here is the file:
Combofix Logfile:
Code:
ComboFix 10-07-04.04 - *** 05.07.2010 20:57:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3066.1882 [GMT 2:00]
ausgeführt von:: c:\users\***\Desktop\cofi.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\***\AppData\Local\TempDIR
c:\users\***\AppData\Local\TempDIR\WindowsXP-KB893357-v2-x86-DEU.exe
c:\users\***\AppData\Local\TempDIR\WindowsXP-KB917021-v3-x86-DEU.exe
.
((((((((((((((((((((((( Dateien erstellt von 2010-06-05 bis 2010-07-05 ))))))))))))))))))))))))))))))
.
2010-07-05 19:03 . 2010-07-05 19:03 -------- d-----w- c:\users\***\AppData\Local\temp
2010-07-05 19:03 . 2010-07-05 19:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-05 18:39 . 2010-07-05 18:39 -------- d-----w- c:\users\***\AppData\Roaming\HPAppData
2010-07-05 18:05 . 2010-07-05 18:05 -------- d-----w- C:\_OTL
2010-07-02 20:45 . 2010-07-02 20:45 -------- d-----w- c:\users\***\AppData\Roaming\Malwarebytes
2010-07-02 20:44 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-02 20:44 . 2010-07-02 20:44 -------- d-----w- c:\programdata\Malwarebytes
2010-07-02 20:44 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-02 20:44 . 2010-07-02 20:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 20:10 . 2010-06-25 06:28 -------- d-----w- c:\users\***\AppData\Roaming\HpUpdate
2010-06-24 20:09 . 2010-06-24 20:09 -------- d-----w- c:\windows\Hewlett-Packard
2010-06-23 16:31 . 2009-11-08 08:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 16:31 . 2009-11-08 08:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 16:31 . 2009-11-08 08:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 16:31 . 2009-11-08 08:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 16:31 . 2009-11-08 08:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 13:54 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 13:54 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-16 13:51 . 2010-06-16 13:51 -------- d-----w- c:\users\***\AppData\Local\AOL
2010-06-16 13:51 . 2010-06-16 13:56 -------- d-----w- c:\program files\ICQ7.2
2010-06-09 17:02 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-05 18:31 . 2009-10-13 20:23 -------- d-----w- c:\users\***\AppData\Roaming\Skype
2010-07-05 18:06 . 2009-08-18 01:38 48544 ----a-w- c:\programdata\nvModes.dat
2010-07-05 18:03 . 2009-10-13 21:29 -------- d-----w- c:\users\***\AppData\Roaming\ICQ
2010-07-05 15:22 . 2009-10-13 20:25 -------- d-----w- c:\users\***\AppData\Roaming\skypePM
2010-07-02 06:41 . 2009-03-26 01:15 628742 ----a-w- c:\windows\system32\perfh007.dat
2010-07-02 06:41 . 2009-03-26 01:15 126454 ----a-w- c:\windows\system32\perfc007.dat
2010-06-24 20:11 . 2009-11-05 13:00 -------- d-----w- c:\program files\HP
2010-06-23 16:32 . 2009-03-25 17:36 -------- d-----w- c:\program files\Microsoft.NET
2010-06-16 13:51 . 2009-10-13 21:28 -------- d-----w- c:\program files\ICQ6.5
2010-06-16 13:51 . 2009-03-04 19:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-09 21:46 . 2009-11-05 12:58 -------- d-----w- c:\programdata\HP
2010-06-09 17:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-09 17:08 . 2009-03-25 17:35 -------- d-----w- c:\programdata\Microsoft Help
2010-06-05 08:42 . 2010-06-05 08:42 -------- d-----w- c:\users\***\AppData\Roaming\Engelmann Media
2010-06-04 11:17 . 2009-10-20 09:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-30 08:53 . 2010-05-30 08:53 -------- d-----w- c:\program files\Common Files\Skype
2010-05-28 16:56 . 2009-10-13 20:13 -------- d-----w- c:\program files\CCleaner
2010-05-27 08:08 . 2009-10-13 16:56 72208 ----a-w- c:\users\***\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-27 07:42 . 2010-05-27 07:42 23685 ----a-w- c:\windows\hpqins15.dat
2010-05-27 07:40 . 2010-05-27 07:37 78209 ----a-w- c:\windows\hpqins05.dat
2010-05-27 07:39 . 2010-05-27 07:39 -------- d-----w- c:\programdata\HP Product Assistant
2010-05-26 17:06 . 2010-06-09 17:01 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 17:01 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-24 15:44 . 2010-05-24 15:41 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-24 09:01 . 2010-05-24 09:01 -------- d-----w- c:\programdata\PC Suite
2010-05-24 09:01 . 2010-05-24 09:01 -------- d-----w- c:\users\***\AppData\Roaming\PC Suite
2010-05-24 08:58 . 2010-05-24 08:58 -------- d-----w- c:\program files\MarkAnyContentSAFER
2010-05-24 08:57 . 2007-10-25 15:26 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-05-24 08:56 . 2010-05-24 08:46 89280248 ----a-w- c:\users\***\AppData\Roaming\Samsung\New PC Studio\LiveUpdate\Setup_For_Full_Update_IH2_7.exe
2010-05-24 08:46 . 2010-05-24 08:34 -------- d-----w- c:\program files\Samsung
2010-05-24 08:46 . 2010-05-24 08:46 -------- d-----w- c:\program files\DIFX
2010-05-24 08:46 . 2010-05-24 08:35 -------- d-----w- c:\program files\PC Connectivity Solution
2010-05-24 08:35 . 2010-05-24 08:35 -------- d-----w- c:\users\***\AppData\Roaming\Samsung
2010-05-24 08:35 . 2010-05-24 08:35 -------- d-----w- c:\program files\MarkAny
2010-05-24 08:31 . 2009-03-25 17:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-21 12:14 . 2009-10-14 10:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-19 16:56 . 2010-05-19 16:43 188740 ----a-w- c:\windows\hpoins28.dat
2010-05-04 05:59 . 2010-06-09 17:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 17:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 17:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 17:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-09 17:01 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 21:27 . 2010-04-30 21:27 680 ----a-w- c:\users\***\AppData\Local\d3d9caps.dat
2010-04-23 14:13 . 2010-05-26 07:46 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 16:43 . 2010-06-23 13:54 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:43 . 2010-06-23 13:54 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:43 . 2010-06-23 13:54 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-04-16 16:43 . 2010-06-23 13:54 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-12 15:29 . 2010-04-22 20:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\program files\Packard Bell\SetupMyPC\SmpSys.exe" [2009-03-18 1160736]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-05-24 102400]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2008-11-06 474168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-22 13785632]
"Camera Assistant Software"="c:\program files\Video Web Camera\traybar.exe" [2009-03-10 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-19 866824]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Packard Bell MyBackup\BackupManagerTray.exe" [2009-05-26 254720]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-10-17 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"Acer ePower Management"="c:\program files\Packard Bell\Packard Bell PowerSave Solution\ePowerTrayLauncher.exe" [2009-06-23 440864]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^***^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):58,05,15,64,64,51,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3405011576-2756577293-1254122269-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 ePowerSvc;Acer ePower Service;c:\program files\Packard Bell\Packard Bell PowerSave Solution\ePowerSvc.exe [2009-06-23 707104]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Packard Bell MyBackup\IScheduleSvc.exe [2009-05-26 62208]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-09-04 223232]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-12-29 3715072]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-05-01 64032]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.t-online.de/
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&s=2&o=vp32&d=0809&m=easynote_tj65
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\ICQ7.2\ICQ.exe
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TCP: {3D1F0CF5-833F-4458-B4BA-C59CA9CC4EBC} = 192.168.2.6,192.168.2.1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-NPSStartup - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-07-05 21:03
Windows 6.0.6002 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-07-05 21:05:32
ComboFix-quarantined-files.txt 2010-07-05 19:05
Vor Suchlauf: 7 Verzeichnis(se), 402.563.407.872 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 402.499.645.440 Bytes frei
- - End Of File - - EB35CBE51ED711DCE174C85F86AF986C
--- --- ---
regards, raik