| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Problem mit einem Trojaner b.exe und mas.exeWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
30.07.2009, 14:06
| #1 |
 |  Problem mit einem Trojaner b.exe und mas.exe Hallo ich habe seid gestern einen Trojaner auf meinen Computer Es fing an mit Popus im Internet Browser Mitlerweile schlägt ständig mein Antivir aus und sagt das ein Trojaner sich in der mas.exe befindet, ich hab mich dann ein wenig schlau gemacht und gelesen das ich den Prozess mas.exe im Tastmanager beenden soll und habs gemacht. Ich hatte mehrere minuten ruhe und dachte mir das dass problem gelöst ist. Ein weniger später gehts wieder los, Antivir schlägt aus und diesmal die b.exe. Wieder Tastmanger geöfnet und den Prozess beendet aber nun schlägt Antivir wieder bei der mas.exe aus  Wäre echt nett wenn mir jemand helfen könnte und bitte gut erklärt ,den ich bin leihe in dem gebiet. PS: Mein Antivir sagt: Trojaner Endeckt mas.exe fakealert |
|
30.07.2009, 14:29
| #2 |
| /// Selecta Jahrusso   |  Problem mit einem Trojaner b.exe und mas.exe Eine Bereinigung ist mitunter mit viel Arbeit für Dich verbunden.
Hinweis: Ich kann Dir niemals eine Garantie geben, dass ich auch alles finde. Eine Formatierung ist meist der Schnellere und immer der sicherste Weg. Solltest Du Dich für eine Bereinigung entscheiden, arbeite bitte folgendes ab. Poste bitte alle Logfiles in Code-Tags. Klicke antworten --> # danach [code]text[/code] So sollte das dann hier aussehen nach dem antworten: Code:
ATTFilter deine Logfile
schritt 1 Wende bitte Malwarebytes nach Anleitung an. schritt 2
__________________ |
|
30.07.2009, 16:22
| #3 |
| | Problem mit einem Trojaner b.exe und mas.exe Bericht von Malwarebytes:
__________________Code:
ATTFilter Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2529
Windows 5.1.2600 Service Pack 3
30.07.2009 17:13:55
mbam-log-2009-07-30 (17-13-55).txt
Scan-Methode: Vollständiger Scan (C:\|E:\|F:\|Z:\|)
Durchsuchte Objekte: 187281
Laufzeit: 1 hour(s), 21 minute(s), 54 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 9
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
c:\dokumente und einstellungen\Jann\lokale einstellungen\anwendungsdaten\Mozilla\Firefox\Profiles\pdtqtvn6.default\Cache\5558608Cd01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
Code:
ATTFilter Logfile of random's system information tool 1.06 (written by random/random) Run by Jann at 2009-07-30 17:16:33 Microsoft Windows XP Home Edition Service Pack 3 System drive C: has 66 GB (61%) free of 108 GB Total RAM: 2047 MB (53% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:16:33, on 30.07.2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\TUProgSt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programme\a-squared Free\a2service.exe C:\Programme\Windows Media Player\wmplayer.exe C:\Programme\Teamspeak2_RC2\TeamSpeak.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Dokumente und Einstellungen\Jann\Desktop\RSIT.exe C:\Programme\trend micro\Jann.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKLM\..\RunOnce: [ Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231193178781 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe -- End of file - 4890 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\1-Klick-Wartung.job C:\WINDOWS\tasks\Norton Security Scan for Jann.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] AcroIEHlprObj Class - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}] JQSIEStartDetectorImpl Class - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497] "KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k [] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Malwarebytes' Anti-Malware"=C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe [2009-07-13 414992] " Malwarebytes Anti-Malware (reboot)"=C:\Programme\Malwarebytes' Anti-Malware\mbam.exe [2009-07-13 1287440] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ICQ"=C:\Programme\ICQ6.5\ICQ.exe [2009-03-01 172792] "NordBull"=C:\WINDOWS\msa.exe [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] C:\WINDOWS\system32\Ati2evxx.dll [2007-06-27 118784] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Programme\ICQ6.5\ICQ.exe"="C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6" "C:\World of Warcraft\Launcher.exe"="C:\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher" "C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe"="C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe:*:Enabled:Blizzard Downloader" "C:\Programme\Xfire\Xfire.exe"="C:\Programme\Xfire\Xfire.exe:*:Enabled:Xfire" "C:\Programme\Java\jre6\bin\java.exe"="C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary" "E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe"="E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe:*:Enabled:Half-Life Launcher" "E:\Programme\THQ\Titan Quest\Titan Quest.exe"="E:\Programme\THQ\Titan Quest\Titan Quest.exe:*:Enabled:Titan Quest" "E:\Steam\steamapps\jann100\counter-strike source\hl2.exe"="E:\Steam\steamapps\jann100\counter-strike source\hl2.exe:*:Enabled:hl2" "E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe"="E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe:*:Enabled:Battlefield 2" "E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"="E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club" "E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV" "E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars(TM)" "E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:*:Enabled:etqwded.exe" "C:\Programme\Pando Networks\Media Booster\PMB.exe"="C:\Programme\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster" "E:\Steam\Steam.exe"="E:\Steam\Steam.exe:*:Enabled:Steam" "C:\World of Warcraft\BackgroundDownloader.exe"="C:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader" "E:\Programme\uTorrent\uTorrent.exe"="E:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent" "C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5508c63d-3bd4-11de-aad1-001109c0e01c}] shell\AutoRun\command - F:\laucher.exe shell\shell1\command - F:\laucher.exe ======List of files/folders created in the last 1 months====== 2009-07-30 17:14:59 ----D---- C:\Programme\trend micro 2009-07-30 17:14:58 ----D---- C:\rsit 2009-07-30 17:14:21 ----A---- C:\WINDOWS\system32\sguoirh.txt 2009-07-30 15:49:33 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Malwarebytes 2009-07-30 15:49:22 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes 2009-07-30 15:49:21 ----D---- C:\Programme\Malwarebytes' Anti-Malware 2009-07-30 14:20:27 ----D---- C:\Programme\a-squared Free 2009-07-29 16:18:08 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Publish Providers 2009-07-29 16:17:53 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Sony 2009-07-29 16:11:21 ----D---- C:\Programme\Vstplugins 2009-07-29 16:11:11 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony 2009-07-29 16:10:56 ----D---- C:\Programme\Sony 2009-07-29 16:10:36 ----D---- C:\Programme\Sony Setup 2009-07-29 15:47:35 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\uTorrent 2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\espionServerData 2009-07-20 22:55:36 ----A---- C:\AdobeDebug.txt 2009-07-16 18:07:35 ----A---- C:\WINDOWS\system32\TUProgSt.exe 2009-07-16 18:07:34 ----A---- C:\WINDOWS\system32\uxtuneup.dll 2009-07-16 18:07:33 ----A---- C:\WINDOWS\system32\TuneUpDefragService.exe 2009-07-16 18:07:32 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\TuneUp Software 2009-07-16 18:06:46 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software 2009-07-16 18:06:43 ----D---- C:\Programme\TuneUp Utilities 2009 2009-07-16 18:05:48 ----SHD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{55A29068-F2CE-456C-9148-C869879E2357} 2009-07-14 20:49:44 ----D---- C:\Cache 2009-07-09 15:03:07 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\skypePM 2009-07-09 14:31:25 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Skype 2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien\Skype 2009-07-09 14:30:54 ----RD---- C:\Programme\Skype 2009-07-09 14:30:45 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype 2009-07-09 13:25:24 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\vlc ======List of files/folders modified in the last 1 months====== 2009-07-30 17:14:59 ----RD---- C:\Programme 2009-07-30 17:14:21 ----D---- C:\WINDOWS\system32\drivers 2009-07-30 17:14:21 ----D---- C:\WINDOWS\system32 2009-07-30 17:13:55 ----SD---- C:\WINDOWS\Tasks 2009-07-30 15:49:27 ----D---- C:\WINDOWS\Prefetch 2009-07-30 15:46:44 ----D---- C:\WINDOWS\Temp 2009-07-30 15:46:30 ----D---- C:\Programme\Mozilla Firefox 2009-07-30 15:12:03 ----D---- C:\WINDOWS 2009-07-30 15:08:38 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\teamspeak2 2009-07-30 13:53:03 ----D---- C:\WINDOWS\system32\CatRoot2 2009-07-30 01:08:08 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-07-29 18:00:04 ----D---- C:\Programme\Norton Security Scan 2009-07-29 16:11:47 ----SHD---- C:\WINDOWS\Installer 2009-07-29 16:11:42 ----SHD---- C:\Config.Msi 2009-07-29 16:08:24 ----HD---- C:\Programme\InstallShield Installation Information 2009-07-23 22:51:13 ----D---- C:\WINDOWS\Minidump 2009-07-22 12:33:03 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2009-07-20 22:55:37 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe 2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Adobe 2009-07-20 22:48:45 ----A---- C:\WINDOWS\win.ini 2009-07-19 18:01:44 ----D---- C:\Programme\Gemeinsame Dateien\Symantec Shared 2009-07-16 21:26:24 ----D---- C:\World of Warcraft 2009-07-16 18:07:36 ----D---- C:\WINDOWS\system32\config 2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien 2009-07-07 13:03:31 ----D---- C:\Programme\Gemeinsame Dateien\Blizzard Entertainment 2009-07-04 18:31:46 ----D---- C:\Programme\EA GAMES ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 AmdK8;AMD-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 43520] R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys [] R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-05-27 75096] R1 kbdhid;Tastatur-HID-Treiber; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720] R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228] R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248] R2 ithsgt;ithsgt; C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2009-05-18 162432] R2 lilsgt;lilsgt; C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2009-05-18 12032] R2 tifsfilter;Acronis TrueImage FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2007-08-10 28768] R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-12-04 4025984] R3 Arp1394;1394-ARP-Clientprotokoll; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800] R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-06-27 2303488] R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys [] R3 hidusb;Microsoft HID Class-Treiber; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368] R3 mouhid;Maus-HID-Treiber; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12288] R3 NIC1394;1394-Netzwerktreiber; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824] R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2004-05-17 33280] R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2004-05-17 12928] R3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128] R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208] R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 usbohci;Miniporttreiber für Microsoft USB Open Host-Controller; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152] S3 ahm26h75;ahm26h75; C:\WINDOWS\system32\drivers\ahm26h75.sys [] S3 BthEnum;Bluetooth-Auflistungsdienst; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024] S3 BthPan;Bluetooth-Gerät (PAN); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120] S3 BTHPORT;Bluetooth-Porttreiber; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-04-14 273920] S3 BTHUSB;USB-Treiber für Bluetooth-Funkgerät; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944] S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS [] S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-05-27 25280] S3 M2500;802.11g Wireless Network Driver; C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-06-24 191360] S3 npkcusb;npkcusb; \??\E:\Programme\RebirthRO\npkcusb.sys [] S3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136] S3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 a2free;a-squared Free Service; C:\Programme\a-squared Free\a2service.exe [2009-07-13 719392] R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe [2007-08-10 151552] R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400] R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865] R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297] R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-06-27 483328] R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] R2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2009-03-09 152984] R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-07-16 604416] R2 UxTuneUp;TuneUp Designerweiterung; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336] S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-06-29 520192] S3 aspnet_state;ASP.NET-Zustandsdienst; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864] S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728] S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376] S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-07-16 361216] S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880] -----------------EOF----------------- Code:
ATTFilter Nicht Verfübar
Geändert von Kelethine (30.07.2009 um 17:03 Uhr) |
|
30.07.2009, 20:06
| #4 | |
| /// Selecta Jahrusso | Problem mit einem Trojaner b.exe und mas.exeCode:
ATTFilter 30.07.2009 17:13:55
mbam-log-2009-07-30 (17-13-55).txt
Scan-Methode: Vollständiger Scan (C:\|E:\|F:\|Z:\|)
Durchsuchte Objekte: 187281
Laufzeit: 1 hour(s), 21 minute(s), 54 second(s)
Logfile of random's system information tool 1.06 (written by random/random)
Run by Jann at 2009-07-30 17:16:33
Microsoft Windows XP Home Edition Service Pack 3
 Zitat:
schritt 1 Lösche unter C:\RSIT\ die log.txt und info.txt doppelklick auf die RSIT.exe Poste beide Logfiles
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
30.07.2009, 22:11
| #5 |
| | Problem mit einem Trojaner b.exe und mas.exe Log: Code:
ATTFilter Logfile of random's system information tool 1.06 (written by random/random) Run by Jann at 2009-07-30 23:09:35 Microsoft Windows XP Home Edition Service Pack 3 System drive C: has 66 GB (61%) free of 108 GB Total RAM: 2047 MB (57% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:09:44, on 30.07.2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Programme\ICQ6.5\ICQ.exe C:\Programme\a-squared Free\a2service.exe C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\TUProgSt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Teamspeak2_RC2\TeamSpeak.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Dokumente und Einstellungen\Jann\Desktop\RSIT.exe C:\Programme\trend micro\Jann.exe C:\Programme\Skype\Toolbars\Shared\SkypeNames.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6.5\ICQ.exe" silent O4 - HKCU\..\Run: [NordBull] C:\WINDOWS\msa.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231193178781 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe -- End of file - 4639 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\1-Klick-Wartung.job C:\WINDOWS\tasks\Norton Security Scan for Jann.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] AcroIEHlprObj Class - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 50376] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}] JQSIEStartDetectorImpl Class - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "avgnt"=C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497] "KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k [] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ICQ"=C:\Programme\ICQ6.5\ICQ.exe [2009-03-01 172792] "NordBull"=C:\WINDOWS\msa.exe [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] C:\WINDOWS\system32\Ati2evxx.dll [2007-06-27 118784] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\Programme\ICQ6.5\ICQ.exe"="C:\Programme\ICQ6.5\ICQ.exe:*:Enabled:ICQ6" "C:\World of Warcraft\Launcher.exe"="C:\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher" "C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe"="C:\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-deDE-downloader.exe:*:Enabled:Blizzard Downloader" "C:\Programme\Xfire\Xfire.exe"="C:\Programme\Xfire\Xfire.exe:*:Enabled:Xfire" "C:\Programme\Java\jre6\bin\java.exe"="C:\Programme\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary" "E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe"="E:\Steam\steamapps\nettworld10@web.de\counter-strike\hl.exe:*:Enabled:Half-Life Launcher" "E:\Programme\THQ\Titan Quest\Titan Quest.exe"="E:\Programme\THQ\Titan Quest\Titan Quest.exe:*:Enabled:Titan Quest" "E:\Steam\steamapps\jann100\counter-strike source\hl2.exe"="E:\Steam\steamapps\jann100\counter-strike source\hl2.exe:*:Enabled:hl2" "E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe"="E:\Programme\Electronic Arts\Battlefield 2142\BF2142.exe:*:Enabled:Battlefield 2" "E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"="E:\Programme\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club" "E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe"="E:\Programme\Rockstar Games\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV" "E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars(TM)" "E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe"="E:\Programme\id Software\Enemy Territory - QUAKE Wars\etqwded.exe:*:Enabled:etqwded.exe" "C:\Programme\Pando Networks\Media Booster\PMB.exe"="C:\Programme\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster" "E:\Steam\Steam.exe"="E:\Steam\Steam.exe:*:Enabled:Steam" "C:\World of Warcraft\BackgroundDownloader.exe"="C:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader" "E:\Programme\uTorrent\uTorrent.exe"="E:\Programme\uTorrent\uTorrent.exe:*:Enabled:µTorrent" "C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5508c63d-3bd4-11de-aad1-001109c0e01c}] shell\AutoRun\command - F:\laucher.exe shell\shell1\command - F:\laucher.exe ======List of files/folders created in the last 1 months====== 2009-07-30 17:14:59 ----D---- C:\Programme\trend micro 2009-07-30 17:14:58 ----D---- C:\rsit 2009-07-30 15:49:33 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Malwarebytes 2009-07-30 15:49:22 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes 2009-07-30 15:49:21 ----D---- C:\Programme\Malwarebytes' Anti-Malware 2009-07-30 14:20:27 ----D---- C:\Programme\a-squared Free 2009-07-29 16:18:08 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Publish Providers 2009-07-29 16:17:53 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Sony 2009-07-29 16:11:21 ----D---- C:\Programme\Vstplugins 2009-07-29 16:11:11 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony 2009-07-29 16:10:56 ----D---- C:\Programme\Sony 2009-07-29 16:10:36 ----D---- C:\Programme\Sony Setup 2009-07-29 15:47:35 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\uTorrent 2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\espionServerData 2009-07-20 22:55:36 ----A---- C:\AdobeDebug.txt 2009-07-16 18:07:35 ----A---- C:\WINDOWS\system32\TUProgSt.exe 2009-07-16 18:07:34 ----A---- C:\WINDOWS\system32\uxtuneup.dll 2009-07-16 18:07:33 ----A---- C:\WINDOWS\system32\TuneUpDefragService.exe 2009-07-16 18:07:32 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\TuneUp Software 2009-07-16 18:06:46 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software 2009-07-16 18:06:43 ----D---- C:\Programme\TuneUp Utilities 2009 2009-07-16 18:05:48 ----SHD---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{55A29068-F2CE-456C-9148-C869879E2357} 2009-07-14 20:49:44 ----D---- C:\Cache 2009-07-09 15:03:07 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\skypePM 2009-07-09 14:31:25 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Skype 2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien\Skype 2009-07-09 14:30:54 ----RD---- C:\Programme\Skype 2009-07-09 14:30:45 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype 2009-07-09 13:25:24 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\vlc ======List of files/folders modified in the last 1 months====== 2009-07-30 21:49:58 ----D---- C:\Programme\Mozilla Firefox 2009-07-30 19:17:21 ----D---- C:\WINDOWS\Temp 2009-07-30 19:16:17 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-07-30 17:19:55 ----D---- C:\WINDOWS\system32\drivers 2009-07-30 17:19:55 ----D---- C:\WINDOWS\system32 2009-07-30 17:14:59 ----RD---- C:\Programme 2009-07-30 17:13:55 ----SD---- C:\WINDOWS\Tasks 2009-07-30 15:49:27 ----D---- C:\WINDOWS\Prefetch 2009-07-30 15:12:03 ----D---- C:\WINDOWS 2009-07-30 15:08:38 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\teamspeak2 2009-07-30 13:53:03 ----D---- C:\WINDOWS\system32\CatRoot2 2009-07-29 18:00:04 ----D---- C:\Programme\Norton Security Scan 2009-07-29 16:11:47 ----SHD---- C:\WINDOWS\Installer 2009-07-29 16:11:42 ----SHD---- C:\Config.Msi 2009-07-29 16:08:24 ----HD---- C:\Programme\InstallShield Installation Information 2009-07-23 22:51:13 ----D---- C:\WINDOWS\Minidump 2009-07-22 12:33:03 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2009-07-20 22:55:37 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe 2009-07-20 22:55:36 ----D---- C:\Dokumente und Einstellungen\Jann\Anwendungsdaten\Adobe 2009-07-20 22:48:45 ----A---- C:\WINDOWS\win.ini 2009-07-19 18:01:44 ----D---- C:\Programme\Gemeinsame Dateien\Symantec Shared 2009-07-16 21:26:24 ----D---- C:\World of Warcraft 2009-07-16 18:07:36 ----D---- C:\WINDOWS\system32\config 2009-07-09 14:30:58 ----D---- C:\Programme\Gemeinsame Dateien 2009-07-07 13:03:31 ----D---- C:\Programme\Gemeinsame Dateien\Blizzard Entertainment 2009-07-04 18:31:46 ----D---- C:\Programme\EA GAMES ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 AmdK8;AMD-Prozessortreiber; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 43520] R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgio.sys [] R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-05-27 75096] R1 kbdhid;Tastatur-HID-Treiber; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720] R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228] R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248] R2 ithsgt;ithsgt; C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2009-05-18 162432] R2 lilsgt;lilsgt; C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2009-05-18 12032] R2 tifsfilter;Acronis TrueImage FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2007-08-10 28768] R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2006-12-04 4025984] R3 Arp1394;1394-ARP-Clientprotokoll; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800] R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-06-27 2303488] R3 avgntflt;avgntflt; \??\C:\Programme\Avira\AntiVir PersonalEdition Classic\avgntflt.sys [] R3 hidusb;Microsoft HID Class-Treiber; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368] R3 mouhid;Maus-HID-Treiber; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12288] R3 NIC1394;1394-Netzwerktreiber; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824] R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2004-05-17 33280] R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2004-05-17 12928] R3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128] R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208] R3 usbhub;USB2-aktivierter Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 usbohci;Miniporttreiber für Microsoft USB Open Host-Controller; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152] S3 avrxubcq;avrxubcq; C:\WINDOWS\system32\drivers\avrxubcq.sys [] S3 BthEnum;Bluetooth-Auflistungsdienst; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024] S3 BthPan;Bluetooth-Gerät (PAN); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120] S3 BTHPORT;Bluetooth-Porttreiber; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-04-14 273920] S3 BTHUSB;USB-Treiber für Bluetooth-Funkgerät; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944] S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS [] S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2009-05-27 25280] S3 M2500;802.11g Wireless Network Driver; C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-06-24 191360] S3 npkcusb;npkcusb; \??\E:\Programme\RebirthRO\npkcusb.sys [] S3 RFCOMM;Bluetooth-Gerät (RFCOMM-Protokoll-TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136] S3 USBSTOR;USB-Massenspeichertreiber; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 a2free;a-squared Free Service; C:\Programme\a-squared Free\a2service.exe [2009-07-13 719392] R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe [2007-08-10 151552] R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400] R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer; C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865] R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297] R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-06-27 483328] R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] R2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2009-03-09 152984] R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-07-16 604416] R2 UxTuneUp;TuneUp Designerweiterung; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336] S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-06-29 520192] S3 aspnet_state;ASP.NET-Zustandsdienst; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864] S3 IDriverT;InstallDriver Table Manager; C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728] S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376] S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-07-16 361216] S3 WMPNetworkSvc;Windows Media Player-Netzwerkfreigabedienst; C:\Programme\Windows Media Player\WMPNetwk.exe [2006-11-03 920576] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880] -----------------EOF----------------- |
|
30.07.2009, 22:12
| #6 |
| | Problem mit einem Trojaner b.exe und mas.exe Info: Code:
ATTFilter info.txt logfile of random's system information tool 1.06 2009-07-30 23:09:47
======Uninstall list======
-->MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis True Image-->C:\Programme\Acronis\TrueImage\MediaBuilder.exe -uninstall
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.1-->MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Photoshop Elements 5.0-->msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Reader 6.0 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-000000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
a-squared Free 4.5-->"C:\Programme\a-squared Free\unins000.exe"
ATI - Software Uninstall Utility-->C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.3.7 (Unicode)-->"C:\Programme\Audacity 1.3 Beta (Unicode)\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Battlefield 2142-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x7 -removeonly
Counter-Strike-->"E:\Steam\steam.exe" steam://uninstall/10
Dark Messiah Might and Magic Single Player-->"E:\Steam\steam.exe" steam://uninstall/2100
Die Sims 2: Open For Business-->C:\Programme\EA GAMES\Die Sims 2 Open For Business\EAUninstall.exe
Die Sims 2: Wilde Campus-Jahre-->E:\Campus\EAUninstall.exe
Die Sims 2-->C:\Programme\EA GAMES\Die Sims 2\EAUninstall.exe
Die Sims™ 2 Haustiere-->E:\Programme\Tiere\EAUninstall.exe
Enemy Territory - QUAKE Wars(TM)-->C:\Programme\InstallShield Installation Information\{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}\setup.exe -runfromtemp -l0x0407
Fahrenheit-->MsiExec.exe /I{BA10AC78-E687-4523-8B93-540428FC256F}
Fiesta-->"C:\Programme\InstallShield Installation Information\{E127B28D-1A2A-45C4-A74E-C817E0A74E3E}\setup.exe" -runfromtemp -l0x0009 -removeonly
Forsaken Ragnarok Online All-In-One-->E:\Program Files\ForsakenRO\Uninstall.exe
Free YouTube to Mp3 Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
FULL CLIENT-->"C:\WINDOWS\FULL CLIENT\uninstall.exe" "/U:E:\Programme\RebirthRO\\Uninstall\uninstall.xml"
Grand Theft Auto IV-->"C:\Programme\InstallShield Installation Information\{579BA58C-F33D-4970-9953-B94B43768AC3}\setup.exe" -runfromtemp -l0x0007 -removeonly
HijackThis 2.0.2-->"C:\Programme\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ICQ6.5-->"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Malwarebytes' Anti-Malware-->"C:\Programme\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 German Language Pack-->MsiExec.exe /X{E78BFA60-5393-4C38-82AB-E8019E464EB4}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - DEU\install.exe
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 German Language Pack-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0 German Language Pack\setup.exe
Microsoft .NET Framework 3.0 German Language Pack-->MsiExec.exe /X{F2A7F421-1679-48D5-B918-96999014ED53}
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft-Basissmartcard-Kryptografiedienstanbieterpaket-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Morrowind-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Programme\Bethesda Softworks\Morrowind\MWUninstall\Setup.exe" -l0x7
Mozilla Firefox (3.0.12)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Norton PartitionMagic 8.0-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
Norton Security Scan (Symantec Corporation)-->"C:\Programme\Gemeinsame Dateien\Symantec Shared\NSSSetup\{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}_2_0_1\NSSSetup.exe" /X
Norton Security Scan-->MsiExec.exe /X{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}
NVIDIA Drivers-->C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
Oblivion-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x7 -removeonly
Pando Media Booster-->C:\Programme\Pando Networks\Media Booster\uninst.exe
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x7 -removeonly
Rockstar Games Social Club-->"C:\Programme\InstallShield Installation Information\{08B3869E-D282-424C-9AFC-870E04A4BA14}\setup.exe" -runfromtemp -l0x0007 -removeonly
ROSE Online Evolution-->"C:\WINDOWS\ROSE Online Evolution\uninstall.exe" "/U:C:\Programme\Triggersoft\ROSE Online Evolution\Uninstall\uninstall.xml"
Sicherheitsupdate für Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Skype web features-->MsiExec.exe /I{8B53527D-BBB2-43A5-91D7-9ED772FD737F}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Stronghold Crusader-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe"
TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe
TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357}
Uninstall 1.0.0.1-->"C:\Programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe"
Vegas Movie Studio Platinum 9.0-->MsiExec.exe /X{97E038E1-41AD-4C93-BCDC-6A2394AEE352}
VideoLAN VLC media player 0.8.4a-->E:\Programme\VideoLAN\VLC\uninstall.exe
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Encoder 9-Reihe-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9-Reihe-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Programme\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation Language Pack (DEU)-->MsiExec.exe /X{92DF2F1B-F63C-4D9A-B3E1-B2D11AE29790}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation DE Language Pack-->MsiExec.exe /I{7228FD8C-3B9E-4204-AE36-8A466107685B}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C710CEED791003E4D635992B02471584893356A0\amdk8.inf
WinRAR-->C:\Programme\WinRAR\uninstall.exe
World of Warcraft-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT\Uninstall.exe
Xfire (remove only)-->"C:\Programme\Xfire\uninst.exe"
Xilisoft 3GP Video Converter-->C:\Programme\Xilisoft\3GP Video Converter 3\Uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
======Security center information======
AV: Avira AntiVir PersonalEdition
======System event log======
Computer Name: JANN-055EC30FA6
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.
Record Number: 8849
Source Name: EventLog
Time Written: 20090711145008.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 6006
Message: Der Ereignisprotokolldienst wurde beendet.
Record Number: 8848
Source Name: EventLog
Time Written: 20090711144924.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 7036
Message: Dienst "Ati HotKey Poller" befindet sich jetzt im Status "Beendet".
Record Number: 8847
Source Name: Service Control Manager
Time Written: 20090711144914.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 26
Message: Anwendungspopup: Wow: This application has encountered a critical error:
ERROR #134 (0x85100086) Fatal Condition
Program: C:\World of Warcraft\WoW.exe
Failed to read file ENVIRONMENTS\STARS\ICECROWN_CLOUDSA07.blp.
Press OK to terminate the application.
Record Number: 8846
Source Name: Application Popup
Time Written: 20090711144854.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 26
Message: Anwendungspopup: Wow: This application has encountered a critical error:
ERROR #134 (0x85100086) Fatal Condition
Program: C:\World of Warcraft\WoW.exe
Failed to read file ENVIRONMENTS\STARS\ICECROWN_CLOUDSA07.blp.
Press OK to terminate the application.
Record Number: 8845
Source Name: Application Popup
Time Written: 20090711144827.000000+120
Event Type: Informationen
User:
=====Application event log=====
Computer Name: JANN-055EC30FA6
Event Code: 1800
Message: Der Windows-Sicherheitscenterdienst wurde gestartet.
Record Number: 435
Source Name: SecurityCenter
Time Written: 20090511153310.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 4096
Message: Der AntiVir Dienst wurde erfolgreich gestartet!
Record Number: 434
Source Name: Avira AntiVir
Time Written: 20090511153308.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM
Computer Name: JANN-055EC30FA6
Event Code: 105
Message: The service was started.
Record Number: 433
Source Name: ATI Smart
Time Written: 20090511153301.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 4097
Message: Die Anwendung "C:\Programme\ICQ6.5\ICQ.exe" hat einen Programmfehler verursacht.
Datum und Zeit des Fehlers: 10.05.2009 um 21:06:46.953
Ausnahme: c0000005 an Adresse 401074E3 (coolcore49)
Record Number: 432
Source Name: DrWatson
Time Written: 20090510210647.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 1000
Message: Fehlgeschlagene Anwendung icq.exe, Version 6.5.0.1042, fehlgeschlagenes Modul coolcore49.dll, Version 4.9.0.5711, Fehleradresse 0x000074e3.
Record Number: 431
Source Name: Application Error
Time Written: 20090510210643.000000+120
Event Type: Fehler
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programme\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0c00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RGSCLauncher"=E:\Programme\Rockstar Games\Rockstar Games Social Club
"RGSC"=E:\Programme\Rockstar Games\Rockstar Games Social Club\1_0_0_0
-----------------EOF-----------------
|
|
30.07.2009, 22:22
| #7 |
| /// Selecta Jahrusso | Problem mit einem Trojaner b.exe und mas.exe
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
31.07.2009, 15:27
| #8 |
| | Problem mit einem Trojaner b.exe und mas.exe ich glaube das der Virus entfernt wurde , ich bekomm keine Fehlermeldungen mehr und gar nichts. kann das sein? |
|
31.07.2009, 15:37
| #9 |
| /// Selecta Jahrusso | Problem mit einem Trojaner b.exe und mas.exe nein  Das Verschwinden der Symptome bedeutet nicht, dass Dein Rechner schon sauber ist 
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
31.07.2009, 15:41
| #10 |
| | Problem mit einem Trojaner b.exe und mas.exe Achso ok dann lass ich den anderen Scan auch nochmal durchlaufen |
|
01.08.2009, 13:24
| #11 |
| | Problem mit einem Trojaner b.exe und mas.exeCode:
ATTFilter GMER 1.0.15.15011 [9lrc63s6.exe] - http://www.gmer.net
Rootkit scan 2009-08-01 13:31:25
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT splv.sys ZwCreateKey [0xBA6A70E0]
SSDT AAD7728C ZwCreateThread
SSDT splv.sys ZwEnumerateKey [0xBA6C5CA4]
SSDT splv.sys ZwEnumerateValueKey [0xBA6C6032]
SSDT splv.sys ZwOpenKey [0xBA6A70C0]
SSDT AAD77278 ZwOpenProcess
SSDT AAD7727D ZwOpenThread
SSDT splv.sys ZwQueryKey [0xBA6C610A]
SSDT splv.sys ZwQueryValueKey [0xBA6C5F8A]
SSDT splv.sys ZwSetValueKey [0xBA6C619C]
SSDT AAD77287 ZwTerminateProcess
SSDT AAD77282 ZwWriteVirtualMemory
INT 0x62 ? 89DE9BF8
INT 0x63 ? 89DE9BF8
INT 0x73 ? 89DE9BF8
INT 0x82 ? 89DE9BF8
INT 0xA4 ? 89BECBF8
INT 0xB4 ? 89BECBF8
---- Kernel code sections - GMER 1.0.15 ----
? splv.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload B99DE8AC 5 Bytes JMP 89BEC1D8
.text ah10d47y.SYS AA96E386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ah10d47y.SYS AA96E3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ah10d47y.SYS AA96E3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ah10d47y.SYS AA96E3C9 1 Byte [30]
.text ah10d47y.SYS AA96E3C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\Programme\a-squared Free\a2service.exe[1300] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0045493D C:\Programme\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A8042] splv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A813E] splv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A80C0] splv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A8800] splv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A86D6] splv.sys
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ah10d47y.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 89DE81F8
Device \Driver\usbohci \Device\USBPDO-0 89BEB1F8
Device \Driver\usbohci \Device\USBPDO-1 89BEB1F8
Device \Driver\PCI_PNP4750 \Device\00000046 splv.sys
Device \Driver\usbehci \Device\USBPDO-2 89BD31F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89DEA1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Ftdisk \Device\HarddiskVolume2 89DEA1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\Cdrom \Device\CdRom0 89B891F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89DEA1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
Device \Driver\sptd \Device\221006000 splv.sys
Device \Driver\Cdrom \Device\CdRom1 89B891F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88F251F8
Device \Driver\NetBT \Device\NetbiosSmb 88F251F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{18318899-5893-44F2-B5D6-A43B135AB15A} 88F251F8
Device \Driver\usbohci \Device\USBFDO-0 89BEB1F8
Device \Driver\usbohci \Device\USBFDO-1 89BEB1F8
Device \Driver\usbehci \Device\USBFDO-2 89BD31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88DC91F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88DC91F8
Device \Driver\Ftdisk \Device\FtControl 89DEA1F8
Device \Driver\ah10d47y \Device\Scsi\ah10d47y1Port3Path0Target0Lun0 89513500
Device \Driver\ah10d47y \Device\Scsi\ah10d47y1 89513500
Device \FileSystem\Cdfs \Cdfs 88DC11F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272b0acdd
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x68 0x00 0x36 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0x72 0xE6 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x44 0x35 0x1E 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272b0acdd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x68 0x00 0x36 0x10 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0x72 0xE6 0x66 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x44 0x35 0x1E 0xB1 ...
---- EOF - GMER 1.0.15 ----
|
|
01.08.2009, 16:38
| #12 |
| /// Selecta Jahrusso | Problem mit einem Trojaner b.exe und mas.exe Bitte lade Registry Search.zip von Bobbi Flekman runter und speichere es auf deinem Desktop.
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
03.08.2009, 21:15
| #13 |
| | Problem mit einem Trojaner b.exe und mas.exe Ich hoffe ich hab alles richtig gemacht. Code:
ATTFilter Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 03.08.2009 22:14:31 for strings:
; 'nordbull'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...
|
|
03.08.2009, 22:20
| #14 |
| /// Selecta Jahrusso | Problem mit einem Trojaner b.exe und mas.exe schritt 1 Deine Java Version ist nicht aktuell. Deinstalliere bitte alle alten Versionen. Downloade Dir bitte Java Update 14 und installiere diese. schritt 2 Deinstalliere bitte deine aktuelle Version von Adobe Reader Start--> Systemsteuerung--> Software--> Adobe Reader und lade dir die neue Version von Hier herunter Als alternative würde ich dir den schlankeren Foxit Reader empfehlen schritt 3 Was ist Laufwerk F:? Bitte stecke bei diesem Scan alle externen Medien an. Halte dabei dieShift-taste gedrückt Lösche unter C:\RSIT die Log.txt und die info.txt. doppelklick auf die RSIT.exe und poste bitte beide logfiles.
__________________ mfg, Daniel ASAP & UNITE Member Alliance of Security Analysis Professionals Unified Network of Instructors and Trusted Eliminators Lerne, zurück zu schlagen und unterstütze uns! TB Akademie |
|
05.08.2009, 15:18
| #15 |
| | Problem mit einem Trojaner b.exe und mas.exeCode:
ATTFilter info.txt logfile of random's system information tool 1.06 2009-08-05 14:12:30
======Uninstall list======
-->MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis*True*Image-->C:\Programme\Acronis\TrueImage\MediaBuilder.exe -uninstall
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.1-->MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Photoshop Elements 5.0-->msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Reader 9.1 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
a-squared Free 4.5-->"C:\Programme\a-squared Free\unins000.exe"
ATI - Software Uninstall Utility-->C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.3.7 (Unicode)-->"C:\Programme\Audacity 1.3 Beta (Unicode)\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Battlefield 2142-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x7 -removeonly
Corel Paint Shop Pro Photo X2-->MsiExec.exe /X{64E72FB1-2343-4977-B4A8-262CD53D0BD3}
Counter-Strike-->"E:\Steam\steam.exe" steam://uninstall/10
Dark Messiah Might and Magic Single Player-->"E:\Steam\steam.exe" steam://uninstall/2100
Die Sims 2: Open For Business-->C:\Programme\EA GAMES\Die Sims 2 Open For Business\EAUninstall.exe
Die Sims 2: Wilde Campus-Jahre-->E:\Campus\EAUninstall.exe
Die Sims 2-->C:\Programme\EA GAMES\Die Sims 2\EAUninstall.exe
Die Sims™ 2 Haustiere-->E:\Programme\Tiere\EAUninstall.exe
Enemy Territory - QUAKE Wars(TM)-->C:\Programme\InstallShield Installation Information\{B7A585C8-CE4E-4150-84C6-A13C3CB1379F}\setup.exe -runfromtemp -l0x0407
Fahrenheit-->MsiExec.exe /I{BA10AC78-E687-4523-8B93-540428FC256F}
Fiesta-->"C:\Programme\InstallShield Installation Information\{E127B28D-1A2A-45C4-A74E-C817E0A74E3E}\setup.exe" -runfromtemp -l0x0009 -removeonly
Forsaken Ragnarok Online All-In-One-->E:\Program Files\ForsakenRO\Uninstall.exe
Free YouTube to Mp3 Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
FULL CLIENT-->"C:\WINDOWS\FULL CLIENT\uninstall.exe" "/U:E:\Programme\RebirthRO\\Uninstall\uninstall.xml"
Grand Theft Auto IV-->"C:\Programme\InstallShield Installation Information\{579BA58C-F33D-4970-9953-B94B43768AC3}\setup.exe" -runfromtemp -l0x0007 -removeonly
HijackThis 2.0.2-->"C:\Programme\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ICQ6.5-->"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java(TM) 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
Malwarebytes' Anti-Malware-->"C:\Programme\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 German Language Pack-->MsiExec.exe /X{E78BFA60-5393-4C38-82AB-E8019E464EB4}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - DEU\install.exe
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 German Language Pack-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0 German Language Pack\setup.exe
Microsoft .NET Framework 3.0 German Language Pack-->MsiExec.exe /X{F2A7F421-1679-48D5-B918-96999014ED53}
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4D243BA7-9AC4-46D1-90E5-EEB88974F501}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft-Basissmartcard-Kryptografiedienstanbieterpaket-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Morrowind-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Programme\Bethesda Softworks\Morrowind\MWUninstall\Setup.exe" -l0x7
Mozilla Firefox (3.0.13)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Norton PartitionMagic 8.0-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
Norton Security Scan (Symantec Corporation)-->"C:\Programme\Gemeinsame Dateien\Symantec Shared\NSSSetup\{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}_2_0_1\NSSSetup.exe" /X
Norton Security Scan-->MsiExec.exe /X{D16D8A48-65A4-4B19-8A02-DC9A40FB80C4}
NVIDIA Drivers-->C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
Oblivion-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x7 -removeonly
Pando Media Booster-->C:\Programme\Pando Networks\Media Booster\uninst.exe
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x7 -removeonly
Rockstar Games Social Club-->"C:\Programme\InstallShield Installation Information\{08B3869E-D282-424C-9AFC-870E04A4BA14}\setup.exe" -runfromtemp -l0x0007 -removeonly
ROSE Online Evolution-->"C:\WINDOWS\ROSE Online Evolution\uninstall.exe" "/U:C:\Programme\Triggersoft\ROSE Online Evolution\Uninstall\uninstall.xml"
Sicherheitsupdate für Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Skype web features-->MsiExec.exe /I{8B53527D-BBB2-43A5-91D7-9ED772FD737F}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Stronghold Crusader-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\setup.exe"
TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe
TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357}
Uninstall 1.0.0.1-->"C:\Programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe"
Vegas Movie Studio Platinum 9.0-->MsiExec.exe /X{97E038E1-41AD-4C93-BCDC-6A2394AEE352}
VideoLAN VLC media player 0.8.4a-->E:\Programme\VideoLAN\VLC\uninstall.exe
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Encoder 9-Reihe-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9-Reihe-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Programme\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation Language Pack (DEU)-->MsiExec.exe /X{92DF2F1B-F63C-4D9A-B3E1-B2D11AE29790}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation DE Language Pack-->MsiExec.exe /I{7228FD8C-3B9E-4204-AE36-8A466107685B}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)-->C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C710CEED791003E4D635992B02471584893356A0\amdk8.inf
WinRAR-->C:\Programme\WinRAR\uninstall.exe
World of Warcraft-->C:\Programme\Gemeinsame Dateien\Blizzard Entertainment\WORLD OF WARCRAFT\Uninstall.exe
Xfire (remove only)-->"C:\Programme\Xfire\uninst.exe"
Xilisoft 3GP Video Converter-->C:\Programme\Xilisoft\3GP Video Converter 3\Uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe
======Security center information======
AV: Avira AntiVir PersonalEdition (outdated)
======System event log======
Computer Name: JANN-055EC30FA6
Event Code: 6006
Message: Der Ereignisprotokolldienst wurde beendet.
Record Number: 10161
Source Name: EventLog
Time Written: 20090721175058.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 1073
Message: Der Versuch, Neustart auf JANN-055EC30FA6 durchzuführen ist fehlgeschlagen.
Record Number: 10160
Source Name: USER32
Time Written: 20090721175025.000000+120
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM
Computer Name: JANN-055EC30FA6
Event Code: 7036
Message: Dienst "Ati HotKey Poller" befindet sich jetzt im Status "Beendet".
Record Number: 10159
Source Name: Service Control Manager
Time Written: 20090721175012.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 26
Message: Anwendungspopup: Wow: This application has encountered a critical error:
ERROR #134 (0x85100086) Fatal Condition
Program: C:\World of Warcraft\WoW.exe
Failed to read file world\kalimdor\darkshore\passivedoodads\ruins\darkshoreruinwall03.m2.
Press OK to terminate the application.
Record Number: 10158
Source Name: Application Popup
Time Written: 20090721173211.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 4226
Message: TCP/IP hat das Sicherheitslimit erreicht, das für die Anzahl gleichzeitiger TCP-Verbindungsversuche festgelegt wurde.
Record Number: 10157
Source Name: Tcpip
Time Written: 20090721173135.000000+120
Event Type: Warnung
User:
=====Application event log=====
Computer Name: JANN-055EC30FA6
Event Code: 105
Message: The service was started.
Record Number: 437
Source Name: ATI Smart
Time Written: 20090512192329.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 1517
Message: Die Registrierung des Benutzers "JANN-055EC30FA6\Jann" wurde gespeichert, obwohl eine Anwendung oder ein Dienst auf die Registrierung während der Abmeldung zugegriffen hat. Der von der Registrierung des Benutzers verwendete Speicher wurde nicht freigegeben. Der Upload der Registrierung wird durchgeführt, wenn diese nicht mehr verwendet wird.
Dies wird oft durch Dienste verursacht, die unter einem Benutzerkonto ausgeführt werden. Versuchen Sie diese so zu Konfigurieren, dass sie unter den Konten "Lokaler Dienst" oder "Netzwerkdienst" ausgeführt werden.
Record Number: 436
Source Name: Userenv
Time Written: 20090511181606.000000+120
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM
Computer Name: JANN-055EC30FA6
Event Code: 1800
Message: Der Windows-Sicherheitscenterdienst wurde gestartet.
Record Number: 435
Source Name: SecurityCenter
Time Written: 20090511153310.000000+120
Event Type: Informationen
User:
Computer Name: JANN-055EC30FA6
Event Code: 4096
Message: Der AntiVir Dienst wurde erfolgreich gestartet!
Record Number: 434
Source Name: Avira AntiVir
Time Written: 20090511153308.000000+120
Event Type: Informationen
User: NT-AUTORITÄT\SYSTEM
Computer Name: JANN-055EC30FA6
Event Code: 105
Message: The service was started.
Record Number: 433
Source Name: ATI Smart
Time Written: 20090511153301.000000+120
Event Type: Informationen
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programme\ATI Technologies\ATI.ACE\Core-Static
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0c00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RGSCLauncher"=E:\Programme\Rockstar Games\Rockstar Games Social Club
"RGSC"=E:\Programme\Rockstar Games\Rockstar Games Social Club\1_0_0_0
-----------------EOF-----------------
|
|
| Themen zu Problem mit einem Trojaner b.exe und mas.exe |
| antivir, b.exe, beenden, beendet, befindet, compu, endeckt, erklärt, fakealert, gelöst, gestern, interne, internet, leihe, manager, mas.exe, minute, minuten, problem, problem gelöst, prozess, schlau, schlägt, troja, trojaner, trojaner endeckt, wenig |
Linear-Darstellung
