Pests of all kinds and their removal: Problem with a Trojan b.exe and mas.exe (Windows 7)
30.07.2009, 14:06 | #1
Hello, since yesterday I have had a Trojan on my computer. It started with pop-ups in the internet browser. By now my AntiVir keeps going off and says that a Trojan is in mas.exe. I then read up a bit and read that I should end the mas.exe process in Task Manager, and did so. I had a few minutes of peace and thought the problem was solved. A little later it starts again, AntiVir goes off, and this time for b.exe. Opened Task Manager again and ended the process, but now AntiVir goes off for mas.exe again. It would be really nice if someone could help me, and please explain it well, because I'm a layman in this area.
PS: My AntiVir says: Trojan detected mas.exe fakealert
30.07.2009, 14:29 | #2
Selecta Jahrusso | A cleanup can mean a lot of work for you.
Note: I can never give you a guarantee that I will find everything. A format is usually the faster and always the safest way. If you decide on a cleanup, please work through the following.
Please post all logfiles in code tags. Click Reply --> # then [code]text[/code]. This is what it should look like here after replying:
Code:
your logfile

Step 1
Please run Malwarebytes according to the instructions.

Step 2
30.07.2009, 16:22 | #3
Malwarebytes report:
Code:
Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2529
Windows 5.1.2600 Service Pack 3

30.07.2009 17:13:55
mbam-log-2009-07-30 (17-13-55).txt

Scan-Methode: Vollständiger Scan (C:\|E:\|F:\|Z:\|)
Durchsuchte Objekte: 187281
Laufzeit: 1 hour(s), 21 minute(s), 54 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 9
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\dokumente und einstellungen\Jann\lokale einstellungen\anwendungsdaten\Mozilla\Firefox\Profiles\pdtqtvn6.default\Cache\5558608Cd01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Code:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Jann at 2009-07-30 17:16:33

Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 66 GB (61%) free of 108 GB
Total RAM: 2047 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16:33, on 30.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programme\Teamspeak2_RC2\TeamSpeak.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Jann\Desktop\RSIT.exe
C:\Programme\trend micro\Jann.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [ Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231193178781
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 4890 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\Norton Security Scan for Jann.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe [2009-07-13 414992]
" Malwarebytes Anti-Malware (reboot)"=C:\Programme\Malwarebytes' Anti-Malware\mbam.exe [2009-07-13 1287440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ"=C:\Programme\ICQ6.5\ICQ.exe [2009-03-01 172792]
"NordBull"=C:\WINDOWS\msa.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-06-27 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\ICQ6.5\ICQ.exe"="C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\World of Warcraft\Launcher.exe"="C:\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe"="C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Programme\Xfire\Xfire.exe"="C:\Programme\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Programme\Java\jre6\bin\java.exe"="C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe"="E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"E:\Programme\THQ\Titan Quest\Titan Quest.exe"="E:\Programme\THQ\Titan Quest\Titan Quest.exe:*:Enabled:Titan Quest"
"E:\Steam\steamapps\jann100\counter-strike source\hl2.exe"="E:\Steam\steamapps\jann100\counter-strike source\hl2.exe:*:Enabled:hl2"
"E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe"="E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe:*:Enabled:Battlefield 2"
"E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"="E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"
"E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV"
"E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars(TM)"
"E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:*:Enabled:etqwded.exe"
"C:\Programme\Pando Networks\Media Booster\PMB.exe"="C:\Programme\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"
"E:\Steam\Steam.exe"="E:\Steam\Steam.exe:*:Enabled:Steam"
"C:\World of Warcraft\BackgroundDownloader.exe"="C:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"E:\Programme\uTorrent\uTorrent.exe"="E:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5508c63d-3bd4-11de-aad1-001109c0e01c}]
shell\AutoRun\command - F:\laucher.exe
shell\shell1\command - F:\laucher.exe

======List of files/folders created in the last 1 months======

2009-07-30 17:14:59 ----D---- C:\Programme\trend micro
2009-07-30 17:14:58 ----D---- C:\rsit
2009-07-30 17:14:21 ----A---- C:\WINDOWS\system32\sguoirh.txt
2009-07-30 15:49:33 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Malwarebytes
2009-07-30 15:49:22 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-07-30 15:49:21 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2009-07-30 14:20:27 ----D---- C:\Programme\a-squared Free
2009-07-29 16:18:08 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Publish Providers
2009-07-29 16:17:53 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Sony
2009-07-29 16:11:21 ----D---- C:\Programme\Vstplugins
2009-07-29 16:11:11 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony
2009-07-29 16:10:56 ----D---- C:\Programme\Sony
2009-07-29 16:10:36 ----D---- C:\Programme\Sony Setup
2009-07-29 15:47:35 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\uTorrent
2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\espionServerData
2009-07-20 22:55:36 ----A---- C:\AdobeDebug.txt
2009-07-16 18:07:35 ----A---- C:\WINDOWS\system32\TUProgSt.exe
2009-07-16 18:07:34 ----A---- C:\WINDOWS\system32\uxtuneup.dll
2009-07-16 18:07:33 ----A---- C:\WINDOWS\system32\TuneUpDefragService.exe
2009-07-16 18:07:32 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\TuneUp Software
2009-07-16 18:06:46 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software
2009-07-16 18:06:43 ----D---- C:\Programme\TuneUp Utilities 2009
2009-07-16 18:05:48 ----SHD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{55A29068-F2CE-456C-9148-C869879E2357}
2009-07-14 20:49:44 ----D---- C:\Cache
2009-07-09 15:03:07 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\skypePM
2009-07-09 14:31:25 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Skype
2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien\Skype
2009-07-09 14:30:54 ----RD---- C:\Programme\Skype
2009-07-09 14:30:45 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2009-07-09 13:25:24 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\vlc

======List of files/folders modified in the last 1 months======

2009-07-30 17:14:59 ----RD---- C:\Programme
2009-07-30 17:14:21 ----D---- C:\WINDOWS\system32\drivers
2009-07-30 17:14:21 ----D---- C:\WINDOWS\system32
2009-07-30 17:13:55 ----SD---- C:\WINDOWS\Tasks
2009-07-30 15:49:27 ----D---- C:\WINDOWS\Prefetch
2009-07-30 15:46:44 ----D---- C:\WINDOWS\Temp
2009-07-30 15:46:30 ----D---- C:\Programme\Mozilla Firefox
2009-07-30 15:12:03 ----D---- C:\WINDOWS
2009-07-30 15:08:38 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\teamspeak2
2009-07-30 13:53:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-07-30 01:08:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-07-29 18:00:04 ----D---- C:\Programme\Norton Security Scan
2009-07-29 16:11:47 ----SHD---- C:\WINDOWS\Installer
2009-07-29 16:11:42 ----SHD---- C:\Config.Msi
2009-07-29 16:08:24 ----HD---- C:\Programme\InstallShield Installation Information
2009-07-23 22:51:13 ----D---- C:\WINDOWS\Minidump
2009-07-22 12:33:03 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-20 22:55:37 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe
2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Adobe
2009-07-20 22:48:45 ----A---- C:\WINDOWS\win.ini
2009-07-19 18:01:44 ----D---- C:\Programme\Gemeinsame Dateien\Symantec Shared
2009-07-16 21:26:24 ----D---- C:\World of Warcraft
2009-07-16 18:07:36 ----D---- C:\WINDOWS\system32\config
2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien
2009-07-07 13:03:31 ----D---- C:\Programme\Gemeinsame Dateien\Blizzard Entertainment
2009-07-04 18:31:46 ----D---- C:\Programme\EA GAMES

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 43520]
R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-05-27 75096]
R1 kbdhid;Tastatur-HID-Treiber; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248]
R2 ithsgt;ithsgt; C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2009-05-18 162432]
R2 lilsgt;lilsgt; C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2009-05-18 12032]
R2 tifsfilter;Acronis TrueImage FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2007-08-10 28768]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-12-04 4025984]
R3 Arp1394;1394-ARP-Clientprotokoll; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-06-27 2303488]
R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 hidusb;Microsoft HID Class-Treiber; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Maus-HID-Treiber; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12288]
R3 NIC1394;1394-Netzwerktreiber; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2004-05-17 33280]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2004-05-17 12928]
R3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Miniporttreiber für Microsoft USB Open Host-Controller; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 ahm26h75;ahm26h75; C:\WINDOWS\system32\drivers\ahm26h75.sys []
S3 BthEnum;Bluetooth-Auflistungsdienst; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BthPan;Bluetooth-Gerät (PAN); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth-Porttreiber; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-04-14 273920]
S3 BTHUSB;USB-Treiber für Bluetooth-Funkgerät; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-05-27 25280]
S3 M2500;802.11g Wireless Network Driver; C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-06-24 191360]
S3 npkcusb;npkcusb; \??\E:\Programme\RebirthRO\npkcusb.sys []
S3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 a2free;a-squared Free Service; C:\Programme\a-squared Free\a2service.exe [2009-07-13 719392]
R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe [2007-08-10 151552]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-06-27 483328]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-07-16 604416]
R2 UxTuneUp;TuneUp Designerweiterung; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-06-29 520192]
S3 aspnet_state;ASP.NET-Zustandsdienst; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-07-16 361216]
S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

Code:
Not available

Last edited by Kelethine (30.07.2009 at 17:03)
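As an added example (not code from this thread, nor from RSIT or HijackThis), a small Python triage pass over the autostart lines of the log above. It flags the leftover HKCU Run value NordBull -> C:\WINDOWS\msa.exe (an .exe in the Windows root for which RSIT recorded no file data) and the AutoRun handler stored for the removable drive F:; the sample lines are copied from the posted log, while the checks, the severity rule and all function names are my own assumptions.

```python
"""Triage autostart entries in a HijackThis/RSIT log (added example, not from the thread)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a few lines copied from the RSIT/HijackThis log posted
# above, enough to exercise every check below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ"=C:\Programme\ICQ6.5\ICQ.exe [2009-03-01 172792]
"NordBull"=C:\WINDOWS\msa.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5508c63d-3bd4-11de-aad1-001109c0e01c}]
shell\AutoRun\command - F:\laucher.exe
shell\shell1\command - F:\laucher.exe
"""

# HijackThis O4 line: hive, Run/RunOnce key, value name, command line.
O4_RE = re.compile(r'^O4 - (HK\S+?)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$')
# RSIT registry-dump value: "name"=path [YYYY-MM-DD size]; the brackets are
# empty when RSIT could not stat the target file.
RSIT_VALUE_RE = re.compile(r'^"(.*?)"=(.*?) \[(.*?)\]$')
# RSIT mountpoints2 entry: AutoRun handler stored for a removable drive.
AUTORUN_RE = re.compile(r'^shell\\AutoRun\\command - (.*)$', re.IGNORECASE)
# An .exe sitting directly in the Windows directory, not in a subfolder.
WINDIR_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.IGNORECASE)


def exe_from_command(command: str) -> str:
    """Return the executable path of an autorun command, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r'(.*?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ')[0]


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each autostart entry that tripped a check to the list of reasons."""
    findings: dict[str, list[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            hive, key, name, command = m.groups()
            exe = exe_from_command(command)
            if WINDIR_ROOT_RE.match(exe):
                findings[name].append(f"{hive} {key}: launches an .exe straight from the Windows root ({exe})")
        elif m := RSIT_VALUE_RE.match(line):
            name, path, meta = m.groups()
            if not meta:
                findings[name].append(f"RSIT recorded no timestamp/size for {path} (file missing or not resolvable)")
        elif m := AUTORUN_RE.match(line):
            findings[m.group(1)].append("AutoRun handler registered for a removable drive (mountpoints2)")
    return dict(findings)


def verdict(reasons: list[str]) -> str:
    """Two independent signals make an entry suspicious; one alone only earns a second look.
    The empty-bracket check also fires on the benign KernelFaultCheck value (its data carries
    arguments, so RSIT could not stat it), which is why a single signal is not a verdict."""
    return "suspicious" if len(reasons) >= 2 else "review"


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(f"[{verdict(reasons)}] {entry}")
        for reason in reasons:
            print("   -", reason)
```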
30.07.2009, 20:06 | #4
Selecta Jahrusso |
Code:
30.07.2009 17:13:55
mbam-log-2009-07-30 (17-13-55).txt

Scan-Methode: Vollständiger Scan (C:\|E:\|F:\|Z:\|)
Durchsuchte Objekte: 187281
Laufzeit: 1 hour(s), 21 minute(s), 54 second(s)

Logfile of random's system information tool 1.06 (written by random/random)
Run by Jann at 2009-07-30 17:16:33

Microsoft Windows XP Home Edition Service Pack 3

Quote:
Step 1
Delete log.txt and info.txt under C:\RSIT\, double-click RSIT.exe, and post both logfiles.
Regards, Daniel
30.07.2009, 22:11 | #5
Log:
Code:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Jann at 2009-07-30 23:09:35

Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 66 GB (61%) free of 108 GB
Total RAM: 2047 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:09:44, on 30.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\ICQ6.5\ICQ.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Teamspeak2_RC2\TeamSpeak.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Jann\Desktop\RSIT.exe
C:\Programme\trend micro\Jann.exe
C:\Programme\Skype\Toolbars\Shared\SkypeNames.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231193178781
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 4639 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\Norton Security Scan for Jann.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ"=C:\Programme\ICQ6.5\ICQ.exe [2009-03-01 172792]
"NordBull"=C:\WINDOWS\msa.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-06-27 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programme\ICQ6.5\ICQ.exe"="C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\World of Warcraft\Launcher.exe"="C:\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe"="C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Programme\Xfire\Xfire.exe"="C:\Programme\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Programme\Java\jre6\bin\java.exe"="C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe"="E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"E:\Programme\THQ\Titan Quest\Titan Quest.exe"="E:\Programme\THQ\Titan Quest\Titan Quest.exe:*:Enabled:Titan Quest"
"E:\Steam\steamapps\jann100\counter-strike source\hl2.exe"="E:\Steam\steamapps\jann100\counter-strike source\hl2.exe:*:Enabled:hl2"
"E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe"="E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe:*:Enabled:Battlefield 2"
"E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"="E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"
"E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV"
"E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars(TM)"
"E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:*:Enabled:etqwded.exe"
"C:\Programme\Pando Networks\Media Booster\PMB.exe"="C:\Programme\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"
"E:\Steam\Steam.exe"="E:\Steam\Steam.exe:*:Enabled:Steam"
"C:\World of Warcraft\BackgroundDownloader.exe"="C:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"E:\Programme\uTorrent\uTorrent.exe"="E:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5508c63d-3bd4-11de-aad1-001109c0e01c}]
shell\AutoRun\command - 
F:\laucher.exe shell\shell1\command - F:\laucher.exe ======List of files/folders created in the last 1 months====== 2009-07-30 17:14:59 ----D---- C:\Programme\trend micro 2009-07-30 17:14:58 ----D---- C:\rsit 2009-07-30 15:49:33 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Malwarebytes 2009-07-30 15:49:22 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes 2009-07-30 15:49:21 ----D---- C:\Programme\Malwarebytes' Anti-Malware 2009-07-30 14:20:27 ----D---- C:\Programme\a-squared Free 2009-07-29 16:18:08 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Publish Providers 2009-07-29 16:17:53 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Sony 2009-07-29 16:11:21 ----D---- C:\Programme\Vstplugins 2009-07-29 16:11:11 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony 2009-07-29 16:10:56 ----D---- C:\Programme\Sony 2009-07-29 16:10:36 ----D---- C:\Programme\Sony Setup 2009-07-29 15:47:35 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\uTorrent 2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\espionServerData 2009-07-20 22:55:36 ----A---- C:\AdobeDebug.txt 2009-07-16 18:07:35 ----A---- C:\WINDOWS\system32\TUProgSt.exe 2009-07-16 18:07:34 ----A---- C:\WINDOWS\system32\uxtuneup.dll 2009-07-16 18:07:33 ----A---- C:\WINDOWS\system32\TuneUpDefragService.exe 2009-07-16 18:07:32 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\TuneUp Software 2009-07-16 18:06:46 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software 2009-07-16 18:06:43 ----D---- C:\Programme\TuneUp Utilities 2009 2009-07-16 18:05:48 ----SHD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{55A29068-F2CE-456C-9148-C869879E2357} 2009-07-14 20:49:44 ----D---- C:\Cache 2009-07-09 15:03:07 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\skypePM 2009-07-09 14:31:25 ----D---- C:\Dokumente und 
Einstellungen\Jann\Anwendungsdaten\Skype 2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien\Skype 2009-07-09 14:30:54 ----RD---- C:\Programme\Skype 2009-07-09 14:30:45 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype 2009-07-09 13:25:24 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\vlc ======List of files/folders modified in the last 1 months====== 2009-07-30 21:49:58 ----D---- C:\Programme\Mozilla Firefox 2009-07-30 19:17:21 ----D---- C:\WINDOWS\Temp 2009-07-30 19:16:17 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-07-30 17:19:55 ----D---- C:\WINDOWS\system32\drivers 2009-07-30 17:19:55 ----D---- C:\WINDOWS\system32 2009-07-30 17:14:59 ----RD---- C:\Programme 2009-07-30 17:13:55 ----SD---- C:\WINDOWS\Tasks 2009-07-30 15:49:27 ----D---- C:\WINDOWS\Prefetch 2009-07-30 15:12:03 ----D---- C:\WINDOWS 2009-07-30 15:08:38 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\teamspeak2 2009-07-30 13:53:03 ----D---- C:\WINDOWS\system32\CatRoot2 2009-07-29 18:00:04 ----D---- C:\Programme\Norton Security Scan 2009-07-29 16:11:47 ----SHD---- C:\WINDOWS\Installer 2009-07-29 16:11:42 ----SHD---- C:\Config.Msi 2009-07-29 16:08:24 ----HD---- C:\Programme\InstallShield Installation Information 2009-07-23 22:51:13 ----D---- C:\WINDOWS\Minidump 2009-07-22 12:33:03 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2009-07-20 22:55:37 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe 2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Adobe 2009-07-20 22:48:45 ----A---- C:\WINDOWS\win.ini 2009-07-19 18:01:44 ----D---- C:\Programme\Gemeinsame Dateien\Symantec Shared 2009-07-16 21:26:24 ----D---- C:\World of Warcraft 2009-07-16 18:07:36 ----D---- C:\WINDOWS\system32\config 2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien 2009-07-07 13:03:31 ----D---- C:\Programme\Gemeinsame Dateien\Blizzard Entertainment 2009-07-04 18:31:46 ----D---- C:\Programme\EA GAMES ======List of 
drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 AmdK8;AMD-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 43520] R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys [] R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-05-27 75096] R1 kbdhid;Tastatur-HID-Treiber; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720] R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228] R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248] R2 ithsgt;ithsgt; C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2009-05-18 162432] R2 lilsgt;lilsgt; C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2009-05-18 12032] R2 tifsfilter;Acronis TrueImage FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2007-08-10 28768] R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-12-04 4025984] R3 Arp1394;1394-ARP-Clientprotokoll; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800] R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-06-27 2303488] R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys [] R3 hidusb;Microsoft HID Class-Treiber; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368] R3 mouhid;Maus-HID-Treiber; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12288] R3 NIC1394;1394-Netzwerktreiber; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824] R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2004-05-17 33280] R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2004-05-17 12928] R3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128] R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208] R3 usbhub;USB2-aktivierter Hub; 
C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 usbohci;Miniporttreiber für Microsoft USB Open Host-Controller; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152] S3 avrxubcq;avrxubcq; C:\WINDOWS\system32\drivers\avrxubcq.sys [] S3 BthEnum;Bluetooth-Auflistungsdienst; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024] S3 BthPan;Bluetooth-Gerät (PAN); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120] S3 BTHPORT;Bluetooth-Porttreiber; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-04-14 273920] S3 BTHUSB;USB-Treiber für Bluetooth-Funkgerät; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944] S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS [] S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-05-27 25280] S3 M2500;802.11g Wireless Network Driver; C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-06-24 191360] S3 npkcusb;npkcusb; \??\E:\Programme\RebirthRO\npkcusb.sys [] S3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136] S3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 a2free;a-squared Free Service; C:\Programme\a-squared Free\a2service.exe [2009-07-13 719392] R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe [2007-08-10 151552] R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400] R2 AntiVirScheduler;Avira 
AntiVir Personal - Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865] R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297] R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-06-27 483328] R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] R2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2009-03-09 152984] R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-07-16 604416] R2 UxTuneUp;TuneUp Designerweiterung; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336] S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-06-29 520192] S3 aspnet_state;ASP.NET-Zustandsdienst; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864] S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728] S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376] S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-07-16 361216] S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; 
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880] -----------------EOF----------------- |
30.07.2009, 22:12 | #6 |
| Problem with a Trojan b.exe and mas.exe
Info:
Code:
info.txt logfile of random's system information tool 1.06 2009-07-30 23:09:47

======Uninstall list======

-->MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis True Image-->C:\Programme\Acronis\TrueImage\MediaBuilder.exe -uninstall
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.1-->MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Photoshop Elements 5.0-->msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Reader 6.0 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-000000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
a-squared Free 4.5-->"C:\Programme\a-squared Free\unins000.exe"
ATI - Software Uninstall Utility-->C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.3.7 (Unicode)-->"C:\Programme\Audacity 1.3 Beta (Unicode)\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Battlefield 2142-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x7 -removeonly
Counter-Strike-->"E:\Steam\steam.exe" steam://uninstall/10
Dark Messiah Might and Magic Single Player-->"E:\Steam\steam.exe" steam://uninstall/2100
Die Sims 2: Open For Business-->C:\Programme\EA GAMES\Die Sims 2 Open For Business\EAUninstall.exe
Die Sims 2: Wilde Campus-Jahre-->E:\Campus\EAUninstall.exe
Die Sims 2-->C:\Programme\EA GAMES\Die Sims 2\EAUninstall.exe
Die Sims™ 2 Haustiere-->E:\Programme\Tiere\EAUninstall.exe
Enemy Territory - QUAKE Wars(TM)-->C:\Programme\InstallShield Installation Information\{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}\setup.exe -runfromtemp -l0x0407
Fahrenheit-->MsiExec.exe /I{BA10AC78-E687-4523-8B93-540428FC256F}
Fiesta-->"C:\Programme\InstallShield Installation Information\{E127B28D-1A2A-45C4-A74E-C817E0A74E3E}\setup.exe" -runfromtemp -l0x0009 -removeonly
Forsaken Ragnarok Online All-In-One-->E:\Program Files\ForsakenRO\Uninstall.exe
Free YouTube to Mp3 Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
FULL CLIENT-->"C:\WINDOWS\FULL CLIENT\uninstall.exe" "/U:E:\Programme\RebirthRO\\Uninstall\uninstall.xml"
Grand Theft Auto IV-->"C:\Programme\InstallShield Installation Information\{579BA58C-F33D-4970-9953-B94B43768AC3}\setup.exe" -runfromtemp -l0x0007 -removeonly
HijackThis 2.0.2-->"C:\Programme\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ICQ6.5-->"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Malwarebytes' Anti-Malware-->"C:\Programme\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 German Language Pack-->MsiExec.exe /X{E78BFA60-5393-4C38-82AB-E8019E464EB4}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - DEU\install.exe
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 German Language Pack-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0 German Language Pack\setup.exe
Microsoft .NET Framework 3.0 German Language Pack-->MsiExec.exe /X{F2A7F421-1679-48D5-B918-96999014ED53}
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft-Basissmartcard-Kryptografiedienstanbieterpaket-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Morrowind-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Programme\Bethesda Softworks\Morrowind\MWUninstall\Setup.exe" -l0x7
Mozilla Firefox (3.0.12)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Norton PartitionMagic 8.0-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
Norton Security Scan (Symantec Corporation)-->"C:\Programme\Gemeinsame Dateien\Symantec Shared\NSSSetup\{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}_2_0_1\NSSSetup.exe" /X
Norton Security Scan-->MsiExec.exe /X{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}
NVIDIA Drivers-->C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
Oblivion-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x7 -removeonly
Pando Media Booster-->C:\Programme\Pando Networks\Media Booster\uninst.exe
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x7 -removeonly
Rockstar Games Social Club-->"C:\Programme\InstallShield Installation Information\{08B3869E-D282-424C-9AFC-870E04A4BA14}\setup.exe" -runfromtemp -l0x0007 -removeonly
ROSE Online Evolution-->"C:\WINDOWS\ROSE Online Evolution\uninstall.exe" "/U:C:\Programme\Triggersoft\ROSE Online Evolution\Uninstall\uninstall.xml"
Sicherheitsupdate für Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Skype web features-->MsiExec.exe /I{8B53527D-BBB2-43A5-91D7-9ED772FD737F}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Stronghold Crusader-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe"
TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe
TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357}
Uninstall 1.0.0.1-->"C:\Programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe"
Vegas Movie Studio Platinum 9.0-->MsiExec.exe /X{97E038E1-41AD-4C93-BCDC-6A2394AEE352}
VideoLAN VLC media player 0.8.4a-->E:\Programme\VideoLAN\VLC\uninstall.exe
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Encoder 9-Reihe-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9-Reihe-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Programme\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation Language Pack (DEU)-->MsiExec.exe /X{92DF2F1B-F63C-4D9A-B3E1-B2D11AE29790}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation DE Language Pack-->MsiExec.exe /I{7228FD8C-3B9E-4204-AE36-8A466107685B}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C710CEED791003E4D635992B02471584893356A0\amdk8.inf
WinRAR-->C:\Programme\WinRAR\uninstall.exe
World of Warcraft-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT\Uninstall.exe
Xfire (remove only)-->"C:\Programme\Xfire\uninst.exe"
Xilisoft 3GP Video Converter-->C:\Programme\Xilisoft\3GP Video Converter 3\Uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"

======Security center information======

AV: Avira AntiVir PersonalEdition

======System event log======

Computer Name: JANN-055EC30FA6
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.
Record Number: 8849
Source Name: EventLog
Time Written: 20090711145008.000000+120
Event Type: Informationen
User:

Computer Name: JANN-055EC30FA6
Event Code: 6006
Message: Der Ereignisprotokolldienst wurde beendet.
Record Number: 8848
Source Name: EventLog
Time Written: 20090711144924.000000+120
Event Type: Informationen
User:

Computer Name: JANN-055EC30FA6
Event Code: 7036
Message: Dienst "Ati HotKey Poller" befindet sich jetzt im Status "Beendet".
Record Number: 8847
Source Name: Service Control Manager
Time Written: 20090711144914.000000+120
Event Type: Informationen
User:

Computer Name: JANN-055EC30FA6
Event Code: 26
Message: Anwendungspopup: Wow: This application has encountered a critical error:
ERROR #134 (0x85100086) Fatal Condition
Program: C:\World of Warcraft\WoW.exe
Failed to read file ENVIRONMENTS\STARS\ICECROWN_CLOUDSA07.blp.
Press OK to terminate the application.
Record Number: 8846
Source Name: Application Popup
Time Written: 20090711144854.000000+120
Event Type: Informationen
User:

Computer Name: JANN-055EC30FA6
Event Code: 26
Message: Anwendungspopup: Wow: This application has encountered a critical error:
ERROR #134 (0x85100086) Fatal Condition
Program: C:\World of Warcraft\WoW.exe
Failed to read file ENVIRONMENTS\STARS\ICECROWN_CLOUDSA07.blp.
Press OK to terminate the application.
Record Number: 8845
Source Name: Application Popup
Time Written: 20090711144827.000000+120
Event Type: Informationen
User:

=====Application event log=====

Computer Name: JANN-055EC30FA6
Event Code: 1800
Message: Der Windows-Sicherheitscenterdienst wurde gestartet.
Record Number: 435
Source Name: SecurityCenter
Time Written: 20090511153310.000000+120
Event Type: Informationen
User:

Computer Name: JANN-055EC30FA6
Event Code: 4096
Message: Der AntiVir Dienst wurde erfolgreich gestartet!
Record Number: 434
Source Name: Avira AntiVir
Time Written: 20090511153308.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM

Computer Name: JANN-055EC30FA6
Event Code: 105
Message: The service was started.
Record Number: 433
Source Name: ATI Smart
Time Written: 20090511153301.000000+120
Event Type: Informationen
User:

Computer Name: JANN-055EC30FA6
Event Code: 4097
Message: Die Anwendung "C:\Programme\ICQ6.5\ICQ.exe" hat einen Programmfehler verursacht.
Datum und Zeit des Fehlers: 10.05.2009 um 21:06:46.953
Ausnahme: c0000005 an Adresse 401074E3 (coolcore49)
Record Number: 432
Source Name: DrWatson
Time Written: 20090510210647.000000+120
Event Type: Informationen
User:

Computer Name: JANN-055EC30FA6
Event Code: 1000
Message: Fehlgeschlagene Anwendung icq.exe, Version 6.5.0.1042, fehlgeschlagenes Modul coolcore49.dll, Version 4.9.0.5711, Fehleradresse 0x000074e3.
Record Number: 431
Source Name: Application Error
Time Written: 20090510210643.000000+120
Event Type: Fehler
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programme\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0c00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RGSCLauncher"=E:\Programme\Rockstar Games\Rockstar Games Social Club
"RGSC"=E:\Programme\Rockstar Games\Rockstar Games Social Club\1_0_0_0

-----------------EOF----------------- |
30.07.2009, 22:22 | #7 |
/// Selecta Jahrusso | Problem with a Trojan b.exe and mas.exe
__________________
Regards, Daniel
ASAP & UNITE Member
Alliance of Security Analysis Professionals
Unified Network of Instructors and Trusted Eliminators
Learn to fight back and support us! TB Akademie |
31.07.2009, 15:27 | #8 |
| Problem with a Trojan b.exe and mas.exe
I think the virus has been removed; I'm not getting any error messages anymore, nothing at all. Can that be? |
31.07.2009, 15:37 | #9 |
/// Selecta Jahrusso | Problem with a Trojan b.exe and mas.exe
No. The disappearance of the symptoms does not mean that your computer is already clean.
__________________ |
31.07.2009, 15:41 | #10 |
| Problem with a Trojan b.exe and mas.exe
Ah, OK, then I'll run the other scan again as well. |
01.08.2009, 13:24 | #11 |
| Problem with a Trojan b.exe and mas.exe
Code:
GMER 1.0.15.15011 [9lrc63s6.exe] - http://www.gmer.net
Rootkit scan 2009-08-01 13:31:25
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT splv.sys ZwCreateKey [0xBA6A70E0]
SSDT AAD7728C ZwCreateThread
SSDT splv.sys ZwEnumerateKey [0xBA6C5CA4]
SSDT splv.sys ZwEnumerateValueKey [0xBA6C6032]
SSDT splv.sys ZwOpenKey [0xBA6A70C0]
SSDT AAD77278 ZwOpenProcess
SSDT AAD7727D ZwOpenThread
SSDT splv.sys ZwQueryKey [0xBA6C610A]
SSDT splv.sys ZwQueryValueKey [0xBA6C5F8A]
SSDT splv.sys ZwSetValueKey [0xBA6C619C]
SSDT AAD77287 ZwTerminateProcess
SSDT AAD77282 ZwWriteVirtualMemory

INT 0x62 ? 89DE9BF8
INT 0x63 ? 89DE9BF8
INT 0x73 ? 89DE9BF8
INT 0x82 ? 89DE9BF8
INT 0xA4 ? 89BECBF8
INT 0xB4 ? 89BECBF8

---- Kernel code sections - GMER 1.0.15 ----

? splv.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload B99DE8AC 5 Bytes JMP 89BEC1D8
.text ah10d47y.SYS AA96E386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ah10d47y.SYS AA96E3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ah10d47y.SYS AA96E3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ah10d47y.SYS AA96E3C9 1 Byte [30]
.text ah10d47y.SYS AA96E3C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Programme\a-squared Free\a2service.exe[1300] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0045493D C:\Programme\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A8042] splv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A813E] splv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A80C0] splv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A8800] splv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A86D6] splv.sys
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DE81F8
Device \Driver\usbohci \Device\USBPDO-0 89BEB1F8
Device \Driver\usbohci \Device\USBPDO-1 89BEB1F8
Device \Driver\PCI_PNP4750 \Device\00000046 splv.sys
Device \Driver\usbehci \Device\USBPDO-2 89BD31F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89DEA1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Ftdisk \Device\HarddiskVolume2 89DEA1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom0 89B891F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89DEA1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\sptd \Device\221006000 splv.sys
Device \Driver\Cdrom \Device\CdRom1 89B891F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88F251F8
Device \Driver\NetBT \Device\NetbiosSmb 88F251F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{18318899-5893-44F2-B5D6-A43B135AB15A} 88F251F8
Device \Driver\usbohci \Device\USBFDO-0 89BEB1F8
Device \Driver\usbohci \Device\USBFDO-1 89BEB1F8
Device \Driver\usbehci \Device\USBFDO-2 89BD31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88DC91F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88DC91F8
Device \Driver\Ftdisk \Device\FtControl 89DEA1F8
Device \Driver\ah10d47y \Device\Scsi\ah10d47y1Port3Path0Target0Lun0 89513500
Device \Driver\ah10d47y \Device\Scsi\ah10d47y1 89513500
Device \FileSystem\Cdfs \Cdfs 88DC11F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b0acdd
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x68 0x00 0x36 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0x72 0xE6 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x44 0x35 0x1E 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b0acdd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x68 0x00 0x36 0x10 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0x72 0xE6 0x66 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x44 0x35 0x1E 0xB1 ...

---- EOF - GMER 1.0.15 ---- |
01.08.2009, 16:38 | #12 |
/// Selecta Jahrusso | Problem with a trojan b.exe and mas.exe Please download Registry Search.zip by Bobbi Flekman and save it to your desktop.
__________________ Regards, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Learn to fight back and support us! TB Akademie |
03.08.2009, 21:15 | #13 |
| Problem with a trojan b.exe and mas.exe I hope I did everything right. Code:
ATTFilter
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 03.08.2009 22:14:31 for strings:
; 'nordbull'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log... |
03.08.2009, 22:20 | #14 |
/// Selecta Jahrusso | Problem with a trojan b.exe and mas.exe
Step 1
Your Java version is not current. Please uninstall all old versions. Please download Java Update 14 and install it.
Step 2
Please uninstall your current version of Adobe Reader: Start --> Control Panel --> Add or Remove Programs --> Adobe Reader, and download the new version from here. As an alternative I would recommend the leaner Foxit Reader.
Step 3
What is drive F:? Please plug in all external media for this scan. Hold down the Shift key while doing so. Delete the Log.txt and the info.txt under C:\RSIT. Double-click RSIT.exe and please post both logfiles.
|
05.08.2009, 15:18 | #15 |
| Problem with a trojan b.exe and mas.exe Code:
ATTFilter info.txt logfile of random's system information tool 1.06 2009-08-05 14:12:30 ======Uninstall list====== -->MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844} -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Acronis*True*Image-->C:\Programme\Acronis\TrueImage\MediaBuilder.exe -uninstall Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Help Center 2.1-->MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71} Adobe Photoshop Elements 5.0-->msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B} Adobe Reader 9.1 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A91000000001} Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe" a-squared Free 4.5-->"C:\Programme\a-squared Free\unins000.exe" ATI - Software Uninstall Utility-->C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean Audacity 1.3.7 (Unicode)-->"C:\Programme\Audacity 1.3 Beta (Unicode)\unins000.exe" Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE Battlefield 2142-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x7 -removeonly Corel Paint Shop Pro Photo X2-->MsiExec.exe /X{64E72FB1-2343-4977-B4A8-262CD53D0BD3} Counter-Strike-->"E:\Steam\steam.exe" steam://uninstall/10 Dark Messiah Might and Magic Single Player-->"E:\Steam\steam.exe" steam://uninstall/2100 Die Sims 2: Open For Business-->C:\Programme\EA GAMES\Die Sims 2 Open For Business\EAUninstall.exe Die Sims 2: Wilde Campus-Jahre-->E:\Campus\EAUninstall.exe Die Sims 
2-->C:\Programme\EA GAMES\Die Sims 2\EAUninstall.exe Die Sims™ 2 Haustiere-->E:\Programme\Tiere\EAUninstall.exe Enemy Territory - QUAKE Wars(TM)-->C:\Programme\InstallShield Installation Information\{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}\setup.exe -runfromtemp -l0x0407 Fahrenheit-->MsiExec.exe /I{BA10AC78-E687-4523-8B93-540428FC256F} Fiesta-->"C:\Programme\InstallShield Installation Information\{E127B28D-1A2A-45C4-A74E-C817E0A74E3E}\setup.exe" -runfromtemp -l0x0009 -removeonly Forsaken Ragnarok Online All-In-One-->E:\Program Files\ForsakenRO\Uninstall.exe Free YouTube to Mp3 Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe" FULL CLIENT-->"C:\WINDOWS\FULL CLIENT\uninstall.exe" "/U:E:\Programme\RebirthRO\\Uninstall\uninstall.xml" Grand Theft Auto IV-->"C:\Programme\InstallShield Installation Information\{579BA58C-F33D-4970-9953-B94B43768AC3}\setup.exe" -runfromtemp -l0x0007 -removeonly HijackThis 2.0.2-->"C:\Programme\trend micro\HijackThis.exe" /uninstall Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840} Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" ICQ6.5-->"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000} Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF} Malwarebytes' Anti-Malware-->"C:\Programme\Malwarebytes' Anti-Malware\unins000.exe" Microsoft .NET Framework 1.1 German Language Pack-->MsiExec.exe /X{E78BFA60-5393-4C38-82AB-E8019E464EB4} Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" 
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp" Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} Microsoft .NET Framework 2.0 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - DEU\install.exe Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28} Microsoft .NET Framework 3.0 German Language Pack-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0 German Language Pack\setup.exe Microsoft .NET Framework 3.0 German Language Pack-->MsiExec.exe /X{F2A7F421-1679-48D5-B918-96999014ED53} Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003} Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501} Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6} Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft-Basissmartcard-Kryptografiedienstanbieterpaket-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Morrowind-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Programme\Bethesda Softworks\Morrowind\MWUninstall\Setup.exe" -l0x7 Mozilla Firefox (3.0.13)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44} Norton PartitionMagic 8.0-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe 
/M{21DBBDD6-93A5-4326-9A04-C9A5C9148502} Norton Security Scan (Symantec Corporation)-->"C:\Programme\Gemeinsame Dateien\Symantec Shared\NSSSetup\{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}_2_0_1\NSSSetup.exe" /X Norton Security Scan-->MsiExec.exe /X{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4} NVIDIA Drivers-->C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI Oblivion-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x7 -removeonly Pando Media Booster-->C:\Programme\Pando Networks\Media Booster\uninst.exe Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x7 -removeonly Rockstar Games Social Club-->"C:\Programme\InstallShield Installation Information\{08B3869E-D282-424C-9AFC-870E04A4BA14}\setup.exe" -runfromtemp -l0x0007 -removeonly ROSE Online Evolution-->"C:\WINDOWS\ROSE Online Evolution\uninstall.exe" "/U:C:\Programme\Triggersoft\ROSE Online Evolution\Uninstall\uninstall.xml" Sicherheitsupdate für Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf Skype web features-->MsiExec.exe /I{8B53527D-BBB2-43A5-91D7-9ED772FD737F} Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36} Stronghold Crusader-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe" TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357} Uninstall 1.0.0.1-->"C:\Programme\Gemeinsame 
Dateien\DVDVideoSoft\unins000.exe" Vegas Movie Studio Platinum 9.0-->MsiExec.exe /X{97E038E1-41AD-4C93-BCDC-6A2394AEE352} VideoLAN VLC media player 0.8.4a-->E:\Programme\VideoLAN\VLC\uninstall.exe Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333} Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe" Windows Media Encoder 9-Reihe-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} Windows Media Encoder 9-Reihe-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} Windows Media Format 11 runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Media Player 11-->"C:\Programme\Windows Media Player\Setup_wm.exe" /Uninstall Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe" Windows Presentation Foundation Language Pack (DEU)-->MsiExec.exe /X{92DF2F1B-F63C-4D9A-B3E1-B2D11AE29790} Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840} Windows Workflow Foundation DE Language Pack-->MsiExec.exe /I{7228FD8C-3B9E-4204-AE36-8A466107685B} Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD} Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe" Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C710CEED791003E4D635992B02471584893356A0\amdk8.inf WinRAR-->C:\Programme\WinRAR\uninstall.exe World of Warcraft-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT\Uninstall.exe Xfire (remove only)-->"C:\Programme\Xfire\uninst.exe" Xilisoft 3GP Video Converter-->C:\Programme\Xilisoft\3GP Video Converter 3\Uninstall.exe XML Paper Specification Shared Components Language Pack 
1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe" Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe ======Security center information====== AV: Avira AntiVir PersonalEdition (outdated) ======System event log====== Computer Name: JANN-055EC30FA6 Event Code: 6006 Message: Der Ereignisprotokolldienst wurde beendet. Record Number: 10161 Source Name: EventLog Time Written: 20090721175058.000000+120 Event Type: Informationen User: Computer Name: JANN-055EC30FA6 Event Code: 1073 Message: Der Versuch, Neustart auf JANN-055EC30FA6 durchzuführen ist fehlgeschlagen. Record Number: 10160 Source Name: USER32 Time Written: 20090721175025.000000+120 Event Type: Warnung User: NT-AUTORITÄT\SYSTEM Computer Name: JANN-055EC30FA6 Event Code: 7036 Message: Dienst "Ati HotKey Poller" befindet sich jetzt im Status "Beendet". Record Number: 10159 Source Name: Service Control Manager Time Written: 20090721175012.000000+120 Event Type: Informationen User: Computer Name: JANN-055EC30FA6 Event Code: 26 Message: Anwendungspopup: Wow: This application has encountered a critical error: ERROR #134 (0x85100086) Fatal Condition Program: C:\World of Warcraft\WoW.exe Failed to read file world\kalimdor\darkshore\passivedoodads\ruins\darkshoreruinwall03.m2. Press OK to terminate the application. Record Number: 10158 Source Name: Application Popup Time Written: 20090721173211.000000+120 Event Type: Informationen User: Computer Name: JANN-055EC30FA6 Event Code: 4226 Message: TCP/IP hat das Sicherheitslimit erreicht, das für die Anzahl gleichzeitiger TCP-Verbindungsversuche festgelegt wurde. Record Number: 10157 Source Name: Tcpip Time Written: 20090721173135.000000+120 Event Type: Warnung User: =====Application event log===== Computer Name: JANN-055EC30FA6 Event Code: 105 Message: The service was started. 
Record Number: 437 Source Name: ATI Smart Time Written: 20090512192329.000000+120 Event Type: Informationen User: Computer Name: JANN-055EC30FA6 Event Code: 1517 Message: Die Registrierung des Benutzers "JANN-055EC30FA6\Jann" wurde gespeichert, obwohl eine Anwendung oder ein Dienst auf die Registrierung während der Abmeldung zugegriffen hat. Der von der Registrierung des Benutzers verwendete Speicher wurde nicht freigegeben. Der Upload der Registrierung wird durchgeführt, wenn diese nicht mehr verwendet wird. Dies wird oft durch Dienste verursacht, die unter einem Benutzerkonto ausgeführt werden. Versuchen Sie diese so zu Konfigurieren, dass sie unter den Konten "Lokaler Dienst" oder "Netzwerkdienst" ausgeführt werden. Record Number: 436 Source Name: Userenv Time Written: 20090511181606.000000+120 Event Type: Warnung User: NT-AUTORITÄT\SYSTEM Computer Name: JANN-055EC30FA6 Event Code: 1800 Message: Der Windows-Sicherheitscenterdienst wurde gestartet. Record Number: 435 Source Name: SecurityCenter Time Written: 20090511153310.000000+120 Event Type: Informationen User: Computer Name: JANN-055EC30FA6 Event Code: 4096 Message: Der AntiVir Dienst wurde erfolgreich gestartet! Record Number: 434 Source Name: Avira AntiVir Time Written: 20090511153308.000000+120 Event Type: Informationen User: NT-AUTORITÄT\SYSTEM Computer Name: JANN-055EC30FA6 Event Code: 105 Message: The service was started. 
Record Number: 433 Source Name: ATI Smart Time Written: 20090511153301.000000+120 Event Type: Informationen User: ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programme\ATI Technologies\ATI.ACE\Core-Static "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 12 Stepping 0, AuthenticAMD "PROCESSOR_REVISION"=0c00 "NUMBER_OF_PROCESSORS"=1 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "RGSCLauncher"=E:\Programme\Rockstar Games\Rockstar Games Social Club "RGSC"=E:\Programme\Rockstar Games\Rockstar Games Social Club\1_0_0_0 -----------------EOF----------------- |
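The helper's steps 1 and 2 rest on what the RSIT uninstall list shows: two Java runtimes installed side by side and an older Adobe Reader, plus the security-center line marking the antivirus as outdated. As an added example (not RSIT's code and not something posted in the thread), this script pulls those entries out of an info.txt and reports the superseded Java runtime, the Adobe Reader entry and the "(outdated)" marker; the sample text is constructed from lines of the posted log, shortened to the relevant entries.

```python
"""Triage check over an RSIT info.txt "Uninstall list".

Added example for this thread; it is not part of RSIT, GMER or any tool the
helper uses. The sample below is constructed from entries that appear in
the posted log (names and uninstall strings copied verbatim, list shortened).
"""
import re

# Constructed sample: a slice of the info.txt sections as RSIT 1.06 prints them.
SAMPLE_INFO_TXT = r"""
======Uninstall list======
Adobe Reader 9.1 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A91000000001}
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Mozilla Firefox (3.0.13)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
======Security center information======
AV: Avira AntiVir PersonalEdition (outdated)
"""

# Sun shipped two naming schemes; both are mapped to (major, update) so that
# runtimes can be ordered regardless of which scheme the installer used.
_JAVA_PATTERNS = (
    re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+)"),
    re.compile(r"^Java\(TM\) (\d+) Update (\d+)"),
)


def parse_uninstall_list(text):
    """Return {display name: uninstall command} from the Uninstall list section."""
    entries = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("====="):  # section header such as ======Uninstall list======
            in_section = line.strip("= ") == "Uninstall list"
            continue
        if in_section and "-->" in line:
            name, cmd = line.split("-->", 1)
            entries[name.strip()] = cmd.strip()
    return entries


def java_runtimes(entries):
    """Return [(major, update, name)] for every Java runtime entry, oldest first."""
    found = []
    for name in entries:
        for pattern in _JAVA_PATTERNS:
            match = pattern.match(name)
            if match:
                found.append((int(match.group(1)), int(match.group(2)), name))
                break
    return sorted(found)


def superseded_java(entries):
    """Names of Java runtimes older than the newest one still installed."""
    return [name for _, _, name in java_runtimes(entries)[:-1]]


def outdated_av(text):
    """True if RSIT's security center line marks the antivirus as outdated."""
    return any(line.startswith("AV:") and "(outdated)" in line
               for line in text.splitlines())


def triage(text):
    """Summarise what the helper acted on: stale Java, Adobe Reader, stale AV."""
    entries = parse_uninstall_list(text)
    return {
        "java_superseded": superseded_java(entries),
        "adobe_reader": [name for name in entries if name.startswith("Adobe Reader")],
        "av_outdated": outdated_av(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INFO_TXT).items():
        print(f"{key}: {value}")
```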