Pests of all kinds and how to fight them: TR/Dropper gen
If you are not sure whether you have picked up malware or a trojan, open a thread here. An expert will respond with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
03.06.2009, 08:36 | #1 |
TR/Dropper gen
AntiVir reported this to me first thing this morning for a file I rarely use; the last time was months ago: TQ Savegame Tool v.3.52 -> quarantine. I then searched for it and found quite a few worrying things, up to "you absolutely have to reinstall the system". I found a still-open thread on it here and, still running on adrenaline, already ran ComboFix: Code:
ATTFilter ComboFix 09-06-01.03 - Thomas 03.06.2009 8:50.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1031.18.1023.398 [GMT 2:00] Running from: c:\dokumente und einstellungen\Thomas\Desktop\ComboFix.exe AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\install.exe . ((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 ))))))))))))))))))))))))))))))) . 2009-06-01 06:35 . 2009-06-01 06:38 -------- d-----w- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\ChessBase 2009-05-13 12:07 . 2009-05-13 12:07 -------- d-----w- c:\dokumente und einstellungen\Thomas\.netbeans-derby 2009-05-08 16:56 . 2009-02-25 13:15 593920 ------w- c:\windows\system32\ati2sgag.exe 2009-05-08 13:38 . 2009-05-08 13:38 -------- d-----w- C:\ATI 2009-05-08 11:50 . 2009-05-11 14:39 -------- d-----w- c:\dokumente und einstellungen\Thomas\Lokale Einstellungen\Anwendungsdaten\GaHero 2009-05-07 23:14 . 2009-05-07 23:14 -------- d-----w- c:\programme\JoWood . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-03 06:49 . 2009-03-26 16:40 -------- d-----w- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Free Download Manager 2009-06-03 06:08 . 2008-07-26 16:47 -------- d-----w- c:\programme\TQ Savegame Tool v.3.52 2009-06-03 05:43 . 2007-05-01 17:04 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys 2009-06-03 05:42 . 2007-05-01 17:04 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic 2009-06-02 20:35 . 2009-03-14 18:27 1 ----a-w- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2009-05-19 07:35 . 
2007-05-10 17:09 -------- d-----w- c:\programme\Morrowind Enchanted Editor 2009-05-10 20:54 . 2003-09-14 12:35 83800 ----a-w- c:\windows\system32\perfc007.dat 2009-05-10 20:54 . 2003-09-14 12:35 454916 ----a-w- c:\windows\system32\perfh007.dat 2009-05-08 16:55 . 2003-09-14 14:32 -------- d--h--w- c:\programme\InstallShield Installation Information 2009-05-02 06:27 . 2009-05-02 06:24 -------- d-----w- c:\programme\NetBeans 6.5.1 2009-05-02 06:23 . 2009-05-02 06:23 -------- d-----w- c:\programme\Sun 2009-05-02 06:22 . 2009-05-02 06:23 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-05-02 06:22 . 2009-05-02 06:19 -------- d-----w- c:\programme\Java 2009-04-30 13:55 . 2008-08-28 16:11 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP 2009-04-28 19:35 . 2009-04-28 19:35 -------- d-----w- c:\programme\I-Mod Productions 2009-04-15 12:58 . 2007-12-12 18:36 -------- d-----w- c:\programme\X Plugin Manager 2009-04-11 13:19 . 2007-06-10 10:08 -------- d-----w- c:\programme\Windows Grep 2009-04-09 22:01 . 2007-05-01 14:38 26944 ----a-w- c:\dokumente und einstellungen\Thomas\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT 2009-03-16 12:18 . 2009-04-16 06:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll 2009-03-16 12:18 . 2009-04-16 06:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll 2009-03-16 12:18 . 2009-04-16 06:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll 2009-03-16 12:18 . 2009-04-16 06:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll 2009-03-12 16:59 . 2009-03-12 16:51 65 ----a-w- c:\windows\system32\bd7320.dat 2009-03-12 16:47 . 2009-03-12 16:47 10134 ----a-r- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Microsoft\Installer\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}\ARPPRODUCTICON.exe 2009-03-09 13:27 . 2009-04-16 06:18 453456 ----a-w- c:\windows\system32\d3dx10_41.dll 2009-03-09 13:27 . 2009-04-16 06:18 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll 2009-03-09 13:27 . 
2009-04-16 06:18 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll 2009-03-06 14:19 . 2003-09-14 12:35 286720 ----a-w- c:\windows\system32\pdh.dll 2006-05-03 09:06 . 2007-06-13 17:22 163328 --sh--r- c:\windows\system32\flvDX.dll 2007-02-21 10:47 . 2007-06-13 17:22 31232 --sh--r- c:\windows\system32\msfDX.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "AnVir Task Manager Free"="c:\programme\AnVir Task Manager Free\AnVir.exe" [2008-11-13 1544416] "Free Download Manager"="c:\programme\Free Download Manager\fdm.exe" [2009-01-31 3399727] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-06-29 185896] "SSBkgdUpdate"="c:\programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "PaperPort PTD"="c:\programme\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984] "IndexSearch"="c:\programme\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368] "PPort11reminder"="c:\programme\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992] "BrMfcWnd"="c:\programme\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-05 741376] "ControlCenter3"="c:\programme\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824] "SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-05-02 148888] "CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-07 23552] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] c:\dokumente und einstellungen\Thomas\Startmen\Programme\Autostart\ ImpulseNow.lnk - c:\programme\Stardock\Impulse\Now\ImpulseNow.exe [2009-4-10 323584] OpenOffice.org 3.0.lnk - 
c:\programme\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 11:41 294912 ----a-w- c:\programme\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk backup=c:\windows\pss\Adobe Reader - Schnellstart.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^USB Tastatur Kontrollfeld.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\USB Tastatur Kontrollfeld.lnk backup=c:\windows\pss\USB Tastatur Kontrollfeld.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WANMiniportService"=2 (0x2) "ose"=3 (0x3) "LogWatch"=2 (0x2) "InCDsrv"=2 (0x2) "idsvc"=3 (0x3) "gusvc"=3 (0x3) "CTAudSvcService"=2 (0x2) "Creative Audio Engine Licensing Service"=3 (0x3) "CA_LIC_SRVR"=3 (0x3) "CA_LIC_CLNT"=3 (0x3) "ATI Smart"=2 (0x2) "Ati HotKey Poller"=2 (0x2) "a2free"=2 (0x2) "a2AntiMalware"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "d:\\SPIELE\\Space Empires IV Gold\\Se4.exe"= "d:\\SPIELE\\civ4\\Civilization4.exe"= "d:\\SPIELE\\civ4\\Warlords\\Civ4Warlords.exe"= "d:\\SPIELE\\civ4\\Beyond the Sword\\Civ4BeyondSword.exe"= "d:\\SPIELE\\GP4\\GP4.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "d:\\SPIELE\\Privateer\\bin\\soundserver.exe"= "c:\\Programme\\Free Download Manager\\fdm.exe"= R1 atitray;atitray;c:\programme\Ray Adams\ATI Tray Tools\atitray.sys 
[01.06.2008 00:41 17952] R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [10.10.2006 13:53 5632] R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [27.02.2007 12:39 32256] R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [05.08.2008 22:09 93544] R2 ACEDRV06;ACEDRV06;c:\windows\system32\drivers\ACEDRV06.sys [08.12.2007 14:45 99840] R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [15.01.2009 18:52 2368] R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [08.10.2008 02:21 171032] R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [08.10.2008 02:21 1324056] R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [08.10.2008 02:21 72728] R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;c:\windows\system32\drivers\PhTVTune.sys [12.06.2003 08:47 24704] R3 PRISM_A00;PRISM 802.11g Driver;c:\windows\system32\drivers\PRISMA00.sys [10.09.2003 13:22 362688] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe [25.12.2008 11:07 79360] S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [08.10.2008 02:21 171032] S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [08.10.2008 02:21 1324056] S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [08.10.2008 02:21 72728] S3 cusbohcn;cusbohcn;\??\c:\dokume~1\Thomas\LOKALE~1\Temp\cusbohcn.sys --> c:\dokume~1\Thomas\LOKALE~1\Temp\cusbohcn.sys [?] S3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [16.02.2006 17:51 4096] S4 CA_LIC_CLNT;CA-Lizenz-Client;c:\programme\CA\SharedComponents\CA_LIC\lic98rmt.exe [20.09.2002 16:27 77824] S4 CA_LIC_SRVR;CA-Lizenzserver;c:\programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe [20.09.2002 16:41 77824] S4 LogWatch;Ereignisprotokoll-Überwachung;c:\programme\CA\SharedComponents\CA_LIC\LogWatNT.exe [20.09.2002 16:29 53248] . 
- - - - ORPHANS REMOVED - - - - SafeBoot-procexp90.Sys . ------- Supplementary Scan ------- . uStart Page = hxxp://www.aldi.com/ IE: Alles mit FDM herunterladen - file://c:\programme\Free Download Manager\dlall.htm IE: Auswahl mit FDM herunterladen - file://c:\programme\Free Download Manager\dlselected.htm IE: Datei mit FDM herunterladen - file://c:\programme\Free Download Manager\dllink.htm IE: Videos mit FDM herunterladen - file://c:\programme\Free Download Manager\dlfvideo.htm TCP: {C28582C3-FD0C-4CAC-ADCB-B300F10A1E1D} = 89.246.64.8 62.220.18.8 DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Mozilla\Firefox\Profiles\jklvca32.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.forumophilia.com/forum20.html FF - component: c:\programme\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll FF - plugin: c:\programme\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-03 08:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run CTxfiHlp = CTXFIHLP.EXE? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3118728441-2249847619-4003075874-1006\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) [HKEY_USERS\S-1-5-21-3118728441-2249847619-4003075874-1006\Software\SecuROM\!CAUTION! 
NEVER A OR CHANGE ANY KEY*] "??"=hex:3b,5e,7c,d6,2d,12,be,63,a3,ce,fe,45,dc,ac,60,c0,d1,bf,c4,bb,15,f9,7c, d5,1a,6d,4e,73,b8,21,10,3f,6a,fc,e1,22,12,93,62,75,8b,ec,48,22,67,4f,fe,26,\ "??"=hex:41,e0,42,8c,cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{094B2BCB-5F41-A489-844CA2903E1BF922}\{1B79708C-954D-DA8B-5F143B07D51E051A}\{8065E7BA-FA41-5074-25B3B36277F50BBE}*] "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,81,89,80, 7a,70,cb,dc,67,26,72,9b,6f,34,24,7c,1a,68,37,c3,85,42,b9,d6,a8,55,39,c0,7b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0FE9758D-999D-5364-A982D9FF5B788FED}\{C0BD10EF-72B8-B20F-55BDE04C7FD39C0B}\{292331AE-173A-E499-B30D8FE5870ABBF2}*] "2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93, 38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{156E5059-1974-1C21-234A49AFACAB4059}\{B90FCDFF-5527-F999-5BDD8AB8903FEB58}\{85FE2661-9FF6-1F38-3936C76FCE54F605}*] "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c, a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1D0D1DBE-D81F-D306-5437E45696154CEE}\{BB3F4491-C2FA-99A3-3FB31108844B020A}\{37E50F9E-362C-792E-57F19660836F5A8C}*] "QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8, 65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{238B46B1-DB3F-FF9F-817885D113BABB65}\{C7A1A506-D491-606A-8FAD8C1E4DD81C50}\{5DBD0FCF-797E-7771-3B3D82FCE9F240F9}*] "LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2, 65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29D83109-D499-A3EF-54ABD4209B2D5F0C}\{354D4B2F-7299-D6B0-F9DE68C9556AEC8D}\{1096A586-413B-60D3-8347C002DC18071C}*] "2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93, 
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{66D2B6B0-0AC3-1D5E-AFE4FCFC2DBC1E0D}\{D0054572-6CDD-7E67-D144F5B82EF8A509}\{800AEEDD-FDE9-D9F6-54124DEBF6D799D2}*] "AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d, 44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 "2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93, 38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{75C78964-9FAD-014A-8CC7FBADED2C52DF}\{536ADE09-4683-F194-E6EBF180967FA049}\{3462E639-3971-056E-531C3527F72CD4AF}*] "AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d, 44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{793A0CD2-18B8-B505-D2705730ED7730B5}\{224F5FE7-6AB9-E5AA-092A0B3F1E7E0249}\{E87C09AA-1A97-D30E-8C0D3EFE96A56BA8}*] "QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8, 65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}*] "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c, a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7FA7DB51-4296-4DCE-E915E900AF1A706F}\{6ECD6E35-CD02-B6E7-116E97829ECA1B77}\{2BCFFA55-7302-F76B-60625DCE35F7A6E2}*] "QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8, 65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*] "LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2, 65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866F706E-C193-43C8-FDD122C0F4107633}\{7E887989-0BC7-4BA4-E1547690585F3D70}\{C2DAD515-3BA5-9C52-8BAAB403F8DF78F0}*] "LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a, a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}*] "LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a, a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A8A45CF7-6BE6-B2C1-72491EAB2E9A6B2B}\{B617CAED-A840-2A11-665EBDF0B9E06934}\{20694653-0A9D-BD70-6F24016076B199C3}*] "AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d, 44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFB1E792-937C-2E2C-B503416C70313BBE}\{BD69B123-9CB2-AD51-2CEEB02A3D233088}\{35363435-F6CB-3D47-CEABC35649A0E9E6}*] "DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d, e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF1EE1FE-1932-A99C-B95E9DB4FC5D390D}\{14AB012F-1755-CBB6-E6EC0E63008B2B35}\{6CBF63F5-AF79-823D-FB168B9FCC8939EB}*] "LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a, a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*] "LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2, 65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DA5FD177-5ED9-D129-A0BCADEF3ACDBDBC}\{79EAF540-0E74-317B-4A6E156139C845D3}\{99F2609B-7483-5DDB-3E9DF7E4B6714B5D}*] "LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2, 
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DBE5F6A6-C8E0-8D37-B1C3ECD994E168FF}\{7F7185F9-7F48-A4B8-D3088315D7013D5E}\{124A519E-6019-9B74-2FA3F0240754901A}*] "DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d, e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E24A3BE2-0E58-440D-C5291999CC5C5741}\{9EE83BBD-CDA7-8737-4BFE3ADA0C41BF51}\{12860FBF-70CB-D90A-D9669DC891BE38B3}*] "G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c, a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EA0A4278-51A3-7709-84DDEF02950ADF94}\{11936336-4B9A-79DD-A94F2AD208D83E94}\{0A7B61F5-80AE-3EB6-867F93DE000E0517}*] "DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d, e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EAE54BA3-56A0-7636-9D760FE75B19E95C}\{32AED356-A62E-B541-0C1631C471EC4552}\{622BCC28-1320-8061-75578A77CF92A31A}*] "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,81,89,80, 7a,70,cb,dc,67,26,72,9b,6f,34,24,7c,1a,68,37,c3,85,42,b9,d6,a8,55,39,c0,7b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FE8DBE89-D247-CDA0-331071706D351D5D}\{D7E03019-A44C-9829-6C33C3798CE56E87}\{A96D9761-82B1-07BB-8B5956B67D5931EC}*] "{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,81,89,80, 7a,70,cb,dc,67,26,72,9b,6f,34,24,7c,1a,68,37,c3,85,42,b9,d6,a8,55,39,c0,7b,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(568) c:\programme\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\Ati2evxx.dll . 
Completion time: 2009-06-03 8:55 ComboFix-quarantined-files.txt 2009-06-03 06:54 Pre-Run: 22 Verzeichnis(se), 16.833.511.424 Bytes frei Post-Run: 21 Verzeichnis(se), 17.751.384.064 Bytes frei WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn 262 --- E O F --- 2009-05-15 00:59
What should I do? At the moment I am sitting at the uninfected laptop next to the patient.
03.06.2009, 13:40 | #2 |
TR/Dropper gen
I should add that I sent the file detected by AntiVir to two online analysis services, and only 3 of 20 and 4 of 40 scanners, respectively, identified it as malware. But that alone does not let one call it a false positive, does it?
In the meantime I have the HijackThis report on it: Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:14:13, on 03.06.2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Creative\Shared Files\CTAudSvc.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\Programme\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\Programme\ScanSoft\PaperPort\pptd40nt.exe C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe C:\Programme\Java\jre6\bin\jusched.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\system32\ctfmon.exe C:\Programme\Brother\ControlCenter3\brccMCtl.exe C:\Programme\AnVir Task Manager Free\AnVir.exe C:\Programme\Free Download Manager\fdm.exe C:\Programme\Stardock\Impulse\Now\ImpulseNow.exe C:\Programme\OpenOffice.org 3\program\soffice.exe C:\Programme\OpenOffice.org 3\program\soffice.bin C:\Programme\Brother\Brmfcmon\BrMfcmon.exe C:\Neuer Ordner\HiJackThis.exe C:\Programme\AntiVir PersonalEdition Classic\avscan.exe C:\Programme\Stardock\Impulse\Impulse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aldi.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896 R0 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Free Download Manager\iefdm2.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] "C:\Programme\ScanSoft\PaperPort\pptd40nt.exe" O4 - HKLM\..\Run: [IndexSearch] "C:\Programme\ScanSoft\PaperPort\IndexSearch.exe" O4 - HKLM\..\Run: [PPort11reminder] "C:\Programme\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" O4 - HKLM\..\Run: [BrMfcWnd] C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [ControlCenter3] C:\Programme\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AnVir Task Manager Free] "C:\Programme\AnVir Task Manager Free\AnVir.exe" Minimized O4 - HKCU\..\Run: [Free Download Manager] 
"C:\Programme\Free Download Manager\fdm.exe" -autorun O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: ImpulseNow.lnk = C:\Programme\Stardock\Impulse\Now\ImpulseNow.exe O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe O8 - Extra context menu item: Alles mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlall.htm O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlselected.htm O8 - Extra context menu item: Datei mit FDM herunterladen - file://C:\Programme\Free Download Manager\dllink.htm O8 - Extra context menu item: Videos mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlfvideo.htm O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra button: MedionShop - {8DC086C2-5C5E-4B71-8413-18139AC3D9CF} - hxxp://www.medionshop.de/ (file missing) (HKCU) O14 - IERESET.INF: START_PAGE_URL=hxxp://www.aldi.com O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey 
Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Programme\Creative\Shared Files\CTAudSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe -- End of file - 6611 bytes |
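The two logs above are the kind of material a helper in this forum reads by eye, and the reply the poster is waiting for usually starts with a few mechanical checks: does an autostart or service entry point at a file that no longer exists, does it run from a user-writable Temp directory, is it a bare filename that Windows resolves via the search path, does a service have no publisher, and does a file in system32 carry unusual attributes. The script below is an added example that applies exactly those checks to log lines of the HijackThis (O4/O9/O23) and ComboFix (service and Find3M) formats; it is not a tool from the original thread, the rule set and the reason strings are my own choice, and the sample input is constructed by copying lines from the logs quoted above. Flagging a line means "ask about it", not "it is malicious".

```python
"""Triage helper for HijackThis (O4/O9/O23) and ComboFix (service / Find3M)
log lines.  Added example for this thread; not part of the original post.

Rules applied (all assumptions of this example, not of any forum tool):
  - referenced file is missing: "(no file)", "(file missing)" or "[?]"
  - executable lives under a Temp directory
  - autostart/service command is a bare filename resolved via the search path
  - O23 service entry shows "Unknown owner" (no publisher)
  - Find3M file in system32 carries both the system and hidden attributes
"""
import re

# Constructed sample input: lines copied from the ComboFix and HijackThis
# logs quoted earlier in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"',
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe",
    r"S3 cusbohcn;cusbohcn;\??\c:\dokume~1\Thomas\LOKALE~1\Temp\cusbohcn.sys --> c:\dokume~1\Thomas\LOKALE~1\Temp\cusbohcn.sys [?]",
    r"R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [10.10.2006 13:53 5632]",
    r"2006-05-03 09:06 . 2007-06-13 17:22 163328 --sh--r- c:\windows\system32\flvDX.dll",
    r"2009-05-02 06:22 . 2009-05-02 06:23 410984 ----a-w- c:\windows\system32\deploytk.dll",
]

MISSING_RE = re.compile(r"\(no file\)|\(file missing\)|\[\?\]")
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# HijackThis O4 entry: everything after the "[name]" is the command line.
HJT_RUN_RE = re.compile(r"^O4 - .*?\[[^\]]+\]\s*(.+)$")
# ComboFix service line: "R1 name;display name;path [date size]".
CF_SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.+)$")
# ComboFix Find3M line: 8-character attribute field followed by a drive path.
CF_FILE_RE = re.compile(r"\s([d-][-\w][s-][h-][-\w]{4})\s+([a-z]:\\\S+)", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def _executable(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify(line):
    """Return the triage reasons for one log line (empty list = nothing noted)."""
    reasons = []
    if MISSING_RE.search(line):
        reasons.append("referenced file missing")
    if TEMP_DIR_RE.search(line):
        reasons.append("runs from a Temp directory")
    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        reasons.append("service has no publisher")
    m = HJT_RUN_RE.match(line) or CF_SERVICE_RE.match(line)
    if m and "\\" not in _executable(m.group(1)):
        reasons.append("bare filename resolved via search path")
    m = CF_FILE_RE.search(line)
    if m:
        attrs, path = m.group(1).lower(), m.group(2)
        # attribute field layout: d ? s h a ? r/w ?  (positions 2 and 3 = system, hidden)
        if attrs[2] == "s" and attrs[3] == "h" and SYSTEM32_RE.search(path):
            reasons.append("system+hidden attributes on a system32 file")
    return reasons


def triage(lines):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    findings = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(f"{', '.join(reasons)}\n    {line}")
```

Run against the sample, five of the nine lines come back: the bare `CTXFIHLP.EXE` autostart, the O9 button with `(no file)`, the `ATI Smart` service with no publisher, the `cusbohcn` driver that points into a Temp directory and whose file ComboFix marks `[?]`, and `flvDX.dll` with system and hidden attributes in system32. The Java, SUPERAntiSpyware and `deploytk.dll` lines pass. Each hit is only a prompt to look closer (publisher, signature, hash, creation date); the helper's judgement on what is legitimate for this machine is still needed.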
06.06.2009, 07:00 | #3 |
TR/Dropper gen
Please close. The problem has probably been solved. If not, next time I will stick to the order given in the pinned thread.
Regards, Thomas