Log analysis and evaluation: Logfiles gemacht, was jetzt?? (Made the logfiles, what now??)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so our experts can evaluate them. Before viruses and trojans can be removed, the infected system first has to be examined: first steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

17.07.2009, 18:50 #1
Logfiles gemacht, was jetzt??

Oi.. First of all.. I'm not a computer pro or anything.. so sorry in advance if I'm being dumb. Since this morning I have been getting a "RUNDLL something" error message on every reboot. On top of that, a thousand warnings from AntiVir (WORM/Palevo.hka, TR/Spy.Gen, and co.). Then I ended up here, ran CCleaner and did a malware scan; after the reboot the RUNDLL message was gone, but the little error windows that only said "starting" were still there, and the AntiVir messages too, of course.. Here are my logfiles:

Malwarebytes' Anti-Malware 1.39
Database version: 2451
Windows 5.1.2600 Service Pack 3

17.07.2009 19:21:07
mbam-log-2009-07-17 (19-21-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 240470
Time elapsed: 1 hour(s), 52 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 16
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.48349.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Dokumente und Einstellungen\Yubisaki.GRAPEFRUIT\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
c:\uudoam.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\all users.windows\anwendungsdaten\antispyinfo\ghaf8jkdfd.dll.q_Quarantine_8043A98_q (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\localservice.nt-autorität\lokale einstellungen\temporary internet files\Content.IE5\SHABGL2Z\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\Yubisaki\eigene dateien\Keygen.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\Yubisaki\eigene dateien\bruf\ResHack\system32\dllcache\dmload.sys (Trojan.Spambot) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\Yubisaki\eigene dateien\bruf\ResHack\system32\drivers\dmload.sys (Trojan.Spambot) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\yubisaki.grapefruit\Desktop\Desktop\keygen_photoshop_cs3\keygen photoshop cs3\activator\activator.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\yubisaki.grapefruit\eigene dateien\alt\Keygen.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\yubisaki.grapefruit\lokale einstellungen\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\yubisaki.grapefruit\lokale einstellungen\Temp\nfujtyid56iey4hh244.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\dokumente und einstellungen\yubisaki.grapefruit\lokale einstellungen\Temp\install.48349.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP40\A0008007.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP43\A0008194.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP43\A0008196.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP43\A0008197.tlb (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP43\A0008198.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP43\A0008199.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP43\A0008200.ocx (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bc5f1db8-0869-499e-aac0-a3e2fdf353a0}\RP43\A0008201.OCX (Worm.Nyxem) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mobsyn.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sopidkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\usbwte.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN3.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39:19, on 17.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\GEMEIN~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
C:\Programme\DNA\btdna.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Programme\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programme\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\GEMEIN~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Programme\DNA\btdna.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Logitech . Produktregistrierung.lnk = C:\Programme\Logitech\QuickCam\eReg.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Logitech . Produktregistrierung.lnk = C:\Programme\Logitech\QuickCam\eReg.exe (User 'Default user')
O4 - Startup: Logitech . Produktregistrierung.lnk = C:\Programme\Logitech\QuickCam\eReg.exe
O8 - Extra context menu item: An vorhandenes PDF anfügen - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\DOKUME~1\YUBISA~1.GRA\LOKALE~1\Temp\29199390160mmx.dll
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - (no file)
O23 - Service: Adobe Version Cue CS3 {de_DE} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 7741 bytes

If someone can now tell me what I should do, I'd be really grateful =/
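The entries in the two logs above that matter for triage are the persistence mechanisms: the Winlogon\Userinit value that had C:\WINDOWS\system32\drivers\smss.exe appended to it, the O20 AppInit_DLLs entry pointing at a DLL in the user's Temp folder, the orphaned O22 SharedTaskScheduler CLSID, and a services.exe that MBAM found under C:\WINDOWS\Fonts. The Python script below is an added example, not part of the thread and not code from Malwarebytes, HijackThis or the forum: it applies simple rules of that kind to HijackThis-style O4/O20/O22 lines and to a Winlogon\Userinit value. The rule set, the SYSTEM_NAMES list, the function names and the SAMPLE_LOG lines (copied from or constructed after the posted logs) are assumptions of this example, not part of any tool.

```python
"""Triage of HijackThis-style persistence entries (added example).

Not code from the thread, Malwarebytes or HijackThis. The rules, names
and sample lines are assumptions of this example, chosen to match what
the posted logs show:
  - O4 Run entries whose image reuses a Windows system binary name but
    lives outside system32 (C:\\WINDOWS\\Fonts\\services.exe), or runs
    from a Temp folder
  - O20 AppInit_DLLs (loaded into every user32-linked process), here a
    DLL in the user's Temp folder
  - O22 SharedTaskScheduler CLSIDs whose file is gone (remnant)
  - Winlogon\\Userinit values carrying anything besides userinit.exe
"""
import re
from dataclasses import dataclass

# Binary names malware in this log reuses; assumption, not exhaustive.
SYSTEM_NAMES = {"ctfmon.exe", "services.exe", "smss.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "explorer.exe", "userinit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

# Sample input: lines copied from, or constructed after, the posted logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKLM\..\Run: [services] C:\WINDOWS\Fonts\services.exe
O20 - AppInit_DLLs: C:\DOKUME~1\YUBISA~1.GRA\LOKALE~1\Temp\29199390160mmx.dll
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - (no file)
"""

_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<value>\S.*)$")
_O22 = re.compile(r"^O22 - SharedTaskScheduler: .* - \(no file\)$")
_USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")
_EXE = re.compile(r"^(.*?\.(?:exe|dll|sys|scr|com|bat|cmd))\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def image_path(cmd):
    """Extract the image path from an O4 command line (quoted or bare)."""
    cmd = _USER_SUFFIX.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def check_userinit(value):
    """Return the entries of a Winlogon\\Userinit value other than the stock
    userinit.exe. The clean value is 'C:\\WINDOWS\\system32\\userinit.exe,'
    (trailing comma included); anything extra is loaded at every logon."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        base = entry.lower().rsplit("\\", 1)[-1]
        if base == "userinit.exe" and ("\\" not in entry or entry.lower().startswith(SYSTEM32)):
            continue
        extras.append(entry)
    return extras


def triage(log_text):
    """Score HijackThis O4/O20/O22 lines; returns Findings in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := _O4.match(line):
            low = image_path(m.group("cmd")).lower()
            base = low.rsplit("\\", 1)[-1]
            if any(t in low for t in TEMP_MARKERS):
                findings.append(Finding(line, "autorun from a temporary folder"))
            elif base in SYSTEM_NAMES and "\\" in low and not low.startswith(SYSTEM32):
                findings.append(Finding(line, f"{base} runs from outside system32"))
        elif m := _O20.match(line):
            where = "Temp-folder " if any(t in m.group("value").lower() for t in TEMP_MARKERS) else ""
            findings.append(Finding(line, f"AppInit_DLLs set to a {where}DLL: injected into every GUI process"))
        elif _O22.match(line):
            findings.append(Finding(line, "SharedTaskScheduler CLSID with no backing file (remnant)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print(check_userinit(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe"))
```

The two Avira and CTFMON lines pass because their images sit in their expected locations; the remaining three are the entries a helper would ask the poster to fix, and the Userinit check reproduces what MBAM reported as "Bad:" versus "Good:". On a live machine the same value can be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with reg query, and a clean Windows XP box has nothing in AppInit_DLLs at all.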
17.07.2009, 19:02 #2

Logfiles gemacht, was jetzt??

Quote:

After that, go here: http://www.trojaner-board.de/446942-post3.html
And after that, here: http://www.trojaner-board.de/51262-a...sicherung.html

Well, with the keygen for CS3, an Adobe Master Collection, you've broken your own neck!