Log analysis and evaluation: 'WORM/Agent.XO' and 'TR/Sasfis.zzu.19' [trojan] (Windows 7)
28.01.2010, 18:44 | #1

After AntiVir presented me with the worm yesterday, the trojan was added today. I had the files from the AntiVir quarantine folder checked at "virustotal" - no detection. AntiVir first detected the worm in autoexec.exe, later in 'C:\Users\...\AppData\Roaming\SystemProc\lsass.exe' and C:\Users\...\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5W8CX1ZH\update4303[2].exe. In the SystemProc folder I cannot find the lsass.exe to have it analysed; the folder is empty. Under the Temporary Internet Files there is no Content.IE5 folder. After a renewed scan with Malwarebytes (this time a quick scan) the trojan was no longer shown. Before that, the following message appeared:

Infizierte Verzeichnisse:
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D} (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Trojan.Swisyn) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Windows\flash.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\autoexec.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

CCleaner has just been run.
Here is the logfile:

I would actually like to avoid reformatting, so I would be interested above all in alternative solutions! Can someone perhaps assess how dangerous the worm/trojan is? AntiVir cannot yet. Thanks in advance.
02.02.2010, 09:40 | #2
/// Winkelfunktion /// TB-Süch-Tiger™

Hello and

Quote:
Please do a run with GMER and post the log.
02.02.2010, 13:20 | #3

First of all, thanks Arne.
Here is the requested logfile:
02.02.2010, 13:43 | #4
/// Winkelfunktion /// TB-Süch-Tiger™

OK. Now please make a log with CF: ComboFix - A guide and tutorial on using ComboFix
ComboFix may only be run if an expert helper has explicitly recommended it!

Please always post logfiles in CODE tags
02.02.2010, 15:18 | #5

Servus, here is the logfile from ComboFix:
"c:\users\Andreas Gerth\AppData\Roaming\Toolbars\Toolbar fuer eBay\ebay.dll" [2008-08-14 2484224] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944] [HKEY_CLASSES_ROOT\clsid\{000e148c-f7a7-445a-9044-93bf6ce09ecb}] [HKEY_CLASSES_ROOT\TBSB03968.TBSB03968.3] [HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}] [HKEY_CLASSES_ROOT\TBSB03968.TBSB03968] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1233920] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="RtHDVCpl.exe" [2008-04-01 6025216] "HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2008-03-26 188416] "WisKeyState"="c:\program files\Launch Manager\WisKeyState.exe" [2008-03-07 208896] "LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2008-03-03 258048] "FSCRecovery"="c:\program files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe" [2008-05-08 268096] "AVMWlanClient"="c:\program files\avmwlanstick\FRITZWLANMini.exe" [2006-06-23 343552] "FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2007-06-26 312320] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2009-10-22 1088800] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 
(0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):45,e2,3e,75,a5,fd,c9,01 R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [05.07.2009 22:52 108289] R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\System32\drivers\activhidsermini.sys [05.05.2009 17:25 55936] R3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [01.01.2008 18:02 84240] R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\System32\drivers\netr28.sys [01.01.2008 18:05 313344] R3 prmvmouse;Promethean HID Mouse Service;c:\windows\System32\drivers\activmouse.sys [05.10.2009 17:56 6144] S2 FSCLBaseUpdaterService;FSCLBaseUpdaterService;c:\program files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe [04.06.2007 14:20 65536] S2 gupdate1c9f0429c7a0c50;Google Update Service (gupdate1c9f0429c7a0c50);c:\program files\Google\Update\GoogleUpdate.exe [18.06.2009 19:28 133104] S3 ACTIVhidmini;Promethean USB Board Driver;c:\windows\System32\drivers\ACTIVhidmini.sys [05.10.2009 17:56 80512] S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\System32\drivers\fwlanusb.sys [01.09.2008 19:20 264704] S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [01.01.2008 18:04 118784] . Inhalt des "geplante Tasks" Ordners 2010-02-02 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-18 14:23] 2010-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 18:28] 2010-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 18:28] . . ------- Zusätzlicher Suchlauf ------- . 
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=FUJD&bmod=FUJD mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=FUJD&bmod=FUJD IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\users\Andreas Gerth\AppData\Roaming\Mozilla\Firefox\Profiles\sk0ldbhq.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/ig?ct=1056757711&source=hade FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPJPI150_13.dll FF - plugin: c:\program files\Java\jre1.5.0_13\bin\NPOJI610.dll FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . 
************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-02-02 14:59 Windows 6.0.6002 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'Explorer.exe'(3068) c:\programdata\ACTIV Software\ActivApplications\ActivFocusHook.dll . Zeit der Fertigstellung: 2010-02-02 15:04:16 ComboFix-quarantined-files.txt 2010-02-02 14:04 ComboFix2.txt 2010-02-02 13:42 Vor Suchlauf: 17 Verzeichnis(se), 16.319.975.424 Bytes frei Nach Suchlauf: 18 Verzeichnis(se), 16.300.707.840 Bytes frei - - End Of File - - EFB6AD3C63248760352ED1A5F2AC64F8 |
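As an added example (not part of the thread and not ComboFix's own logic): a small Python triage script that walks the registry loading-point section of a log in the format above and flags the entries a reviewer reads first. It looks for load points whose executable lives in a user-writable location (profile AppData, the Public profile, a temp directory, or the drive root, where the first post's C:\autoexec.exe sat), a core Windows process name such as lsass.exe loading from anywhere but System32 (the AppData\Roaming\SystemProc\lsass.exe pattern from the first post), Run values with an unqualified filename that Windows resolves through the search order (like the "RtHDVCpl"="RtHDVCpl.exe" entry above), and the "EnableLUA"= 0 policy that is visible in this log. The sample log is constructed from lines of the log above plus two invented entries (the lsass and autoexec Run values, under a generic c:\users\user profile) to exercise the rules; the user-writable-location list and the process-name list are assumptions of this example, not rules of ComboFix or the forum.

```python
import re
from dataclasses import dataclass, field

# Core Windows process names: one of these loading from outside System32 is a
# classic masquerade (cf. AppData\Roaming\SystemProc\lsass.exe in the first post).
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "wininit.exe",
}

# Locations an unprivileged user (and thus malware running as that user) can
# write to. Heuristic list, an assumption of this example.
USER_WRITABLE = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I), "user profile AppData"),
    (re.compile(r"^[a-z]:\\users\\public\\", re.I), "Public profile"),
    (re.compile(r"\\temp\\", re.I), "temp directory"),
    (re.compile(r"^[a-z]:\\[^\\]+$", re.I), "drive root"),
]

KEY_LINE = re.compile(r"^\[(.+)\]$")                                  # [HKEY_...]
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"')               # "Name"="path" [date size]
POLICY_LINE = re.compile(r'^"([^"]+)"\s*=\s*(\d+) \(0x[0-9a-f]+\)$', re.I)
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")  # BHO file line
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")  # R2 name;descr;path [..]


@dataclass
class Finding:
    source: str                     # registry key, "service" or "policy"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def classify_path(path: str) -> list:
    """Return the reasons a load-point path deserves a second look (empty if none)."""
    reasons = []
    p = path.strip().lower()
    if not re.match(r"^[a-z]:\\", p):
        return ["unqualified path, resolved via search order"]
    for pattern, label in USER_WRITABLE:
        if pattern.search(p):
            reasons.append(f"executes from {label}")
    basename = p.rsplit("\\", 1)[-1]
    if basename in SYSTEM_PROCESS_NAMES and not re.match(r"^[a-z]:\\windows\\system32\\", p):
        reasons.append("system process name outside System32")
    return reasons


def triage(log_text: str) -> list:
    """Walk the 'Reg Loading Points' section of a ComboFix-style log and collect findings."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_LINE.match(line):
            current_key = m.group(1)
            continue
        if m := POLICY_LINE.match(line):
            if m.group(1).lower() == "enablelua" and m.group(2) == "0":
                findings.append(Finding("policy", "EnableLUA", m.group(2), ["UAC disabled"]))
            continue
        if m := SERVICE_LINE.match(line):
            if reasons := classify_path(m.group(4)):
                findings.append(Finding("service", m.group(2), m.group(4), reasons))
            continue
        if m := VALUE_LINE.match(line):
            name, path = m.group(1), m.group(2)
        elif "Browser Helper Objects" in current_key and (m := FILE_LINE.match(line)):
            name, path = current_key.rsplit("\\", 1)[-1], m.group(1)
        else:
            continue
        if reasons := classify_path(path):
            findings.append(Finding(current_key, name, path, reasons))
    return findings


# Constructed sample: real lines from the log above plus two invented Run values
# ("lsass" and "autoexec") that mirror the first post's detections.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 09:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"lsass"="c:\users\user\AppData\Roaming\SystemProc\lsass.exe" [2010-01-27 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-01 6025216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"autoexec"="c:\autoexec.exe" [2010-01-27 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [05.07.2009 22:52 108289]
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source}\n  {f.name} -> {f.path}\n  " + "; ".join(f.reasons))
```

Run against the sample, the script reports the two invented Run values, the unqualified RtHDVCpl entry and the disabled-UAC policy, and stays silent on the Program Files entries. It deliberately does not try to say what a flagged file is; it only orders the list so that a VirusTotal lookup or a hash comparison starts with the entries that matter.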
02.02.2010, 18:24 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | 'WORM/Agent.XO' and TR/Sasfis.zzu.19' [trojan] That looks good. I am almost inclined to think that MBAM mistakenly identified some piece of malware as Rustock there. Please do one more control scan: open Malwarebytes, update the program, start a full scan and let it remove any findings. Then post the logfile again. |
02.02.2010, 21:56 | #7 |
| 'WORM/Agent.XO' and TR/Sasfis.zzu.19' [trojan] I think that looks quite good. Since my system is very slow anyway (cluttered), my backup DVD will probably come into play. I should now be able to burn my own files safely and copy them onto the new system. Or is that still too dangerous?

Malwarebytes' Anti-Malware 1.44
Database version: 3680
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

02.02.2010 21:52:10
mbam-log-2010-02-02 (21-52-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 232956
Time elapsed: 1 hour(s), 18 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected) |
02.02.2010, 22:02 | #8 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | 'WORM/Agent.XO' and TR/Sasfis.zzu.19' [trojan] Quote:
__________________ Please always post logfiles in CODE tags |
02.02.2010, 22:23 | #9 |
| 'WORM/Agent.XO' and TR/Sasfis.zzu.19' [trojan] Thank you very much! You have helped me a lot. Great board!!! |