| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder daWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
07.09.2009, 15:31
| #1 |
 |  Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da hallo, habe auf meinem acer aspire 5930 mal den CCleaner und dann das Malwarebytes Anti-maleware laufen lassen. dabei wurden beim letzteren 3 infizierte dateien gefunden. habe sie gelöscht und nochmal Malwarebytes durchlaufen lassen und siehe da, die gleichen 3 dateien erscheinen erneut. was kann ich tun??? log: Malwarebytes' Anti-Malware 1.40 Datenbank Version: 2750 Windows 6.0.6002 Service Pack 2 07.09.2009 13:46:30 mbam-log-2009-09-07 (13-46-30).txt Scan-Methode: Vollständiger Scan (C:\|D:\|) Durchsuchte Objekte: 213815 Laufzeit: 1 hour(s), 0 minute(s), 29 second(s) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 3 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: C:\Users\Public\Favorites\netservice.exe (Backdoor.Agent) -> Delete on reboot. C:\Users\Public\Favorites\NginuL_na.exe (Worm.AutoRun) -> Delete on reboot. C:\Users\Public\Favorites\plug\001.dll (Backdoor.Agent) -> Delete on reboot. Natürlich hab ich auch gleich mal die Sache mit RSIT gemacht und die beiden txt.-datein in den Anhang gepackt. Kann mir jemand erklären was da auf meinem notebook so vor sich geht u wie ich den Schaden wieder beheben kann?? Vielen Dank im Voraus tinar |
|
07.09.2009, 20:43
| #2 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da Hallo,
__________________mach bitte einen Durchlauf mit Combofix: ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Wichtig! Bitte die combofix.exe per Rechtsklick, "Ziel speichern unter" unter smss.exe abspeichern! Besonders hartnäckige Malware erkennt eine combofix.exe und würde sich vor ihr gezielt verstecken! Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten. Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so: HTML-Code: [code] Hier das Logfile rein! [/code]
__________________ |
|
08.09.2009, 09:16
| #3 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da hallo arne,
__________________danke für deine antwort. habe jetzt deine anweisungen befolgt. hier der log: Code:
ATTFilter ComboFix 09-09-07.03 - Tina 08.09.2009 9:54.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.43.1031.18.3066.1929 [GMT 2:00]
ausgeführt von:: c:\users\Tina\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1213283760-3574752915-3584318309-500
c:\users\Tina\AppData\Roaming\.#
c:\users\Tina\AppData\Roaming\.#\MBX@68C@1B32990.###
c:\users\Tina\AppData\Roaming\.#\MBX@68C@1B329C0.###
c:\users\Tina\AppData\Roaming\.#\MBX@68C@1B329F0.###
c:\windows\Installer\17f1e6.msi
c:\windows\Installer\29daa.msi
c:\windows\Installer\9599e.msi
c:\windows\Suyin.reg
.
((((((((((((((((((((((( Dateien erstellt von 2009-08-08 bis 2009-09-08 ))))))))))))))))))))))))))))))
.
2009-09-08 08:05 . 2009-09-08 08:05 -------- d-----w- c:\users\Tina\AppData\Local\temp
2009-09-08 08:05 . 2009-09-08 08:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-08 06:54 . 2009-09-08 06:54 -------- d-----w- c:\program files\CCleaner
2009-09-07 14:22 . 2009-09-07 14:22 -------- d-----w- c:\program files\trend micro
2009-09-07 14:22 . 2009-09-07 14:22 -------- d-----w- C:\rsit
2009-09-07 06:58 . 2009-09-07 06:58 -------- d-----w- c:\users\Tina\AppData\Roaming\Malwarebytes
2009-09-07 06:58 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 06:58 . 2009-09-07 06:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 06:58 . 2009-09-07 06:58 -------- d-----w- c:\programdata\Malwarebytes
2009-09-07 06:58 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 09:56 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-02 09:55 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-30 18:34 . 2009-08-30 18:34 -------- d-----w- c:\users\Tina\AppData\Local\Seven Zip
2009-08-27 14:26 . 2009-08-27 14:26 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-08-27 08:19 . 2009-08-27 08:19 -------- d-----w- c:\users\Tina\Office Genuine Advantage
2009-08-27 08:06 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-12 07:55 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 07:55 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 07:55 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 07:54 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 07:47 . 2008-05-08 03:32 618442 ----a-w- c:\windows\system32\perfh007.dat
2009-09-08 07:47 . 2008-05-08 03:32 122842 ----a-w- c:\windows\system32\perfc007.dat
2009-09-08 07:26 . 2009-03-03 17:36 -------- d-----w- c:\programdata\NCH Swift Sound
2009-09-06 17:45 . 2009-01-09 10:54 -------- d-----w- c:\users\Tina\AppData\Roaming\Azureus
2009-08-30 19:00 . 2008-05-07 17:52 -------- d-----w- c:\program files\Acer GameZone
2009-08-22 08:53 . 2009-01-12 06:12 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-14 09:54 . 2009-03-02 21:51 -------- d-----w- c:\program files\Nokia
2009-08-12 08:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-06 14:00 . 2009-01-09 10:54 -------- d-----w- c:\program files\Vuze
2009-08-06 13:12 . 2009-05-27 08:20 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:07 . 2009-08-03 13:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 13:07 . 2009-08-03 13:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 13:07 . 2009-08-03 13:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-01 18:28 . 2009-01-08 19:05 27744 ----a-w- c:\programdata\nvModes.dat
2009-08-01 17:32 . 2009-01-20 15:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-24 21:09 . 2009-07-24 21:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-24 21:04 . 2009-07-24 21:04 -------- d-----w- c:\program files\Common Files\PCSuite
2009-07-24 21:04 . 2009-07-24 21:04 -------- d-----w- c:\program files\Common Files\Nokia
2009-07-24 21:03 . 2009-03-03 17:35 -------- d-----w- c:\program files\NCH Swift Sound
2009-07-24 21:03 . 2009-03-02 21:54 -------- d-----w- c:\program files\DIFX
2009-07-24 21:02 . 2009-07-24 21:02 -------- d-----w- c:\program files\PC Connectivity Solution
2009-07-24 20:56 . 2009-03-02 21:51 -------- d-----w- c:\programdata\Installations
2009-07-24 20:34 . 2009-07-24 20:34 -------- d-----w- c:\program files\NCH Software
2009-07-24 20:34 . 2009-03-03 17:36 -------- d-----w- c:\users\Tina\AppData\Roaming\NCH Swift Sound
2009-07-21 21:52 . 2009-07-30 11:39 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 11:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 11:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 11:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-15 12:40 . 2009-08-12 07:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 07:56 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 07:56 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 07:56 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-06-26 20:55 . 2009-06-26 20:55 66080 ----a-w- c:\windows\system32\drivers\nvhda32v.sys
2009-06-26 20:54 . 2009-06-26 20:54 57344 ----a-w- c:\windows\system32\nvapo32v.dll
2009-06-26 20:54 . 2009-06-26 20:54 19456 ----a-w- c:\windows\system32\nvhdap32.dll
2009-06-24 20:07 . 2008-09-03 16:26 151552 ----a-w- c:\windows\system32\nvcohda.dll
2009-06-24 20:07 . 2009-06-24 20:07 485920 ----a-w- c:\windows\system32\nvuhda.exe
2009-06-24 20:07 . 2008-09-03 06:46 485920 ----a-w- c:\windows\system32\nvuninst.exe
2009-06-15 23:15 . 2009-08-12 07:56 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 14:54 . 2009-08-12 07:56 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 14:53 . 2009-07-15 06:44 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:53 . 2009-08-12 07:56 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 14:53 . 2009-08-12 07:56 270848 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 14:53 . 2009-08-12 07:56 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 14:52 . 2009-08-12 07:56 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 14:52 . 2009-07-15 06:44 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-08-12 07:56 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 14:52 . 2009-07-15 06:44 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-15 06:44 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:48 . 2009-08-12 07:56 9728 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 12:42 . 2009-07-15 06:44 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-09-03 16:29 . 2008-09-03 16:28 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-04 21:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-19 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-19 92704]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-25 809480]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-03-07 544768]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-04 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-04-30 397312]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-25 6111232]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
openvpn-gui-1.0.3 - Verknpfung.lnk - c:\program files\OpenVPN\bin\openvpn-gui-1.0.3.exe [2007-4-26 104968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):33,24,e7,c5,98,de,c9,01
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5AD711F2-CD42-429E-818E-E2A72FAD3FF2}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{2DB9864A-7249-4E0B-9B05-84DF35F6E304}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{1078D01E-5551-4BBA-B6D4-0A4CB6DB4C87}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{0515AB49-D391-4A91-8DAF-53C4D3C2F355}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{663E24DB-746F-4613-A025-711B5352DF9A}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{31A2002C-2D07-4788-A180-D1FB7DF92E6E}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{CD04A254-A2E8-4ADB-96D2-91074CD83499}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{F8E54DE7-41B5-4DD2-A261-D946D7440FDA}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{EB293C86-F9EA-4CBE-883F-CCFAF47ABFD8}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{24871FD4-B030-4B6C-B327-2D144DF2C6DB}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PlayMovie.exe:Acer Play Movie
"{1DCFB0D9-BB65-49A4-A415-034A10AA8F0F}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe:Acer Play Movie Resident Program
"{EE90021A-91EA-4C55-B3F7-536169B6240A}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:Acer HomeMedia
"TCP Query User{CBC64765-7F7E-4483-808A-59D6690AC2BC}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{530A262B-EB7C-4597-ABDF-D1556C6D2DBA}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{C4B520CB-53DE-44EB-80C3-F66727E9EBC5}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{5BDB02D6-FA41-4EE0-A7E0-A32A5F41D933}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java(TM) Platform SE binary
"{0878B95E-89BD-41D0-8348-699FC8787D32}"= c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{0633E73E-813E-488A-A597-BEAE22BA6C8E}"= c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{ADCFDB3F-400C-4EE4-96AA-3F1089227BC4}"= c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{7B9DEB3B-4AF4-4BAE-B8D1-38A55F391D5F}"= c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{DE81F683-3FE4-4218-B79A-38B9451214D4}"= c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{250901CB-94F4-4979-A3FF-12034AD59591}"= c:\program files\HP\Digital Imaging\bin\hpqcopy2.exe:hpqcopy2.exe
"{A9E3AAE9-BEE9-4A4B-909E-B6BD1E3CCA6B}"= c:\program files\HP\Digital Imaging\bin\hpqgplgtupl.exe:hpqgplgtupl.exe
"{80FF3CDE-95FC-480D-9464-0A3982EDAF42}"= c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe:hpqgpc01.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [03.09.2008 09:10 61424]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [27.05.2009 10:20 108289]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [03.03.2008 13:11 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [03.09.2008 09:11 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [07.05.2008 20:06 24576]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [06.04.2008 22:42 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [03.09.2008 09:11 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [04.04.2008 03:03 131072]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [03.09.2008 08:56 233472]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [30.03.2009 16:28 1533808]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17.11.2008 08:40 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [26.06.2009 22:55 66080]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\System32\drivers\tap0901.sys [26.04.2007 01:53 25088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [21.01.2008 04:23 179712]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [08.01.2009 20:21 24064]
S3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [03.09.2008 08:55 84240]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
HKLM-Run-eRecoveryService - (no file)
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0c07&s=2&o=vp32&d=0908&m=aspire_5930
uInternet Settings,ProxyServer = http=proxy.uni-klu.ac.at:3128
uInternet Settings,ProxyOverride = <local>
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Tina\AppData\Roaming\Mozilla\Firefox\Profiles\deui0wsy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - hxxps://campus.uni-klu.ac.at/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1434207&SearchSource=2&q=
FF - prefs.js: network.proxy.http - proxy.uni-klu.ac.at
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 4
FF - component: c:\users\Tina\AppData\Roaming\Mozilla\Firefox\Profiles\deui0wsy.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 10:05
Windows 6.0.6002 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2009-09-08 10:08
ComboFix-quarantined-files.txt 2009-09-08 08:08
Vor Suchlauf: 13 Verzeichnis(se), 97.038.999.552 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 96.973.221.888 Bytes frei
257 --- E O F --- 2009-09-04 16:50
tinar |
|
08.09.2009, 17:09
| #5 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da guten abend, so hab Malwarebytes u RSIT nochmal durchlaufen lassen: Code:
ATTFilter Malwarebytes' Anti-Malware 1.40
Datenbank Version: 2750
Windows 6.0.6002 Service Pack 2
08.09.2009 14:48:43
mbam-log-2009-09-08 (14-48-43).txt
Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 215210
Laufzeit: 47 minute(s), 41 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
C:\Users\Public\Favorites\netservice.exe (Backdoor.Agent) -> Delete on reboot.
C:\Users\Public\Favorites\NginuL_na.exe (Worm.AutoRun) -> Delete on reboot.
C:\Users\Public\Favorites\plug\001.dll (Backdoor.Agent) -> Delete on reboot.
|
|
08.09.2009, 17:13
| #6 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da und wie versprochen der log von RSIT vom 2. durchlauf - muss diesen aber auf 2 beiträge aufteilen Code:
ATTFilter Logfile of random's system information tool 1.06 (written by random/random) Run by Tina at 2009-09-08 18:06:12 Microsoft® Windows Vista™ Home Premium Service Pack 2 System drive C: has 92 GB (63%) free of 146 GB Total RAM: 3066 MB (70% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:06:23, on 08.09.2009 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18813) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Windows\System32\rundll32.exe C:\Windows\RtHDVCpl.exe C:\Windows\PLFSetI.exe C:\Users\Tina\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\ehome\ehmsas.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Users\Tina\Desktop\RSIT.exe C:\Program Files\trend micro\Tina.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0c07&s=2&o=vp32&d=0908&m=aspire_5930 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - - (no file) O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.415.1646\swg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe" O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe O4 - Global Startup: openvpn-gui-1.0.3 - Verknüpfung.lnk = C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- End of file - 7790 bytes ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}] Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-09 320920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}] Windows Live ID-Anmelde-Hilfsprogramm - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2009-01-08 2575160] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.415.1646\swg.dll [2009-01-08 736240] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-09 34816] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}] HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2008-03-27 501056] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {0BF43445-2F28-4351-9252-17FE6E806AA0} {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-03-04 142896] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2009-01-08 2575160] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184] "SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-02-22 1037608] "NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-07-19 13543968] "NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-07-19 92704] "RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-04-25 6111232] "PLFSetI"=C:\Windows\PLFSetI.exe [2007-10-23 200704] "LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2008-07-25 809480] "eAudio"=C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe [2008-03-07 544768] "eDataSecurity Loader"=C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [2008-03-04 526896] "ePower_DMC"=C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe [2008-04-30 397312] "WarReg_PopUp"=C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe [2008-01-29 303104] "avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-21 125952] "Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent] C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe [2008-04-10 147456] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray] C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe [2008-04-06 34040] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-01-08 24064] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-09 136600] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup openvpn-gui-1.0.3 - Verknüpfung.lnk - C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= [] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 "EnableUIADesktopToggle"=0 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDrives"=0 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "BindDirectlyToPropertySetStorage"= "NoDrives"= [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b7d259f-8b2c-11de-bc8d-001d72c72dd5}] shell\AutoRun\command - F:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d201cbfe-ddca-11dd-866a-0016ea4f0ecc}] shell\AutoRun\command - F:\AutoRun.exe ======File associations====== .js - edit - C:\Windows\System32\Notepad.exe %1 .js - open - C:\Windows\System32\WScript.exe "%1" %* ======List of files/folders created in the last 1 months====== 2009-09-08 10:08:50 ----SHD---- C:\$RECYCLE.BIN 2009-09-08 10:08:48 ----A---- C:\ComboFix.txt 2009-09-08 10:05:37 ----D---- C:\Windows\temp 2009-09-08 09:53:01 ----A---- C:\Windows\zip.exe 2009-09-08 09:53:01 ----A---- C:\Windows\SWXCACLS.exe 2009-09-08 09:53:01 ----A---- C:\Windows\SWSC.exe 2009-09-08 09:53:01 ----A---- C:\Windows\SWREG.exe 2009-09-08 09:53:01 ----A---- C:\Windows\sed.exe 2009-09-08 09:53:01 ----A---- C:\Windows\PEV.exe 2009-09-08 09:53:01 ----A---- C:\Windows\NIRCMD.exe 2009-09-08 09:53:01 ----A---- C:\Windows\grep.exe 2009-09-08 09:52:52 ----SD---- C:\ComboFix 2009-09-08 09:52:52 ----D---- C:\Windows\ERDNT 2009-09-08 09:51:43 ----D---- C:\Qoobox 2009-09-08 08:54:53 ----D---- C:\Program Files\CCleaner 2009-09-07 16:22:12 ----D---- C:\Program Files\trend micro 2009-09-07 16:22:11 ----D---- C:\rsit 2009-09-07 08:58:12 ----D---- C:\Users\Tina\AppData\Roaming\Malwarebytes 2009-09-07 08:58:02 ----D---- C:\ProgramData\Malwarebytes 2009-09-07 08:58:02 ----D---- C:\Program Files\Malwarebytes' Anti-Malware 2009-09-02 11:56:00 ----A---- C:\Windows\system32\Apphlpdm.dll 2009-09-02 11:55:59 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll 2009-08-27 16:26:09 ----D---- C:\ProgramData\Office Genuine Advantage 2009-08-27 10:06:57 ----A---- C:\Windows\system32\tzres.dll 2009-08-12 09:56:59 ----A---- C:\Windows\system32\wdigest.dll 2009-08-12 09:56:59 ----A---- C:\Windows\system32\schannel.dll 2009-08-12 09:56:59 ----A---- C:\Windows\system32\msv1_0.dll 2009-08-12 09:56:59 ----A---- C:\Windows\system32\kerberos.dll 2009-08-12 09:56:58 ----A---- C:\Windows\system32\lsasrv.dll 2009-08-12 09:56:57 ----A---- C:\Windows\system32\secur32.dll 2009-08-12 09:56:57 ----A---- C:\Windows\system32\lsass.exe 2009-08-12 09:56:48 ----A---- C:\Windows\system32\wmp.dll 2009-08-12 09:56:46 ----A---- C:\Windows\system32\wmpdxm.dll 2009-08-12 09:56:46 ----A---- C:\Windows\system32\dxmasf.dll 2009-08-12 09:56:45 ----A---- C:\Windows\system32\wmploc.DLL 2009-08-12 09:56:45 ----A---- C:\Windows\system32\spwmp.dll 2009-08-12 09:55:42 ----A---- C:\Windows\system32\mstscax.dll 2009-08-12 09:55:04 ----A---- C:\Windows\system32\wkssvc.dll 2009-08-12 09:55:01 ----A---- C:\Windows\system32\atl.dll 2009-08-12 09:54:59 ----A---- C:\Windows\system32\avifil32.dll |
|
08.09.2009, 17:14
| #7 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da und der dritte teil... Code:
ATTFilter
======List of files/folders modified in the last 1 months======
2009-09-08 14:57:37 ----D---- C:\Windows\System32
2009-09-08 14:57:37 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-09-08 14:57:36 ----D---- C:\Windows\inf
2009-09-08 14:52:28 ----D---- C:\Users\Tina\AppData\Roaming\Azureus
2009-09-08 14:49:37 ----D---- C:\Windows\system32\drivers
2009-09-08 14:49:37 ----D---- C:\Windows
2009-09-08 10:08:55 ----D---- C:\Windows\system32\de-DE
2009-09-08 10:05:56 ----A---- C:\Windows\system.ini
2009-09-08 10:04:51 ----SHD---- C:\Windows\Installer
2009-09-08 10:00:52 ----D---- C:\Windows\AppPatch
2009-09-08 10:00:50 ----D---- C:\Program Files\Common Files
2009-09-08 09:52:50 ----D---- C:\Windows\Prefetch
2009-09-08 09:26:13 ----D---- C:\ProgramData\NCH Swift Sound
2009-09-08 08:54:53 ----RD---- C:\Program Files
2009-09-07 18:01:25 ----SHD---- C:\System Volume Information
2009-09-07 08:58:02 ----HD---- C:\ProgramData
2009-09-02 19:50:51 ----D---- C:\Windows\system32\catroot2
2009-09-02 18:40:07 ----D---- C:\Windows\winsxs
2009-09-02 18:29:39 ----D---- C:\Windows\system32\catroot
2009-08-30 21:00:29 ----D---- C:\Program Files\Acer GameZone
2009-08-30 20:34:58 ----SHD---- C:\Config.Msi
2009-08-30 20:04:21 ----D---- C:\Program Files\Mozilla Firefox
2009-08-30 19:59:08 ----D---- C:\Windows\Debug
2009-08-28 07:41:37 ----D---- C:\Windows\rescache
2009-08-27 10:06:28 ----D---- C:\Windows\system32\zh-TW
2009-08-27 10:06:28 ----D---- C:\Windows\system32\zh-HK
2009-08-27 10:06:28 ----D---- C:\Windows\system32\tr-TR
2009-08-27 10:06:28 ----D---- C:\Windows\system32\sv-SE
2009-08-27 10:06:28 ----D---- C:\Windows\system32\pt-BR
2009-08-27 10:06:28 ----D---- C:\Windows\system32\nl-NL
2009-08-27 10:06:28 ----D---- C:\Windows\system32\nb-NO
2009-08-27 10:06:28 ----D---- C:\Windows\system32\ko-KR
2009-08-27 10:06:28 ----D---- C:\Windows\system32\it-IT
2009-08-27 10:06:28 ----D---- C:\Windows\system32\he-IL
2009-08-27 10:06:28 ----D---- C:\Windows\system32\fr-FR
2009-08-27 10:06:28 ----D---- C:\Windows\system32\fi-FI
2009-08-27 10:06:28 ----D---- C:\Windows\system32\es-ES
2009-08-27 10:06:28 ----D---- C:\Windows\system32\en-US
2009-08-27 10:06:28 ----D---- C:\Windows\system32\el-GR
2009-08-27 10:06:28 ----D---- C:\Windows\system32\da-DK
2009-08-27 10:06:28 ----D---- C:\Windows\system32\ar-SA
2009-08-27 10:06:15 ----D---- C:\Program Files\Internet Explorer
2009-08-22 10:53:23 ----D---- C:\Program Files\Mozilla Thunderbird
2009-08-17 16:57:02 ----D---- C:\Windows\ModemLogs
2009-08-14 11:54:59 ----D---- C:\Program Files\Nokia
2009-08-14 11:29:54 ----SD---- C:\Users\Tina\AppData\Roaming\Microsoft
2009-08-14 09:14:10 ----D---- C:\Program Files\Common Files\microsoft shared
2009-08-12 10:16:33 ----D---- C:\Program Files\Windows Media Player
2009-08-12 10:10:10 ----D---- C:\Program Files\Windows Mail
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-05-28 96104]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-06-09 28520]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-08-06 55656]
R2 int15;int15; \??\C:\Windows\system32\drivers\int15.sys [2008-03-21 15392]
R2 irda;IrDA Protocol; C:\Windows\system32\DRIVERS\irda.sys [2008-01-21 95744]
R2 NTIPPKernel;NTIPPKernel; \??\C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-16 122368]
R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2008-03-04 16944]
R2 psdvdisk;PSDVdisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2008-03-04 60464]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2008-03-01 1202560]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-03 21264]
R3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2007-08-08 101504]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-04-25 2126688]
R3 KMWDFILTER;HIDUASDesc; C:\Windows\system32\DRIVERS\KMWDFILTER.sys [2008-10-09 17408]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2008-01-31 14848]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver; C:\Windows\system32\drivers\nvhda32v.sys [2009-06-26 66080]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-07-19 7545824]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-02-22 198064]
R3 tap0901;TAP-Win32 Adapter V9; C:\Windows\system32\DRIVERS\tap0901.sys [2007-04-26 25088]
R3 usbvideo;USB-Videogerät (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-21 11264]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2008-02-21 299008]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
S3 catchme;catchme; \??\C:\Users\Tina\AppData\Local\Temp\catchme.sys []
S3 Dot4;MS IEEE-1284.4-Treiber; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-21 131584]
S3 Dot4Print;Druckerklassentreiber für IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-21 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-21 36864]
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-21 200704]
S3 JMCR;JMCR; C:\Windows\system32\DRIVERS\jmcr.sys [2008-04-12 84240]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 nmwcd;Nokia USB Phone Parent; C:\Windows\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\Windows\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 NSCIRDA;NSC Infrared Device Driver; C:\Windows\system32\DRIVERS\nscirda.sys [2008-01-21 30720]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\Windows\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-21 88576]
S3 upperdev;upperdev; C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbscan;USB-Scannertreiber; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]
S3 usbser;USB Modem Driver; C:\Windows\system32\DRIVERS\usbser.sys [2009-04-11 27648]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2008-01-21 654336]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-21 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2008-03-18 13312]
R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-06-09 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-06 185089]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 CLHNService;CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-16 81504]
R2 eDataSecurity Service;eDataSecurity Service; C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [2008-03-04 500784]
R2 ETService;Empowering Technology Service; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2008-10-16 860160]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 Irmon;@%SystemRoot%\System32\irmon.dll,-2000; C:\Windows\system32\svchost.exe [2008-01-21 21504]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2007-12-06 110592]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-21 21504]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-06 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service; C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-07-19 196608]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-21 21504]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2008-10-16 466944]
R2 RS_Service;Raw Socket Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [2008-01-10 233472]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-21 21504]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-01-08 24064]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-08 138168]
S3 OpenVPNService;OpenVPN Service; C:\Program Files\OpenVPN\bin\openvpnserv.exe [2007-04-26 16384]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-06-02 637952]
-----------------EOF-----------------
liebe grüße tinar |
|
08.09.2009, 18:37
| #8 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da Anleitung Avenger (by swandog46) Lade dir das Tool Avenger und speichere es auf dem Desktop:
Code:
ATTFilter files to delete:
C:\Users\Public\Favorites\netservice.exe
C:\Users\Public\Favorites\NginuL_na.exe
C:\Users\Public\Favorites\plug\001.dll
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
09.09.2009, 06:08
| #9 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da guten morgen, hab das mit dem avenger jetz gemacht. Code:
ATTFilter Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file "C:\Users\Public\Favorites\netservice.exe"
Deletion of file "C:\Users\Public\Favorites\netservice.exe" failed!
Status: 0xc0000280
Error: could not open file "C:\Users\Public\Favorites\NginuL_na.exe"
Deletion of file "C:\Users\Public\Favorites\NginuL_na.exe" failed!
Status: 0xc0000280
Error: could not open file "C:\Users\Public\Favorites\plug\001.dll"
Deletion of file "C:\Users\Public\Favorites\plug\001.dll" failed!
Status: 0xc0000280
Completed script processing.
*******************
Finished! Terminate.
tinar |
|
09.09.2009, 08:17
| #10 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da *hmpf* das war nicht so erfolgreich... Mach das gleiche bitte nochmal mit dem Avenger, nur diesmal dieses Script hier benutzen: Code:
ATTFilter folders to delete:
C:\Users\Public\Favorites
__________________ Logfiles bitte immer in CODE-Tags posten |
|
09.09.2009, 13:06
| #11 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da so habs nochmal mit dem anderen input gemacht... Code:
ATTFilter Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open folder "C:\Users\Public\Favorites"
Deletion of folder "C:\Users\Public\Favorites" failed!
Status: 0xc0000280
Completed script processing.
*******************
Finished! Terminate.
|
|
09.09.2009, 18:22
| #12 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da Moin, das hat alles schon seine Richtigkeit. John.Doe hat mir eben per PN mitgeteilt, dass Malwarebytes anscheinend etwas "findet" was garnicht mehr da ist.
__________________ Logfiles bitte immer in CODE-Tags posten |
|
09.09.2009, 19:39
| #13 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da abend, na dann kann ja heut mal beruhigt schlafen  vielen dank für alles!!!!! |
|
09.09.2009, 19:41
| #14 |
| /// Winkelfunktion /// TB-Süch-Tiger™ |  Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da Achso, hier noch der Link dazu => http://www.trojaner-board.de/75770-info-falschmeldung-malwarebytes.html
__________________ Logfiles bitte immer in CODE-Tags posten |
|
10.09.2009, 14:24
| #15 |
| | Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da leider ist es mir nicht erlaubt den link u öffnen.... liebe grüße tinar |
|
| Themen zu Backdoor.Agent und Worm.AutoRun entdeckt - gelöscht - aber trotzdem wieder da |
| .dll, a.exe, acer, acer aspire, anhang, anti-malware, aspire, backdoor.agent, beheben, bösartige, ccleaner, dateien, entdeck, entdeckt, erklären, gelöscht, infizierte, infizierte dateien, laufen, malwarebytes, minute, notebook, registrierungsschlüssel, rsit, sache, service, service.exe, version, verzeichnisse, worm.autorun |
Linear-Darstellung
