Pests of all kinds and how to fight them: Win32.Trojan.Agent/Win32.Worm.Autorun neutralised with Ad-Aware? (Windows 7) If you are not sure whether you have picked up malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
#1
Win32.Trojan.Agent/Win32.Worm.Autorun neutralised with Ad-Aware?

Hello, below you will find the mbam log, the rsit info and the rsit log in case they are helpful. Now to my problem: it started when I used Soul Seek for the first time. While I was downloading the first tracks, soulseek.exe suddenly disappeared without my doing anything. It was not in the recycle bin and could not be opened from the Start menu either. I ran a full scan with ClamWin, but that found nothing. I then wanted to update Ad-Aware so I could scan with it, but Ad-Aware could no longer access the internet. Since I had the program open, it scanned on its own and I came across the worm by chance. Here is the log file from Ad-Aware:

Logfile created: 05.08.2009 23:14:22
Lavasoft Ad-Aware version: 8.0.7
Extended engine version: 8.1
User performing scan: ***

*********************** Definitions database information ***********************
Lavasoft definition file: 149.0
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Intelligenter Scan (ID: smart)
Objects scanned: 5572
Objects detected: 7

Type Detected
==========================
Processes.......: 2
Registry entries: 2
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 2
Browser hijacks.: 0
MRU objects.....: 0

Removed items:
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *ivwbox* Family Name: Cookies Clean status: Success Item ID: 409247 Family ID: 0

Quarantined items:
Description: c:\program files\windows nt\cmd32.exe Family Name: Win32.Trojan.Agent Clean status: Success Item ID: 741999 Family ID: 936
Description: c:\program files\windows nt\explorer.exe Family Name: Win32.Worm.Autorun Clean status: Success Item ID: 635666 Family ID: 1241
Description: HKU:S-1-5-21-1844237615-606747145-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:HideFileExt Family Name: Win32.Worm.Autorun Clean status: Success Item ID: 36079 Family ID: 1241
Description: HKU:S-1-5-21-1844237615-606747145-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:Hidden Family Name: Win32.Worm.Autorun Clean status: Success Item ID: 414374 Family ID: 1241
Description: c:\autorun.inf Family Name: Win32.Worm.Autorun Clean status: Success Item ID: 65306 Family ID: 1241

Scan and cleaning complete: Finished correctly after 23 seconds

*********************************** Settings ***********************************
Scan profile:
ID: smart, enabled:1, value: Intelligenter Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: scanrootkits, enabled:1, value: true
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480
Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav
Scheduled scan settings:
<Empty>
Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Aug 05 18:06:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Aug 05 18:06:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: de, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language
Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: true
ID: networkprotection, enabled:0, value: true
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: strict, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

****************************** System information ******************************
Computer name: ----------
Processor name: AMD Athlon(tm) XP 2000+
Processor identifier: x86 Family 6 Model 8 Stepping 0
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 2048, number of processors 1
Physical memory available: 327335936 bytes
Physical memory total: 536330240 bytes
Virtual memory available: 2052239360 bytes
Virtual memory total: 2147352576 bytes
Memory load: 38%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 432 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 488 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 512 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 564 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 576 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 728 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 784 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 820 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 868 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 916 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 984 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1056 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1212 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1280 name: C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1584 name: C:\WINDOWS\Explorer.EXE owner: Volker Achow domain: ----------
PID: 1604 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1800 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1880 name: C:\Program Files\Windows NT\explorer.exe owner: *** domain: ----------
PID: 1948 name: E:\Programme\ClamWin\bin\ClamTray.exe owner: *** domain: ----------
PID: 1944 name: C:\Program Files\Ralink\Common\RaUI.exe owner: *** domain: ----------
PID: 1960 name: E:\Programme\Torproject\Vidalia Bundle\Privoxy\privoxy.exe owner: *** domain: ----------
PID: 1956 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: *** domain: ----------
PID: 1972 name: E:\Programme\Adobe Reader\Reader\Reader_sl.exe owner: *** domain: ----------
PID: 2024 name: C:\Program Files\OpenOffice.org 3\program\soffice.exe owner: *** domain: ----------
PID: 2032 name: C:\Program Files\Windows NT\cmd32.exe owner: Volker Achow domain: ----------
PID: 156 name: C:\Program Files\OpenOffice.org 3\program\soffice.bin owner: *** domain: ----------
PID: 472 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: *** domain: ----------
PID: 692 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe owner: *** domain: ----------

Startup items:
Name: _nltide_2 imagepath: regsvr32 /s /n /i:U shell32
Name: WebCheck imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: WPDShServiceObj imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: PostBootReminder imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: SysTray imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: UPnPMonitor imagepath: {e57ce738-33e8-4c51-8354-bb4de9d215d1}
Name: CTFMON.EXE imagepath: C:\WINDOWS\system32\CTFMON.EXE
Name: ClamWin imagepath: "E:\Programme\ClamWin\bin\ClamTray.exe" --logon
Name: Adobe Reader Speed Launcher imagepath: "E:\Programme\Adobe Reader\Reader\Reader_sl.exe"
Name: SunJavaUpdateSched imagepath: "C:\Program Files\Java\jre6\bin\jusched.exe"
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1} imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030} imagepath: Component Categories cache daemon
Name: imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk imagepath: E:\Programme\Torproject\Vidalia Bundle\Privoxy\privoxy.exe
Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk imagepath: C:\Program Files\Ralink\Common\RaUI.exe
Name: imagepath: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name: imagepath: autocheck autochk *

Running services:
Name: AudioSrv displayname: Windows Audio
Name: Browser displayname: Computer Browser
Name: CryptSvc displayname: Cryptographic Services
Name: DcomLaunch displayname: DCOM Server Process Launcher
Name: Dhcp displayname: DHCP Client
Name: dmserver displayname: Logical Disk Manager
Name: Dnscache displayname: DNS Client
Name: ERSvc displayname: Error Reporting Service
Name: Eventlog displayname: Event Log
Name: EventSystem displayname: COM+ Event System
Name: FastUserSwitchingCompatibility displayname: Fast User Switching Compatibility
Name: JavaQuickStarterService displayname: Java Quick Starter
Name: LanmanServer displayname: Server
Name: lanmanworkstation displayname: Workstation
Name: Lavasoft Ad-Aware Service displayname: Lavasoft Ad-Aware Service
Name: LmHosts displayname: TCP/IP NetBIOS Helper
Name: Netman displayname: Network Connections
Name: Nla displayname: Network Location Awareness (NLA)
Name: PlugPlay displayname: Plug and Play
Name: PolicyAgent displayname: IPSEC Services
Name: ProtectedStorage displayname: Protected Storage
Name: RalinkRegistryWriter displayname: Ralink Registry Writer
Name: RasMan displayname: Remote Access Connection Manager
Name: RemoteRegistry displayname: Remote Registry
Name: RpcSs displayname: Remote Procedure Call (RPC)
Name: SamSs displayname: Security Accounts Manager
Name: seclogon displayname: Secondary Logon
Name: SENS displayname: System Event Notification
Name: ShellHWDetection displayname: Shell Hardware Detection
Name: Spooler displayname: Print Spooler
Name: srservice displayname: System Restore Service
Name: SSDPSRV displayname: SSDP Discovery Service
Name: TapiSrv displayname: Telephony
Name: TermService displayname: Terminal Services
Name: Themes displayname: Themes
Name: TrkWks displayname: Distributed Link Tracking Client
Name: W32Time displayname: Windows Time
Name: WebClient displayname: WebClient
Name: winmgmt displayname: Windows Management Instrumentation
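The log above shows the three things an Autorun-family infection typically leaves behind: a drive-root autorun.inf, executables parked under a system-looking directory (here an explorer.exe and a cmd32.exe in C:\Program Files\Windows NT, while the real Explorer runs from C:\WINDOWS), and the Explorer\Advanced values Hidden and HideFileExt flipped so the dropped files stay out of sight. The script below is an added example written for this page, not the poster's code and not Lavasoft's: it pulls the process list and the quarantined items out of a log in Ad-Aware 8's line format, flags processes whose file name is a core Windows binary but whose path is outside %SystemRoot% (assumed to be C:\WINDOWS, the XP default) plus anything else running from the same directory, lists the launch keys an autorun.inf would hand to the shell, and reads back the two registry values. The log excerpt and the autorun.inf are constructed for the example (owner names replaced, paths in the .inf illustrative); nothing here was recovered from the poster's machine.

```python
r"""Triage helpers for an Ad-Aware 8 scan log and an autorun.inf (added example)."""
import re
from pathlib import PureWindowsPath

# Assumption: XP-era layout, %SystemRoot% is C:\WINDOWS and these names live only there.
SYSTEM_ROOT = "c:\\windows"
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "smss.exe", "spoolsv.exe"}

# Constructed excerpt in the Ad-Aware 8 line format (owner names replaced).
SAMPLE_LOG = r"""
Quarantined items:
Description: c:\program files\windows nt\cmd32.exe Family Name: Win32.Trojan.Agent Clean status: Success Item ID: 741999 Family ID: 936
Description: c:\program files\windows nt\explorer.exe Family Name: Win32.Worm.Autorun Clean status: Success Item ID: 635666 Family ID: 1241
Description: HKU:S-1-5-21-1844237615-606747145-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced:HideFileExt Family Name: Win32.Worm.Autorun Clean status: Success Item ID: 36079 Family ID: 1241
Description: c:\autorun.inf Family Name: Win32.Worm.Autorun Clean status: Success Item ID: 65306 Family ID: 1241
Running processes:
PID: 432 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 488 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1584 name: C:\WINDOWS\Explorer.EXE owner: user domain: ----------
PID: 1880 name: C:\Program Files\Windows NT\explorer.exe owner: user domain: ----------
PID: 2032 name: C:\Program Files\Windows NT\cmd32.exe owner: user domain: ----------
"""

# Constructed autorun.inf of the kind an Autorun worm drops at a drive root; the paths
# are illustrative, not recovered from the infected machine.
AUTORUN_SAMPLE = r"""
[autorun]
open=explorer.exe
shellexecute=explorer.exe
shell\open\command=explorer.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

PROC_RE = re.compile(r"PID: (\d+) name: (.+?) owner: ")
QUAR_RE = re.compile(r"Description: (.+?) Family Name: (\S+) Clean status: (\S+)")


def normalize(path):
    r"""Map the NT forms Ad-Aware prints (\??\X:, \SystemRoot) onto a lower-case Win32 path."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    return p.lower()


def parse_processes(log):
    return [(int(m.group(1)), normalize(m.group(2))) for m in PROC_RE.finditer(log)]


def masquerading(processes):
    """Processes named like a core Windows binary but running from outside %SystemRoot%."""
    return [(pid, p) for pid, p in processes
            if PureWindowsPath(p).name in SYSTEM_BINARIES
            and not p.startswith(SYSTEM_ROOT + "\\")]


def colocated(processes, flagged):
    """Everything else running from a directory that holds a masquerading binary."""
    dirs = {str(PureWindowsPath(p).parent) for _, p in flagged}
    return [(pid, p) for pid, p in processes
            if str(PureWindowsPath(p).parent) in dirs and (pid, p) not in flagged]


def parse_quarantined(log):
    """(description, family, clean status) for every Description: line in the log."""
    return [m.groups() for m in QUAR_RE.finditer(log)]


def classify_ioc(description):
    d = description.lower()
    if re.match(r"[a-z]:\\", d):
        return "file"
    if d.startswith(("hku:", "hklm:", "hkcu:", "hkey_")):
        return "registry"
    return "other"


def autorun_launch_targets(inf_text):
    r"""Keys in [autorun] that make the shell run something: open=, shellexecute=,
    shell\<verb>\command=. Keys are case-insensitive; other sections are ignored."""
    targets, in_autorun = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets[k] = value
    return targets


def explorer_view_weakened(values):
    r"""Explorer\Advanced values an Autorun worm flips so its files stay out of sight.
    Hidden: 1 = show hidden files, 2 = do not show. HideFileExt: 1 = hide known extensions."""
    out = []
    if values.get("Hidden") == 2:
        out.append("Hidden=2: hidden files are not shown")
    if values.get("HideFileExt") == 1:
        out.append("HideFileExt=1: extensions hidden, so an .exe with a folder icon passes as a folder")
    return out


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_LOG)
    bad = masquerading(procs)
    for pid, p in bad + colocated(procs, bad):
        print(f"suspicious process {pid}: {p}")
    for desc, family, status in parse_quarantined(SAMPLE_LOG):
        print(f"{classify_ioc(desc):8} {family:20} {status:8} {desc}")
    print(autorun_launch_targets(AUTORUN_SAMPLE))
    print(explorer_view_weakened({"Hidden": 2, "HideFileExt": 1}))
```

Run against the full log in the post, the masquerading rule flags PID 1880 (explorer.exe under Program Files\Windows NT) and the co-location rule picks up PID 2032 (cmd32.exe) beside it, which are exactly the two entries Ad-Aware quarantined. The registry values should be re-read after cleaning: Ad-Aware reports the keys as handled, but the log does not say what it set them to, and the autorun.inf check has to be repeated on every removable drive that was plugged in, since that file, not the executable, is what re-infects the next host.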