| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: TR/Dropper genWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
03.06.2009, 08:36
| #1 |
| |  TR/Dropper gen AntiVir meldete mir heute morgen als erstes damit eine Datei, die ich selten benutze; das letzte mal vor Monaten: TQ Savegame Tool v.3.52 -> Quarantäne. Dann suchte ich danach und fand einiges beunruhigendes bis hin zu "unbedingt System neu aufsetzen". Hier fand ich einen noch offenen thread dazu und habe noch unter Adrenalin schon mal ComboFix laufen lassen: Code:
ATTFilter ComboFix 09-06-01.03 - Thomas 03.06.2009 8:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1031.18.1023.398 [GMT 2:00]
Running from: c:\dokumente und einstellungen\Thomas\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\install.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.
2009-06-01 06:35 . 2009-06-01 06:38 -------- d-----w- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\ChessBase
2009-05-13 12:07 . 2009-05-13 12:07 -------- d-----w- c:\dokumente und einstellungen\Thomas\.netbeans-derby
2009-05-08 16:56 . 2009-02-25 13:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-05-08 13:38 . 2009-05-08 13:38 -------- d-----w- C:\ATI
2009-05-08 11:50 . 2009-05-11 14:39 -------- d-----w- c:\dokumente und einstellungen\Thomas\Lokale Einstellungen\Anwendungsdaten\GaHero
2009-05-07 23:14 . 2009-05-07 23:14 -------- d-----w- c:\programme\JoWood
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-03 06:49 . 2009-03-26 16:40 -------- d-----w- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Free Download Manager
2009-06-03 06:08 . 2008-07-26 16:47 -------- d-----w- c:\programme\TQ Savegame Tool v.3.52
2009-06-03 05:43 . 2007-05-01 17:04 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-03 05:42 . 2007-05-01 17:04 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2009-06-02 20:35 . 2009-03-14 18:27 1 ----a-w- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-19 07:35 . 2007-05-10 17:09 -------- d-----w- c:\programme\Morrowind Enchanted Editor
2009-05-10 20:54 . 2003-09-14 12:35 83800 ----a-w- c:\windows\system32\perfc007.dat
2009-05-10 20:54 . 2003-09-14 12:35 454916 ----a-w- c:\windows\system32\perfh007.dat
2009-05-08 16:55 . 2003-09-14 14:32 -------- d--h--w- c:\programme\InstallShield Installation Information
2009-05-02 06:27 . 2009-05-02 06:24 -------- d-----w- c:\programme\NetBeans 6.5.1
2009-05-02 06:23 . 2009-05-02 06:23 -------- d-----w- c:\programme\Sun
2009-05-02 06:22 . 2009-05-02 06:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-02 06:22 . 2009-05-02 06:19 -------- d-----w- c:\programme\Java
2009-04-30 13:55 . 2008-08-28 16:11 -------- d---a-w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
2009-04-28 19:35 . 2009-04-28 19:35 -------- d-----w- c:\programme\I-Mod Productions
2009-04-15 12:58 . 2007-12-12 18:36 -------- d-----w- c:\programme\X Plugin Manager
2009-04-11 13:19 . 2007-06-10 10:08 -------- d-----w- c:\programme\Windows Grep
2009-04-09 22:01 . 2007-05-01 14:38 26944 ----a-w- c:\dokumente und einstellungen\Thomas\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-03-16 12:18 . 2009-04-16 06:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 12:18 . 2009-04-16 06:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 12:18 . 2009-04-16 06:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 12:18 . 2009-04-16 06:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-03-12 16:59 . 2009-03-12 16:51 65 ----a-w- c:\windows\system32\bd7320.dat
2009-03-12 16:47 . 2009-03-12 16:47 10134 ----a-r- c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Microsoft\Installer\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}\ARPPRODUCTICON.exe
2009-03-09 13:27 . 2009-04-16 06:18 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-03-09 13:27 . 2009-04-16 06:18 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-03-09 13:27 . 2009-04-16 06:18 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-03-06 14:19 . 2003-09-14 12:35 286720 ----a-w- c:\windows\system32\pdh.dll
2006-05-03 09:06 . 2007-06-13 17:22 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-06-13 17:22 31232 --sh--r- c:\windows\system32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AnVir Task Manager Free"="c:\programme\AnVir Task Manager Free\AnVir.exe" [2008-11-13 1544416]
"Free Download Manager"="c:\programme\Free Download Manager\fdm.exe" [2009-01-31 3399727]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-06-29 185896]
"SSBkgdUpdate"="c:\programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\programme\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\programme\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\programme\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\programme\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-05 741376]
"ControlCenter3"="c:\programme\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-05-02 148888]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-07 23552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\Thomas\Startmen\Programme\Autostart\
ImpulseNow.lnk - c:\programme\Stardock\Impulse\Now\ImpulseNow.exe [2009-4-10 323584]
OpenOffice.org 3.0.lnk - c:\programme\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 11:41 294912 ----a-w- c:\programme\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup=c:\windows\pss\Adobe Reader - Schnellstart.lnkCommon Startup
[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^USB Tastatur Kontrollfeld.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\USB Tastatur Kontrollfeld.lnk
backup=c:\windows\pss\USB Tastatur Kontrollfeld.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WANMiniportService"=2 (0x2)
"ose"=3 (0x3)
"LogWatch"=2 (0x2)
"InCDsrv"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"CTAudSvcService"=2 (0x2)
"Creative Audio Engine Licensing Service"=3 (0x3)
"CA_LIC_SRVR"=3 (0x3)
"CA_LIC_CLNT"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"a2free"=2 (0x2)
"a2AntiMalware"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\SPIELE\\Space Empires IV Gold\\Se4.exe"=
"d:\\SPIELE\\civ4\\Civilization4.exe"=
"d:\\SPIELE\\civ4\\Warlords\\Civ4Warlords.exe"=
"d:\\SPIELE\\civ4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"d:\\SPIELE\\GP4\\GP4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\SPIELE\\Privateer\\bin\\soundserver.exe"=
"c:\\Programme\\Free Download Manager\\fdm.exe"=
R1 atitray;atitray;c:\programme\Ray Adams\ATI Tray Tools\atitray.sys [01.06.2008 00:41 17952]
R1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\sasdifsv.sys [10.10.2006 13:53 5632]
R1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [27.02.2007 12:39 32256]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [05.08.2008 22:09 93544]
R2 ACEDRV06;ACEDRV06;c:\windows\system32\drivers\ACEDRV06.sys [08.12.2007 14:45 99840]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [15.01.2009 18:52 2368]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [08.10.2008 02:21 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [08.10.2008 02:21 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [08.10.2008 02:21 72728]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;c:\windows\system32\drivers\PhTVTune.sys [12.06.2003 08:47 24704]
R3 PRISM_A00;PRISM 802.11g Driver;c:\windows\system32\drivers\PRISMA00.sys [10.09.2003 13:22 362688]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe [25.12.2008 11:07 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [08.10.2008 02:21 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [08.10.2008 02:21 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [08.10.2008 02:21 72728]
S3 cusbohcn;cusbohcn;\??\c:\dokume~1\Thomas\LOKALE~1\Temp\cusbohcn.sys --> c:\dokume~1\Thomas\LOKALE~1\Temp\cusbohcn.sys [?]
S3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [16.02.2006 17:51 4096]
S4 CA_LIC_CLNT;CA-Lizenz-Client;c:\programme\CA\SharedComponents\CA_LIC\lic98rmt.exe [20.09.2002 16:27 77824]
S4 CA_LIC_SRVR;CA-Lizenzserver;c:\programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe [20.09.2002 16:41 77824]
S4 LogWatch;Ereignisprotokoll-Überwachung;c:\programme\CA\SharedComponents\CA_LIC\LogWatNT.exe [20.09.2002 16:29 53248]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aldi.com/
IE: Alles mit FDM herunterladen - file://c:\programme\Free Download Manager\dlall.htm
IE: Auswahl mit FDM herunterladen - file://c:\programme\Free Download Manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\Free Download Manager\dllink.htm
IE: Videos mit FDM herunterladen - file://c:\programme\Free Download Manager\dlfvideo.htm
TCP: {C28582C3-FD0C-4CAC-ADCB-B300F10A1E1D} = 89.246.64.8 62.220.18.8
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\dokumente und einstellungen\Thomas\Anwendungsdaten\Mozilla\Firefox\Profiles\jklvca32.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.forumophilia.com/forum20.html
FF - component: c:\programme\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\programme\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-03 08:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3118728441-2249847619-4003075874-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3118728441-2249847619-4003075874-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3b,5e,7c,d6,2d,12,be,63,a3,ce,fe,45,dc,ac,60,c0,d1,bf,c4,bb,15,f9,7c,
d5,1a,6d,4e,73,b8,21,10,3f,6a,fc,e1,22,12,93,62,75,8b,ec,48,22,67,4f,fe,26,\
"??"=hex:41,e0,42,8c,cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{094B2BCB-5F41-A489-844CA2903E1BF922}\{1B79708C-954D-DA8B-5F143B07D51E051A}\{8065E7BA-FA41-5074-25B3B36277F50BBE}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,81,89,80,
7a,70,cb,dc,67,26,72,9b,6f,34,24,7c,1a,68,37,c3,85,42,b9,d6,a8,55,39,c0,7b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0FE9758D-999D-5364-A982D9FF5B788FED}\{C0BD10EF-72B8-B20F-55BDE04C7FD39C0B}\{292331AE-173A-E499-B30D8FE5870ABBF2}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{156E5059-1974-1C21-234A49AFACAB4059}\{B90FCDFF-5527-F999-5BDD8AB8903FEB58}\{85FE2661-9FF6-1F38-3936C76FCE54F605}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1D0D1DBE-D81F-D306-5437E45696154CEE}\{BB3F4491-C2FA-99A3-3FB31108844B020A}\{37E50F9E-362C-792E-57F19660836F5A8C}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{238B46B1-DB3F-FF9F-817885D113BABB65}\{C7A1A506-D491-606A-8FAD8C1E4DD81C50}\{5DBD0FCF-797E-7771-3B3D82FCE9F240F9}*]
"LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29D83109-D499-A3EF-54ABD4209B2D5F0C}\{354D4B2F-7299-D6B0-F9DE68C9556AEC8D}\{1096A586-413B-60D3-8347C002DC18071C}*]
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{66D2B6B0-0AC3-1D5E-AFE4FCFC2DBC1E0D}\{D0054572-6CDD-7E67-D144F5B82EF8A509}\{800AEEDD-FDE9-D9F6-54124DEBF6D799D2}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
"2EQJ2Z3RJDTDB2HBN4IWIN4ITC1"=hex:01,00,01,00,00,00,00,00,50,18,12,ae,1d,3d,93,
38,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{75C78964-9FAD-014A-8CC7FBADED2C52DF}\{536ADE09-4683-F194-E6EBF180967FA049}\{3462E639-3971-056E-531C3527F72CD4AF}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{793A0CD2-18B8-B505-D2705730ED7730B5}\{224F5FE7-6AB9-E5AA-092A0B3F1E7E0249}\{E87C09AA-1A97-D30E-8C0D3EFE96A56BA8}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7CACDF5A-0E2D-A998-38B4B1D490EAE887}\{83892839-8EE2-C547-3E6DBF0265E34072}\{B9A8F094-A05A-7BFC-2DD781993331EE07}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7FA7DB51-4296-4DCE-E915E900AF1A706F}\{6ECD6E35-CD02-B6E7-116E97829ECA1B77}\{2BCFFA55-7302-F76B-60625DCE35F7A6E2}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866E5309-4DE4-EC1D-5303B5015403F078}\{E4D7DA31-B59C-2F42-84703E9617E7637D}\{F8D6A80B-EA06-4220-85CE61582D500BD8}*]
"LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{866F706E-C193-43C8-FDD122C0F4107633}\{7E887989-0BC7-4BA4-E1547690585F3D70}\{C2DAD515-3BA5-9C52-8BAAB403F8DF78F0}*]
"LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a,
a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}*]
"LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a,
a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A8A45CF7-6BE6-B2C1-72491EAB2E9A6B2B}\{B617CAED-A840-2A11-665EBDF0B9E06934}\{20694653-0A9D-BD70-6F24016076B199C3}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFB1E792-937C-2E2C-B503416C70313BBE}\{BD69B123-9CB2-AD51-2CEEB02A3D233088}\{35363435-F6CB-3D47-CEABC35649A0E9E6}*]
"DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d,
e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF1EE1FE-1932-A99C-B95E9DB4FC5D390D}\{14AB012F-1755-CBB6-E6EC0E63008B2B35}\{6CBF63F5-AF79-823D-FB168B9FCC8939EB}*]
"LQP5ZPUUKXNMDKQUSVXO5P66YE1"=hex:01,00,01,00,00,00,00,00,14,69,e6,a8,43,8f,2a,
a0,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C3E67C84-FF81-4ACD-401BD333BA56E9EA}\{F4E9985F-0D7B-FE76-62CD8C76B0126B78}\{BB457FA5-4647-F88E-4919FBC3754B9322}*]
"LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DA5FD177-5ED9-D129-A0BCADEF3ACDBDBC}\{79EAF540-0E74-317B-4A6E156139C845D3}\{99F2609B-7483-5DDB-3E9DF7E4B6714B5D}*]
"LBML3FZBDBDV3BUIEQZJ1CU1HB1"=hex:01,00,01,00,00,00,00,00,46,4e,90,ef,91,22,f2,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DBE5F6A6-C8E0-8D37-B1C3ECD994E168FF}\{7F7185F9-7F48-A4B8-D3088315D7013D5E}\{124A519E-6019-9B74-2FA3F0240754901A}*]
"DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d,
e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E24A3BE2-0E58-440D-C5291999CC5C5741}\{9EE83BBD-CDA7-8737-4BFE3ADA0C41BF51}\{12860FBF-70CB-D90A-D9669DC891BE38B3}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EA0A4278-51A3-7709-84DDEF02950ADF94}\{11936336-4B9A-79DD-A94F2AD208D83E94}\{0A7B61F5-80AE-3EB6-867F93DE000E0517}*]
"DIUMUTVOZPCSSGX5CJY2KLBAVE1"=hex:01,00,01,00,00,00,00,00,64,6d,b1,e3,87,75,1d,
e5,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EAE54BA3-56A0-7636-9D760FE75B19E95C}\{32AED356-A62E-B541-0C1631C471EC4552}\{622BCC28-1320-8061-75578A77CF92A31A}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,81,89,80,
7a,70,cb,dc,67,26,72,9b,6f,34,24,7c,1a,68,37,c3,85,42,b9,d6,a8,55,39,c0,7b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FE8DBE89-D247-CDA0-331071706D351D5D}\{D7E03019-A44C-9829-6C33C3798CE56E87}\{A96D9761-82B1-07BB-8B5956B67D5931EC}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,81,89,80,
7a,70,cb,dc,67,26,72,9b,6f,34,24,7c,1a,68,37,c3,85,42,b9,d6,a8,55,39,c0,7b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\programme\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-03 8:55
ComboFix-quarantined-files.txt 2009-06-03 06:54
Pre-Run: 22 Verzeichnis(se), 16.833.511.424 Bytes frei
Post-Run: 21 Verzeichnis(se), 17.751.384.064 Bytes frei
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
262 --- E O F --- 2009-05-15 00:59
Was soll ich tun? Im Moment sitze ich am nicht infizierten Laptop neben dem Patienten. |
|
03.06.2009, 13:40
| #2 |
| | TR/Dropper gen Ich sollte hinzufügen, ich habe die von AntiVir erkannte Datei an 2 online-Auswertungen geschickt und es wurde nur in 3 von 20 bzw. 4 von 40 Scannern als malware erkannt. Aber dadurch kann man ja noch nicht von Fehlalarm sprechen, oder?
__________________Inzwischen habe ich den HijackThis Report dazu: Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:14:13, on 03.06.2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Creative\Shared Files\CTAudSvc.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\Programme\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\Programme\ScanSoft\PaperPort\pptd40nt.exe C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe C:\Programme\Java\jre6\bin\jusched.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\system32\ctfmon.exe C:\Programme\Brother\ControlCenter3\brccMCtl.exe C:\Programme\AnVir Task Manager Free\AnVir.exe C:\Programme\Free Download Manager\fdm.exe C:\Programme\Stardock\Impulse\Now\ImpulseNow.exe C:\Programme\OpenOffice.org 3\program\soffice.exe C:\Programme\OpenOffice.org 3\program\soffice.bin C:\Programme\Brother\Brmfcmon\BrMfcmon.exe C:\Neuer Ordner\HiJackThis.exe C:\Programme\AntiVir PersonalEdition Classic\avscan.exe C:\Programme\Stardock\Impulse\Impulse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.aldi.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programme\Free Download Manager\iefdm2.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] "C:\Programme\ScanSoft\PaperPort\pptd40nt.exe" O4 - HKLM\..\Run: [IndexSearch] "C:\Programme\ScanSoft\PaperPort\IndexSearch.exe" O4 - HKLM\..\Run: [PPort11reminder] "C:\Programme\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" O4 - HKLM\..\Run: [BrMfcWnd] C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [ControlCenter3] C:\Programme\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AnVir Task Manager Free] "C:\Programme\AnVir Task Manager Free\AnVir.exe" Minimized O4 - HKCU\..\Run: [Free Download Manager] "C:\Programme\Free Download Manager\fdm.exe" -autorun O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: ImpulseNow.lnk = C:\Programme\Stardock\Impulse\Now\ImpulseNow.exe O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe O8 - Extra context menu item: Alles mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlall.htm O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlselected.htm O8 - Extra context menu item: Datei mit FDM herunterladen - file://C:\Programme\Free Download Manager\dllink.htm O8 - Extra context menu item: Videos mit FDM herunterladen - file://C:\Programme\Free Download Manager\dlfvideo.htm O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra button: MedionShop - {8DC086C2-5C5E-4B71-8413-18139AC3D9CF} - hxxp://www.medionshop.de/ (file missing) (HKCU) O14 - IERESET.INF: START_PAGE_URL=hxxp://www.aldi.com O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Programme\Creative\Shared Files\CTAudSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe -- End of file - 6611 bytes |
|
06.06.2009, 07:00
| #3 |
| | TR/Dropper gen Bitte schließen. Das Problem ist vermutlich gelöst. Falls doch nicht, halte ich mich beim nächsten mal an die Reihenfolge im gepinnten thread.
__________________MfG, Thomas |
|
| Themen zu TR/Dropper gen |
| adobe, anfang, antivir, anvir, avira, combofix, controlcenter, desktop, einstellungen, explorer, firefox, free download, home, infizierte, installation, jusched.exe, logon.exe, mozilla, neu aufsetzen, nt.exe, opera, programme, registry, scan, software, superantispyware, system, system neu, system neu aufsetzen, taskmanager, tastatur, thomas, usb, windows, windows recovery, windows xp, winlogon.exe |
Linear-Darstellung
