| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Trojan Keylogger Win 32 FungWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
31.10.2008, 22:04
| #16 |
 |  Trojan Keylogger Win 32 FungCode:
ATTFilter
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"wixpo" = ""C:\Dokumente und Einstellungen\Administratormupd1_2_645698.exe"" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KAVPersonal50" = ""C:\Programme\Steganos AntiVirus 2006\kav.exe" /minimize" ["Steganos GmbH"]
"Smapp" = "C:\Programme\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"Bsx3" = "RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Malwarebytes' Anti-Malware" = "C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{A85C4A1B-BD36-44E5-A70F-8EC347D9B24F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "CExtension Object"
\InProcServer32\(Default) = "C:\WINDOWS\bs3.dll" ["TODO: <Company name>"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{FAE0A3E0-3010-41BA-9DDC-A631394F047F}" = "SteganosShellExtension"
-> {HKLM...CLSID} = "SteganosShellExtension"
\InProcServer32\(Default) = "C:\Programme\Steganos Security Suite 2006\ShellExtension.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Steganos AntiVirus 2006\shellex.dll" ["Steganos GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Steganos AntiVirus 2006\shellex.dll" ["Steganos GmbH"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
SteganosShellExtension\(Default) = "{FAE0A3E0-3010-41BA-9DDC-A631394F047F}"
-> {HKLM...CLSID} = "SteganosShellExtension"
\InProcServer32\(Default) = "C:\Programme\Steganos Security Suite 2006\ShellExtension.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Justin Timberlake.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Justin Timberlake.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
HPUnloadAutoplay\
"Provider" = "HP Übertragung und Schnelldruck"
"InvokeProgID" = "HpqUnApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Programme\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]
iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]
iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]
iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]
iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]
MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\Command\(Default) = "C:\Programme\K-Lite Codec Pack\Media Player Classic\mplayerc.exe %1 /dvd" ["Gabest"]
MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\Command\(Default) = "C:\Programme\K-Lite Codec Pack\Media Player Classic\mplayerc.exe %1" ["Gabest"]
NeroAutoPlay2AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_AudioToNeroDigital"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_AudioToNeroDigital\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /Dialog:SaveTracksND /Drive:%L" ["Ahead Software AG"]
NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]
NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]
NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]
NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Programme\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]
NeroAutoPlay2RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_RipCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_RipCD\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /Dialog:SaveTracks /Drive:%L" ["Ahead Software AG"]
WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{00000000-5736-4205-0009-0FF9B7C016DD}\(Default) = "Steganos Private Favoriten"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "c:\programme\steganos security suite 2006\sss2006iep.dll" [null data]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6#2\ICQ.exe" ["ICQ, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
kavsvc, kavsvc, ""C:\Programme\Steganos AntiVirus 2006\kavsvc.exe"" ["Steganos GmbH"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Programme\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
T-DSL Manager, TDslMgrService, ""C:\Programme\T-DSL Manager\DslMgrSvc.exe"" ["T-Systems"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
---------- (launch time: 2008-10-31 22:00:28)
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 124 seconds, including 16 seconds for message boxes)
|
|
31.10.2008, 22:22
| #17 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Trojan Keylogger Win 32 Fung hast Du Combofix schon ausgeführt? Wenn nicht sehe ich noch ne Chance hierfür:
__________________Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen: Code:
ATTFilter C:\Dokumente und Einstellungen\Administratormupd1_2_645698.exe
C:\WINDOWS\bs3.dll
__________________ |
|
31.10.2008, 22:40
| #18 |
| | Trojan Keylogger Win 32 Fung also ich hab jetzt das crombofix schon vor deinem letzten post ausgeführt gehabt...
__________________alles war gut, bis zum schluss.. Da kam die log datei un dann kam mei desktop aber nicht wieder... dann musste ich den pc neu starten.. un als ich ihn neu gestartet hatte kam die meldung trojan.keylogger.win32.fung wieder.. was is nu los?? |
|
31.10.2008, 22:42
| #19 |
| | Trojan Keylogger Win 32 FungCode:
ATTFilter ComboFix 08-10-30.13 - Administrator 2008-10-31 22:25:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.245 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
* Resident AV is active
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\mdm.exe
.
((((((((((((((((((((((( Dateien erstellt von 2008-09-28 bis 2008-10-31 ))))))))))))))))))))))))))))))
.
2008-10-31 22:15 . 2008-10-31 22:15 <DIR> d-------- C:\Programme\CCleaner
2008-10-31 20:55 . 2008-10-31 20:55 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-10-31 20:55 . 2008-10-31 20:55 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-10-31 20:55 . 2008-10-31 20:55 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Malwarebytes
2008-10-31 20:55 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-31 20:55 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-31 15:18 . 2008-10-31 15:18 100,352 --a------ C:\Dokumente und Einstellungen\Administratormupd1_2_645698.exe
2008-10-31 15:18 . 2008-10-31 20:37 44,032 --a------ C:\Dokumente und Einstellungen\mjkmsk.dll
2008-10-19 14:36 . 2008-10-19 14:36 <DIR> d-------- C:\Programme\Hewlett-Packard
2008-10-19 14:20 . 2008-10-19 15:07 113,618 --a------ C:\WINDOWS\hpoins07.dat
2008-10-19 14:20 . 2005-05-24 07:50 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-10-12 15:29 . 2004-08-03 23:57 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-10-12 15:29 . 2001-08-18 03:54 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-10-03 16:39 . 2008-10-03 16:53 <DIR> d-------- C:\Programme\ICQ6#2
2008-10-03 16:26 . 2008-10-03 16:38 <DIR> d-------- C:\Programme\ICQ617_39_20
2008-10-03 10:19 . 2008-10-03 12:01 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-09-28 13:46 . 2008-09-28 14:03 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-DSL SpeedManager
2008-09-28 13:46 . 2008-09-28 13:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\T-DSL SpeedManager
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 21:23 --------- d-----w C:\Programme\Mozilla Firefox 3 Beta 4
2008-10-31 14:19 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Apple Computer
2008-10-31 14:19 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Ahead
2008-10-19 13:36 --------- d-----w C:\Programme\HP
2008-10-05 08:09 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-10-03 15:34 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-10-03 15:28 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ICQ
2008-10-03 15:24 --------- d-----w C:\Programme\T-Online
2008-10-03 15:24 --------- d-----w C:\Programme\Gemeinsame Dateien\Marmiko Shared
2008-10-03 11:10 --------- d-----w C:\Programme\Google
2008-10-03 11:05 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Bluetooth
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"wixpo"="C:\Dokumente und Einstellungen\Administratormupd1_2_645698.exe" [2008-10-31 100352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAVPersonal50"="C:\Programme\Steganos AntiVirus 2006\kav.exe" [2005-11-23 139367]
"Smapp"="C:\Programme\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"Bsx3"="C:\WINDOWS\bs3.dll" [2003-08-19 139264]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InfoCockpit"="C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE" [2007-01-16 176128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SSS2006"="C:\Programme\Steganos Security Suite 2006\SSS2006.exe" [2006-06-08 5279744]
C:\Dokumente und Einstellungen\Default User\Startmen\Programme\Autostart\
T-DSL Manager.lnk - C:\Programme\T-DSL Manager\DslMgr.exe [2006-12-18 823296]
C:\Dokumente und Einstellungen\Aline\Startmen\Programme\Autostart\
T-DSL Manager.lnk - C:\Programme\T-DSL Manager\DslMgr.exe [2006-12-18 823296]
C:\Dokumente und Einstellungen\Default User\Startmen\Programme\Autostart\
T-DSL Manager.lnk - C:\Programme\T-DSL Manager\DslMgr.exe [2006-12-18 823296]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiHacker]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\Programme\\ICQ6#2\\ICQ.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Programme\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Programme\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 77312]
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 10995]
R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];C:\WINDOWS\system32\drivers\SLEE13.sys [2005-10-04 16:42 74240]
R3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2006-10-09 17536]
R3 TDslMgrService;T-DSL Manager;C:\Programme\T-DSL Manager\DslMgrSvc.exe [2006-12-18 266240]
R3 TSMPacket;T-DSL Manager Service;C:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2006-12-01 13184]
S3 HotSpotFSvc;Hotspot Manager;C:\Programme\Gemeinsame Dateien\T-COM\HotspotMgr\HotSpotFSvc.exe [2006-12-12 212992]
S3 MIINPazX;MIINPazX NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MInfraIS\MIINPazX.SYS [2006-10-09 17152]
S3 SQTECH930B;SQ930 USB 2.0 Video Camera;C:\WINDOWS\system32\Drivers\Capt930b.sys [2006-03-20 345644]
*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - MBR
*Newly Created Service* - PROCEXP90
.
.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\m9r0ltjf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.de
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\iTunes\Plugins\npqtplugin.dll
FF -: plugin - C:\Programme\iTunes\Plugins\npqtplugin2.dll
FF -: plugin - C:\Programme\iTunes\Plugins\npqtplugin3.dll
FF -: plugin - C:\Programme\iTunes\Plugins\npqtplugin4.dll
FF -: plugin - C:\Programme\iTunes\Plugins\npqtplugin5.dll
FF -: plugin - C:\Programme\iTunes\Plugins\npqtplugin6.dll
FF -: plugin - C:\Programme\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Programme\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\npnul32.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\nppdf32.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\npqtplugin.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\npqtplugin2.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\npqtplugin3.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\npqtplugin4.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\npqtplugin5.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox 3 Beta 4\plugins\npqtplugin6.dll
FF -: plugin - C:\PROGRAMME\Mozilla Firefox\plugins\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 22:27:34
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-10-31 22:29:55
ComboFix-quarantined-files.txt 2008-10-31 21:29:48
Vor Suchlauf: 13 Verzeichnis(se), 35.319.177.216 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 35,502,637,056 Bytes frei
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
152 --- E O F --- 2007-08-29 19:17:58
|
|
31.10.2008, 22:43
| #20 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan Keylogger Win 32 Fung Hat Combofix das Logfile erzeugt? Wenn ja posten Mach weiter mit dem Filelisting.
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
31.10.2008, 22:44
| #21 |
| | Trojan Keylogger Win 32 Fung Äh das problem ist doch schon gelöst?!! siehe mein posting!! Administratormupd1_2_645698.exe im taskmanager killen dann in application data/google die zugehörige (gleicher Name) löschen FERTIG!!! |
|
31.10.2008, 22:48
| #22 | |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan Keylogger Win 32 FungZitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
|
31.10.2008, 22:48
| #23 |
| | Trojan Keylogger Win 32 Fung http://www.file-upload.net/download-1221682/listing.txt.html |
|
31.10.2008, 22:49
| #24 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan Keylogger Win 32 Fung Werte bitte noch die Dateien bei Virustotal aus, dann können wir uns ans Entfernen ranmachen.
__________________ Logfiles bitte immer in CODE-Tags posten |
|
31.10.2008, 22:49
| #25 |
| | Trojan Keylogger Win 32 Fung sind wir jetzt schon fertig???^^ wie siehts denn aus? |
|
31.10.2008, 22:49
| #26 | |
| | Trojan Keylogger Win 32 FungZitat:
Gruß http://www.removeonline.com/remove-trojan-keylogger-win32-fung-trojankeyloggerwin32fung-removal-instructions/ |
|
31.10.2008, 22:58
| #27 | |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Trojan Keylogger Win 32 FungZitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
|
31.10.2008, 22:59
| #28 |
| | Trojan Keylogger Win 32 Fung @ root 24 was mach ich nun?? |
|
31.10.2008, 23:02
| #29 | |
| /// Winkelfunktion /// TB-Süch-Tiger™ |  Trojan Keylogger Win 32 FungZitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
|
31.10.2008, 23:03
| #30 |
| | Trojan Keylogger Win 32 Fung sry... bin bill durcheinanner gekomm.. was is seppdepp fürn typ?? |
|
| Themen zu Trojan Keylogger Win 32 Fung |
| .dll, beendet, computer, downloader, empfangen, firewall, gen, gen 2, generic, ide, image, infiziert, keylogger, link, nicht gefunden, pixel, problem, rechner, seite, svchost.exe, system, system32, trojan, variant, voll, win 32, windows, windows firewall |
Linear-Darstellung
