lähmt PC
    Plagegeister aller Art und deren Bekämpfung - 09.09.2010 (3)
  7. Malware / Virus / Trojaner - "Windows Security Alert / Security Suite"
    Plagegeister aller Art und deren Bekämpfung - 31.08.2010 (11)
  8. Windows Security Alert
    Plagegeister aller Art und deren Bekämpfung - 26.08.2010 (1)
  9. selbe problem mit Windows Security Alert - Antivirus Software Alert
    Plagegeister aller Art und deren Bekämpfung - 15.08.2010 (3)
  10. Windows Security Alert / AV Security Suite / Antivirus Software Alert
    Plagegeister aller Art und deren Bekämpfung - 26.07.2010 (21)
  11. Windows Security Alert / AV Security Suite / Antivirus Software Alert// Ohne Internet
    Plagegeister aller Art und deren Bekämpfung - 21.07.2010 (1)
  12. windows security alert
    Plagegeister aller Art und deren Bekämpfung - 25.05.2010 (9)
  13. WINDOWS SECURITY ALERT - weg?
    Plagegeister aller Art und deren Bekämpfung - 23.05.2010 (1)
  14. Windows Security Alert
    Log-Analyse und Auswertung - 29.03.2010 (26)
  15. system alert, windows security alert und fremde antiviren programme
    Plagegeister aller Art und deren Bekämpfung - 01.01.2010 (51)
  16. FEHLER! Security Tool Warning. Wurm Lsas.Blaster.Keyloger!!!
    Plagegeister aller Art und deren Bekämpfung - 26.10.2009 (1)
  17. Windows security alert
    Plagegeister aller Art und deren Bekämpfung - 23.04.2008 (2)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa) - Hallo, auch bei mir meldet sich nun mit einer nervigen Regelmäßigkeit angeblich die Windows-Firewall (allerdings auf Englisch, also schon suspekt bei meiner Deutschen Spracheinstellung) mit einem Windows Security Alert , - Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa)...
Archiv
Du betrachtest: Windows Security Alert - Obfuscated.gx (bankfraud.dq, keyloger.aa) auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55