|
Plagegeister aller Art und deren Bekämpfung: Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exeWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
06.07.2010, 13:19 | #1 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Avira Antivir hat gestern bei mir den genannten Trojaner gefunden und ihn auch in Quarantäne gestellt. Desweitern wurde mir angezeigt, dass sich das Erkennungsmuster RKIT/Bubnix.AU in C:\Windows\System32\drivers\neyrpram.sys befindet. Dies wurde auch in Quarantäne gestellt. Meine Frage ist jetzt wie kann ich diese ganz löschen? |
06.07.2010, 13:23 | #2 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe antivir wird nen grund haben diesen trojaner in quarantäne zu stecken und nicht zu löschen, warum kann ich nicht 100%ig sagen, aber bei mir gabs mal einen trojaner, der hat sich aus dem recycler-ordner (nicht papierkorb) wieder hergestellt und deswegen glaub ich, dass es besser is manche trojaner(und auch viren) in quarantäne zu lassen und sie vor allem als anfänger nicht wieder "befreien", weil wie gesagt: manche können sich selbst wiederherstellen
__________________ |
06.07.2010, 14:03 | #3 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Hallo und
__________________bitte nen Vollscan mit Malwarebytes machen und Log posten. Danach OTL: Systemscan mit OTL Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
__________________ |
06.07.2010, 14:05 | #4 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Bei den drei zuerst aufgeführten Funden wird zwar gesagt, dass diese nich in Quarantäne verschoben werden konnten, aber bei mri auf dem Rechner werden diese dort angezeigt. Also hier mal den genauen Befund: Die Datei 'C:\Windows\System32\drivers\neyrpram.sys' enthielt einen Virus oder unerwünschtes Programm 'RKIT/Bubnix.AU' [trojan]. Durchgeführte Aktion(en): Beim Versuch eine Sicherungskopie der Datei anzulegen ist ein Fehler aufgetreten und die Datei wurde nicht gelöscht. Fehlernummer: 26004. Die Quelldatei konnte nicht gefunden werden. Es wird versucht die Aktion mit Hilfe der ARK Library durchzuführen. Die Datei konnte nicht ins Quarantäneverzeichnis verschoben werden! Die Datei konnte nicht gelöscht werden! Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden. Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht. . Die Datei 'C:\Windows\System32\drivers\neyrpram.sys' enthielt einen Virus oder unerwünschtes Programm 'RKIT/Bubnix.AU' [trojan]. Durchgeführte Aktion(en): Beim Versuch eine Sicherungskopie der Datei anzulegen ist ein Fehler aufgetreten und die Datei wurde nicht gelöscht. Fehlernummer: 26004. Die Quelldatei konnte nicht gefunden werden. Es wird versucht die Aktion mit Hilfe der ARK Library durchzuführen. Die Datei konnte nicht ins Quarantäneverzeichnis verschoben werden! Die Datei konnte nicht gelöscht werden! Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden. Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht. . Die Datei 'C:\Windows\System32\drivers\neyrpram.sys' enthielt einen Virus oder unerwünschtes Programm 'RKIT/Bubnix.AU' [trojan]. Durchgeführte Aktion(en): Beim Versuch eine Sicherungskopie der Datei anzulegen ist ein Fehler aufgetreten und die Datei wurde nicht gelöscht. Fehlernummer: 26004. Die Quelldatei konnte nicht gefunden werden. Es wird versucht die Aktion mit Hilfe der ARK Library durchzuführen. Die Datei konnte nicht ins Quarantäneverzeichnis verschoben werden! Die Datei konnte nicht gelöscht werden! Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden. Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht. . Die Datei 'C:\Users\Verena\AppData\Local\Temp\svchost.exe' enthielt einen Virus oder unerwünschtes Programm 'TR/Crypt.XPACK.Gen' [trojan]. Durchgeführte Aktion(en): Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '5082414a.qua' verschoben! |
06.07.2010, 15:33 | #5 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4281 Windows 6.0.6002 Service Pack 2 Internet Explorer 8.0.6001.18928 06.07.2010 16:27:58 mbam-log-2010-07-06 (16-27-58).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|) Durchsuchte Objekte: 311090 Laufzeit: 1 Stunde(n), 7 Minute(n), 15 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 3 Infizierte Dateien: 12 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: C:\ProgramData\MPK (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\REFOG Keylogger (Refog.Keylogger) -> Quarantined and deleted successfully. Infizierte Dateien: C:\Windows\System32\drivers\neyrpram.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\ProgramData\MPK\key.bin (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\REFOG Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\1\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\REFOG Keylogger\Hilfe Themen.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\REFOG Keylogger\Jetzt bestellen!.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\REFOG Keylogger\REFOG Keylogger entfernen.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\REFOG Keylogger\REFOG Keylogger im Internet.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\ProgramData\MPK\REFOG Keylogger\REFOG Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. |
06.07.2010, 15:37 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Hast Du Dir den MPK-Keylogger mal bewusst installiert?
__________________ --> Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe |
06.07.2010, 15:40 | #7 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe OTL Logfile: Code:
ATTFilter OTL logfile created on: 06.07.2010 16:35:46 - Run 1 OTL by OldTimer - Version 3.2.7.1 Folder = C:\Users\Verena\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18928) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 62,00% Memory free 6,00 Gb Paging File | 5,00 Gb Available in Paging File | 83,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 144,09 Gb Total Space | 35,22 Gb Free Space | 24,44% Space Free | Partition Type: NTFS Drive D: | 144,00 Gb Total Space | 143,70 Gb Free Space | 99,79% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: VERENA-PC Current User Name: Verena Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Users\Verena\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation) PRC - C:\Programme\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) PRC - C:\Programme\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) PRC - C:\Programme\pdf24\pdf24.exe (Geek Software GmbH) PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH) PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH) PRC - \\?\C:\Windows\System32\wbem\WMIADAP.EXE () PRC - C:\Programme\Windows Sidebar\sidebar.exe (Microsoft Corporation) PRC - C:\Windows\explorer.exe (Microsoft Corporation) PRC - C:\Programme\OpenVPN\bin\openvpn.exe () PRC - C:\Programme\OpenVPN\bin\openvpnserv.exe () PRC - C:\Programme\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation) PRC - C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation) PRC - C:\Programme\Samsung\Easy Display Manager\dmhkcore.exe (SAMSUNG Electronics) PRC - C:\Programme\Samsung\Samsung Update Plus\SLUTrayNotifier.exe () PRC - C:\Programme\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe (Samsung Electronics Co., Ltd.) PRC - C:\Programme\Samsung\EBM\EasyBatteryMgr3.exe (SAMSUNG Electronics co., LTD.) PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) PRC - C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.) PRC - C:\Programme\Windows Media Player\wmpnetwk.exe (Microsoft Corporation) PRC - C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation) PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation) PRC - C:\Programme\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe (Samsung Electronics Co., Ltd.) PRC - C:\Programme\Common Files\microsoft shared\VS7DEBUG\MDM.EXE (Microsoft Corporation) ========== Modules (SafeList) ========== MOD - C:\Users\Verena\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation) MOD - C:\Windows\System32\BtMmHook.dll (Broadcom Corporation.) MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH) SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation) SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation) SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH) SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation) SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.) SRV - (OpenVPNService) -- C:\Programme\OpenVPN\bin\openvpnserv.exe () SRV - (EvtEng) -- C:\Programme\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation) SRV - (RegSrvc) -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation) SRV - (Samsung Update Plus) -- C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe () SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation) SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation) ========== Driver Services (SafeList) ========== DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH) DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH) DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH) DRV - (avgio) -- C:\Programme\Avira\AntiVir Desktop\avgio.sys (Avira GmbH) DRV - (UsbserFilt) -- C:\Windows\System32\drivers\usbser_lowerfltj.sys (Nokia) DRV - (upperdev) -- C:\Windows\System32\drivers\usbser_lowerflt.sys (Nokia) DRV - (nmwcdc) -- C:\Windows\System32\drivers\ccdcmbo.sys (Nokia) DRV - (nmwcd) -- C:\Windows\System32\drivers\ccdcmb.sys (Nokia) DRV - (tap0901) -- C:\Windows\System32\drivers\tap0901.sys (The OpenVPN Project) DRV - (pccsmcfd) -- C:\Windows\System32\drivers\pccsmcfd.sys (Nokia) DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation) DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation) DRV - (NETw5v32) Intel(R) -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.) DRV - (VMC302) -- C:\Windows\System32\drivers\vmc302.sys (Vimicro Corporation) DRV - (btwaudio) -- C:\Windows\System32\drivers\btwaudio.sys (Broadcom Corporation.) DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.) DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.) DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation) DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.) DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems) DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company) DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.) DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic) DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation) DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation) DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.) DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation) DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd) DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.) DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic) DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic) DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.) DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex) DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.) DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation) DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation) DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation) DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.) DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.) DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.) DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.) DRV - (yukonwlh) -- C:\Windows\System32\drivers\yk60x86.sys (Marvell) DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.) DRV - (btwrchid) -- C:\Windows\System32\drivers\btwrchid.sys (Broadcom Corporation.) DRV - (btwavdt) -- C:\Windows\System32\drivers\btwavdt.sys (Broadcom Corporation.) DRV - (KMDFMEMIO) -- C:\Windows\System32\drivers\KMDFMEMIO.sys (SAMSUNG ELECTRONICS CO., LTD.) DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\agrsm.sys (Agere Systems) DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation) DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.) DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation) DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH) DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.) DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.) DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.) DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic) DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic) DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation) DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic) DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.) DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.) DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.) DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.) DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.) DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.) DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies) DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation) DRV - (ialm) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation) DRV - (tap0801) -- C:\Windows\System32\drivers\tap0801.sys (The OpenVPN Project) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com IE - HKLM\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.) IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825 IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found IE - HKCU\..\URLSearchHook: {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "ICQ Search" FF - prefs.js..browser.search.defaultthis.engineName: "Winload Customized Web Search" FF - prefs.js..browser.search.defaulturl: "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319825&SearchSource=3&q={searchTerms}" FF - prefs.js..browser.search.selectedEngine: "Winload Customized Web Search" FF - prefs.js..browser.startup.homepage: "hxxp://search.conduit.com/?ctid=CT2319825&SearchSource=13" FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.06.29 10:43:13 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.05 12:28:58 | 000,000,000 | ---D | M] [2008.11.06 00:29:21 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\mozilla\Extensions [2010.02.05 08:28:18 | 000,000,000 | ---D | M] -- C:\Users\Verena\AppData\Roaming\mozilla\Firefox\Profiles\ajieacm6.default\extensions [2009.12.16 15:35:14 | 000,000,917 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\conduit.xml [2010.06.30 11:08:37 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-1.xml [2009.04.23 22:19:38 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-2.xml [2009.04.29 18:26:44 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-3.xml [2009.06.16 16:29:44 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-4.xml [2009.07.24 07:49:23 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-5.xml [2009.08.11 17:08:53 | 000,000,950 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin-6.xml [2009.03.25 12:49:20 | 000,000,944 | ---- | M] () -- C:\Users\Verena\AppData\Roaming\Mozilla\FireFox\Profiles\ajieacm6.default\searchplugins\icqplugin.xml [2010.07.06 11:17:14 | 000,000,000 | ---D | M] -- C:\Programme\Mozilla Firefox\extensions [2010.05.14 15:33:08 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010.05.14 15:32:58 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll [2010.03.12 15:44:48 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml [2010.03.12 15:44:48 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml [2010.03.12 15:44:48 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml [2010.03.12 15:44:48 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml [2010.03.12 15:44:48 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.) O3 - HKLM\..\Toolbar: (Winload Toolbar) - {40c3cc16-7269-4b32-9531-17f2950fb06f} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.) O3 - HKCU\..\Toolbar\WebBrowser: (Winload Toolbar) - {40C3CC16-7269-4B32-9531-17F2950FB06F} - C:\Programme\Winload\tbWin1.dll (Conduit Ltd.) O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [AppleSyncNotifier] C:\Programme\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe () O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [PDFPrint] C:\Programme\pdf24\pdf24.exe (Geek Software GmbH) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0 O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.) O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm () O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} hxxp://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab (Oberon Flash Game Host) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.6.1 O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img34.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img34.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{0da65834-163f-11df-81a9-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell - "" = AutoRun O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell - "" = Autorun O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell\Open\command - "" = RECYCLER\S-2-4-38-100026351-100008458-100006666-2738.com f:\ O33 - MountPoints2\{ee16fdb2-30fe-11de-9773-0013779efc8e}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe -- File not found O33 - MountPoints2\{ff559042-da80-11de-89eb-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010.07.06 16:34:23 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Verena\Desktop\OTL.exe [2010.07.06 16:28:38 | 000,000,000 | ---D | C] -- C:\Users\Verena\Documents\log [2010.07.06 15:09:45 | 000,000,000 | ---D | C] -- C:\Users\Verena\AppData\Roaming\Malwarebytes [2010.07.06 15:08:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010.07.06 15:08:42 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010.07.06 15:08:42 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2010.07.06 15:08:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010.07.06 14:26:19 | 000,000,000 | ---D | C] -- C:\Programme\HijackThis [2010.07.05 12:22:31 | 000,000,000 | ---D | C] -- C:\Windows\Minidump [2010.07.01 11:45:50 | 000,000,000 | ---D | C] -- C:\xampp [2010.06.29 10:35:43 | 000,000,000 | ---D | C] -- C:\Users\Verena\AppData\Local\AOL [2010.06.29 10:35:25 | 000,000,000 | ---D | C] -- C:\Programme\ICQ7.2 [2010.06.24 12:12:47 | 000,000,000 | ---D | C] -- C:\Programme\iPod [2010.06.24 12:12:46 | 000,000,000 | ---D | C] -- C:\Programme\iTunes [2010.06.24 12:09:48 | 000,000,000 | ---D | C] -- C:\Programme\Bonjour [2010.06.23 15:13:27 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe [2010.06.23 15:13:27 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll [2010.06.23 15:13:27 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll [2010.06.23 12:40:21 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll [2010.06.23 12:40:21 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll [2010.06.16 11:53:57 | 000,000,000 | ---D | C] -- C:\Programme\SPORT619D [2010.06.15 10:46:03 | 000,000,000 | ---D | C] -- C:\Users\Verena\Documents\Eignungstests [2010.06.14 11:45:45 | 000,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll [2010.06.14 11:45:45 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll [2010.06.14 11:45:43 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll [2010.06.14 11:45:33 | 002,037,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys [2010.06.14 11:45:25 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll [2010.06.14 11:45:24 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl [2010.06.14 11:45:24 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll [2010.06.14 11:45:24 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll [2010.06.14 11:45:24 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll [2010.06.14 11:45:23 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll [2010.06.14 11:45:23 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe [2010.06.14 11:45:23 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe [2010.06.14 11:45:23 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll [2010.06.14 11:45:23 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll [2010.06.14 11:45:23 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll [2010.06.14 11:45:23 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll [2010.06.14 11:45:23 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll [2010.06.14 11:45:23 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe [2010.06.14 11:45:22 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb [2006.11.24 07:14:44 | 000,139,264 | ---- | C] ( ) -- C:\Windows\System32\MACSSDK_wiz.dll [2006.11.24 07:14:44 | 000,126,976 | ---- | C] ( ) -- C:\Windows\System32\MACSSDK.dll ========== Files - Modified Within 30 Days ========== [2010.07.06 16:37:17 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\neyrpram.sys [2010.07.06 16:35:08 | 002,621,440 | -HS- | M] () -- C:\Users\Verena\NTUSER.DAT [2010.07.06 16:34:28 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Verena\Desktop\OTL.exe [2010.07.06 16:30:33 | 000,186,460 | ---- | M] () -- C:\ProgramData\nvModes.001 [2010.07.06 16:30:32 | 000,186,460 | ---- | M] () -- C:\ProgramData\nvModes.dat [2010.07.06 16:30:25 | 000,004,912 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2010.07.06 16:30:25 | 000,004,912 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2010.07.06 16:30:20 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010.07.06 16:30:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010.07.06 16:30:11 | 3215,572,992 | -HS- | M] () -- C:\hiberfil.sys [2010.07.06 16:29:38 | 000,524,288 | -HS- | M] () -- C:\Users\Verena\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms [2010.07.06 16:29:38 | 000,065,536 | -HS- | M] () -- C:\Users\Verena\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf [2010.07.06 16:29:31 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat [2010.07.06 16:29:28 | 001,355,803 | -H-- | M] () -- C:\Users\Verena\AppData\Local\IconCache.db [2010.07.06 14:30:34 | 000,001,972 | ---- | M] () -- C:\Users\Verena\Desktop\HiJackThis.lnk [2010.07.06 14:01:04 | 001,441,486 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010.07.06 14:01:04 | 000,626,780 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2010.07.06 14:01:04 | 000,594,224 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010.07.06 14:01:04 | 000,126,396 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2010.07.06 14:01:04 | 000,104,038 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010.07.06 10:20:59 | 000,036,352 | ---- | M] () -- C:\Users\Verena\Documents\WM Tipprunde.xls [2010.07.05 12:26:25 | 270,547,880 | ---- | M] () -- C:\Windows\MEMORY.DMP [2010.07.01 11:47:15 | 000,000,393 | ---- | M] () -- C:\Users\Verena\Desktop\XAMPP Control Panel.lnk [2010.06.17 13:48:11 | 000,027,648 | ---- | M] () -- C:\Users\Verena\Documents\Geburtstag_Tim.doc [2010.06.16 14:29:03 | 000,101,248 | ---- | M] () -- C:\Users\Verena\AppData\Local\GDIPFONTCACHEV1.DAT [2010.06.16 14:28:08 | 000,369,008 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010.06.16 11:55:15 | 000,000,253 | ---- | M] () -- C:\Windows\win.ini [2010.06.16 11:31:35 | 000,000,016 | -H-- | M] () -- C:\Windows\System32\servdat.slm [2010.06.16 11:30:30 | 000,000,219 | ---- | M] () -- C:\Windows\System32\lsprst7.tgz [2010.06.16 11:30:30 | 000,000,205 | ---- | M] () -- C:\Windows\System32\lsprst7.dll [2010.06.16 11:30:30 | 000,000,014 | ---- | M] () -- C:\Windows\System32\ssprs.tgz [2010.06.16 11:28:12 | 000,001,024 | ---- | M] () -- C:\Windows\System32\clauth2.dll [2010.06.16 11:28:12 | 000,001,024 | ---- | M] () -- C:\Windows\System32\clauth1.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\ssprs.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\serauth2.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\serauth1.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nsprs.tgz [2010.06.16 11:28:12 | 000,000,000 | ---- | M] () -- C:\Windows\System32\nsprs.dll [2010.06.16 11:27:12 | 000,001,025 | ---- | M] () -- C:\Windows\System32\sysprs7.tgz [2010.06.16 11:27:12 | 000,001,025 | ---- | M] () -- C:\Windows\System32\sysprs7.dll [2010.06.14 15:24:44 | 000,000,039 | ---- | M] () -- C:\Windows\vbaddin.ini ========== Files Created - No Company Name ========== [2010.07.06 14:30:34 | 000,001,972 | ---- | C] () -- C:\Users\Verena\Desktop\HiJackThis.lnk [2010.07.06 12:30:42 | 3215,572,992 | -HS- | C] () -- C:\hiberfil.sys [2010.07.05 12:22:23 | 270,547,880 | ---- | C] () -- C:\Windows\MEMORY.DMP [2010.07.01 11:47:15 | 000,000,393 | ---- | C] () -- C:\Users\Verena\Desktop\XAMPP Control Panel.lnk [2010.06.16 11:28:12 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth2.dll [2010.06.16 11:28:12 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth1.dll [2010.06.16 11:28:12 | 000,000,014 | ---- | C] () -- C:\Windows\System32\ssprs.tgz [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\ssprs.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\serauth2.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\serauth1.dll [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nsprs.tgz [2010.06.16 11:28:12 | 000,000,000 | ---- | C] () -- C:\Windows\System32\nsprs.dll [2010.06.16 11:27:13 | 000,000,219 | ---- | C] () -- C:\Windows\System32\lsprst7.tgz [2010.06.16 11:27:12 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.tgz [2010.06.16 11:27:12 | 000,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll [2010.06.16 11:27:12 | 000,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll [2010.06.16 11:27:12 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\servdat.slm [2010.06.15 13:35:43 | 000,027,648 | ---- | C] () -- C:\Users\Verena\Documents\Geburtstag_Tim.doc [2010.05.13 23:10:14 | 000,741,376 | ---- | C] () -- C:\Windows\System32\drivers\neyrpram.sys [2009.09.17 10:23:12 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2008.11.06 01:00:07 | 000,000,284 | ---- | C] () -- C:\Windows\matlab.ini [2008.11.05 10:01:19 | 000,000,534 | ---- | C] () -- C:\Windows\ODBC.INI [2008.07.08 16:50:18 | 000,000,684 | ---- | C] () -- C:\Windows\HotFixList.ini [2008.07.08 16:31:32 | 000,000,135 | R--- | C] () -- C:\Windows\System32\lngEng.ini [2008.07.08 16:31:32 | 000,000,117 | ---- | C] () -- C:\Windows\System32\lngKor.ini [2008.07.08 14:45:50 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll [2007.02.15 09:51:02 | 000,274,432 | ---- | C] () -- C:\Windows\System32\NDADLL.dll [2006.11.29 10:00:28 | 000,307,200 | ---- | C] () -- C:\Windows\System32\LDBGenWizView.dll [2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll [2006.11.02 12:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll [2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006.10.09 03:01:28 | 000,061,440 | ---- | C] () -- C:\Windows\System32\AVSAudioWideStereoDMO.dll [2003.02.20 18:53:42 | 000,005,702 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI [2001.11.14 05:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll ========== Alternate Data Streams ========== @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:48CF36A1 < End of report > |
06.07.2010, 15:42 | #8 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe OTL EXTRAS Logfile: Code:
ATTFilter OTL Extras logfile created on: 06.07.2010 16:35:47 - Run 1 OTL by OldTimer - Version 3.2.7.1 Folder = C:\Users\Verena\Desktop Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18928) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 62,00% Memory free 6,00 Gb Paging File | 5,00 Gb Available in Paging File | 83,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 144,09 Gb Total Space | 35,22 Gb Free Space | 24,44% Space Free | Partition Type: NTFS Drive D: | 144,00 Gb Total Space | 143,70 Gb Free Space | 99,79% Space Free | Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: VERENA-PC Current User Name: Verena Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" () Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-113378734-2685825776-4182880352-1003] "EnableNotifications" = 0 "EnableNotificationsRef" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{17C9712C-B0FF-4DE2-8825-DACFF07A2A6D}" = lport=445 | protocol=6 | dir=in | app=system | "{1ACC8B81-4A32-4952-B23E-3B83139AA64F}" = lport=138 | protocol=17 | dir=in | app=system | "{20000877-69F7-4346-B4CE-B9E1BB47C55E}" = rport=138 | protocol=17 | dir=out | app=system | "{2677158A-5F0E-4049-969B-0CF2018C79DB}" = rport=445 | protocol=6 | dir=out | app=system | "{3FD0B431-FA3C-48C4-97FD-5484C4111559}" = rport=137 | protocol=17 | dir=out | app=system | "{5A5CACB9-A9DC-4CA0-8C73-6ADEB81F3B58}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{B90197B0-98B8-4132-BB41-BF493DD0CD59}" = lport=139 | protocol=6 | dir=in | app=system | "{C644570E-17B8-4601-A65F-E80EE9425ABE}" = lport=137 | protocol=17 | dir=in | app=system | "{E912E8C0-725B-4AAE-89C4-D664C62E8944}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{FC0AEC55-BED7-4381-B956-96A224A80686}" = rport=139 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{1C583C8D-F7CA-43F8-93A4-435CC02A320F}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{291D306C-48AA-4223-B4A4-5D53D8E45FDD}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{31DCBC26-833A-4C18-9392-CA2E651AB737}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{35A3779F-1D36-4A27-B8DA-0771AF95C0DF}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{3A3291D1-0A9B-4AF1-A82B-3A8D1792CD0D}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{488A824F-49E4-4B26-B264-E0A76CBB9250}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{58C5113D-DAED-4A8C-BBDA-64AC31289468}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{5E921802-5CAB-447C-ADDF-357A1B489944}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{5F8C8DE1-6B64-4F99-8D3A-0A252E10F3EE}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{605444A3-46C6-4D3D-BFB7-043AD845BB30}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | "{6779FCAE-5815-46CF-89C3-D6A107FAA6AC}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{6A111E58-19FB-4938-8E1F-CBA92F24D251}" = protocol=17 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{6C708175-E552-40D1-A8A6-13CFD9899760}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "{C4201925-B526-429E-A410-76D3A9F6E55C}" = dir=in | app=c:\program files\skype\phone\skype.exe | "{C5E0CE70-5233-480B-B04C-82930B33F6FF}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{DA0FB6EE-453A-44E7-AD3C-E4553E6E4C05}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | "{DF055CF5-5EE1-4BB0-A800-5AC016DBB9D1}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{E75CBF35-506F-418D-825D-14AC26E40972}" = dir=in | app=c:\program files\cyberlink\powerdvd\powerdvd.exe | "{F3912D98-47DA-4BFE-B323-AD57CAD00D05}" = protocol=6 | dir=in | app=c:\program files\icq7.2\aolload.exe | "{F4A4C267-ABA5-402E-A1DA-6DC9232380A6}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{FE9A3759-7938-4A11-8F78-7FB9210BA2FB}" = protocol=17 | dir=in | app=c:\program files\icq7.2\icq.exe | "{FF45B251-962B-4EF4-B0FF-6B8404EC51D0}" = protocol=6 | dir=in | app=c:\program files\icq7.2\icq.exe | "{FFE802C9-B147-4651-9BE1-5B48A6CDC045}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe | "TCP Query User{3D4CDFC7-E891-45E1-9D43-E3AD48C7E823}C:\xampp\mysql\bin\mysqld.exe" = protocol=6 | dir=in | app=c:\xampp\mysql\bin\mysqld.exe | "TCP Query User{62C4C1CA-B5E8-4BE5-AC85-424C136E679F}C:\program files\icq6\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6\icq.exe | "TCP Query User{8C9FDD66-2498-48BA-805F-A5AE91C78571}C:\program files\icq6.5\icq.exe" = protocol=6 | dir=in | app=c:\program files\icq6.5\icq.exe | "TCP Query User{D0F21E8F-B8FE-4733-8583-413F2F79258F}C:\program files\packet tracer 5.0\bin\packettracer5.exe" = protocol=6 | dir=in | app=c:\program files\packet tracer 5.0\bin\packettracer5.exe | "UDP Query User{38268769-3F55-4ACB-9A8B-516A2DC381CF}C:\program files\icq6\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6\icq.exe | "UDP Query User{74F80BA2-8848-45A2-AE5B-C470AA099FD3}C:\program files\packet tracer 5.0\bin\packettracer5.exe" = protocol=17 | dir=in | app=c:\program files\packet tracer 5.0\bin\packettracer5.exe | "UDP Query User{986D05A7-8DE5-4B5B-964E-54D977607EAC}C:\program files\icq6.5\icq.exe" = protocol=17 | dir=in | app=c:\program files\icq6.5\icq.exe | "UDP Query User{CA7C2A00-8CF0-4D1B-9374-A0E800EF7C58}C:\xampp\mysql\bin\mysqld.exe" = protocol=17 | dir=in | app=c:\xampp\mysql\bin\mysqld.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{004C5DA2-2051-4D25-94BA-51CF810C91EB}" = LightScribe System Software 1.12.37.1 "{00AF10C1-44BD-4862-9D7F-24E6BA3E87FD}" = imagine digital freedom - Samsung "{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.6300 "{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32 "{04983D37-2202-4295-94A2-8B547C66133F}" = Atheros WLAN Client "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{07629207-FAA0-4F1A-8092-BF5085BE511F}" = Unterstützungsdateien für das Microsoft SQL Server-Setup (Englisch) "{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour "{0E592C31-09EF-3CA1-A7DE-05D13DFCF791}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - deu "{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}" = Samsung Recovery Solution III "{146E206D-7D2C-493A-B431-1F1D16E822AF}" = MobileMe Control Panel "{17283B95-21A8-4996-97DA-547A48DB266F}" = Easy Display Manager "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite "{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86 "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20 "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime "{32D6A58F-9659-446C-BBFC-E6F2B41F24DC}" = Samsung Magic Doctor "{36BEAD11-8577-49AD-9250-E06A50AE87B0}" = Microsoft SOAP Toolkit 2.0 SP2 "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}" = Easy Network Manager 3.0 "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies "{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8 "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD "{685707A4-911C-468D-BFC4-64A50E5E3A0C}" = Samsung Update Plus "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{6F730513-8688-4C3C-90A3-6B9792CE2EF3}" = Easy Battery Manager "{71A51B09-E7D3-11DB-A386-005056C00008}" = Vimicro UVC Camera "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6}" = ICQ7.2 "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes "{804F1285-8CBF-408D-8CDC-D4D40003B2E4}" = PlayCamera "{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1" = PDF24 Creator "{82427977-8776-4087-90CA-9F65174D3C4D}" = Nokia Connectivity Cable Driver "{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries "{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_VISPROR_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0407-0000-0000000FF1CE}_WebDesigner_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_VISPROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}_WebDesigner_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_VISPROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}_WebDesigner_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_VISPROR_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0410-0000-0000000FF1CE}_WebDesigner_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90120000-0026-0000-0000-0000000FF1CE}" = Microsoft Expression Web "{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{9037FDA8-8383-4B6F-859D-D49C3C625225}" = Microsoft Expression Web Service Pack 1 (SP1) "{90120000-0026-0407-0000-0000000FF1CE}" = Microsoft Expression Web MUI (German) "{90120000-0026-0407-0000-0000000FF1CE}_WebDesigner_{0B9EAEAC-F271-45DC-BDCB-06ABEEF19825}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2) "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-0054-0407-0000-0000000FF1CE}" = Microsoft Office Visio MUI (German) 2007 "{90120000-0054-0407-0000-0000000FF1CE}_VISPROR_{60CC0F2D-BFA0-4851-903D-809D876DD87B}" = Microsoft Office Visio 2007 Service Pack 2 (SP2) "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_VISPROR_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-006E-0407-0000-0000000FF1CE}_WebDesigner_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2) "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{90A40407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components "{91120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007 "{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2) "{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{91120407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003 "{955597D8-E5E1-474D-B647-60AC44566D24}" = Play AVStation "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components "{AC76BA86-7AD7-1031-7B44-A82000000003}" = Adobe Reader 8.2.3 - Deutsch "{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer "{B7CB0BF3-791E-44D3-9F04-786E36D51C9D}" = PC Connectivity Solution "{BA5F3E0E-8F3E-47BD-88E4-AD3EB5225F51}" = Intel(R) PROSet/Wireless WiFi-Software "{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}" = User Guide "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D5A7D7AB-3093-3619-9261-74DB250ECF7B}" = Microsoft Visual C++ 2008 Express Edition with SP1 - DEU "{EF367AA4-070B-493C-9575-85BE59D789C9}" = Easy SpeedUp Manager "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone-Konfigurationsprogramm "504244733D18C8F63FF584AEB290E3904E791693" = Windows-Treiberpaket - Nokia pccsmcfd (08/22/2008 7.0.0.0) "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Agere Systems Soft Modem" = Agere Systems HDA Modem "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v4.60 "FileZilla Client" = FileZilla Client 3.3.2 "InstallShield_{4EA8EA5D-8E46-4698-9BF7-2F2AD8E1C185}" = Easy Network Manager 3.0 "InstallShield_{685707A4-911C-468D-BFC4-64A50E5E3A0C}" = Samsung Update Plus "InstallShield_{955597D8-E5E1-474D-B647-60AC44566D24}" = Play AVStation "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "MatlabR2006b" = MATLAB R2006b "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft Visual C++ 2008 Express Edition with SP1 - DEU" = Microsoft Visual C++ 2008 Express Edition mit SP1 - DEU "Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6) "NVIDIA Drivers" = NVIDIA Drivers "OpenVPN" = OpenVPN 2.1_rc13 "Packet Tracer 5.0_is1" = Packet Tracer 5.0 "ProInst" = Intel PROSet Wireless "SPORT619" = SPORT "SynTPDeinstKey" = Synaptics Pointing Device Driver "TextMaker Viewer" = TextMaker Viewer "VISPROR" = Microsoft Office Visio Professional 2007 "VLC media player" = VLC media player 0.9.6 "WebDesigner" = Microsoft Expression Web "Winload Toolbar" = Winload Toolbar "WinRAR archiver" = WinRAR "xampp" = XAMPP 1.6.6a ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 26.05.2010 12:18:09 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 26.05.2010 12:18:14 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.05.2010 05:08:55 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 28.05.2010 05:09:36 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 28.05.2010 12:23:41 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 28.05.2010 12:23:47 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 31.05.2010 05:04:36 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 31.05.2010 05:05:39 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 31.05.2010 06:16:26 | Computer Name = Verena-PC | Source = WinMgmt | ID = 10 Description = Error - 31.05.2010 06:16:44 | Computer Name = Verena-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = [ System Events ] Error - 06.07.2010 06:34:15 | Computer Name = Verena-PC | Source = EventLog | ID = 6008 Description = Das System wurde zuvor am 06.07.2010 um 12:32:40 unerwartet heruntergefahren. Error - 06.07.2010 06:34:38 | Computer Name = Verena-PC | Source = Service Control Manager | ID = 7000 Description = Error - 06.07.2010 06:34:42 | Computer Name = Verena-PC | Source = Dhcp | ID = 1002 Description = Die IP-Adresslease 192.168.6.14 für die Netzwerkkarte mit der Netzwerkadresse 00FF4EBAD1E9 wurde durch den DHCP-Server 192.168.6.13 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet). Error - 06.07.2010 06:35:41 | Computer Name = Verena-PC | Source = Microsoft-Windows-LanguagePackSetup | ID = 1001 Description = Error - 06.07.2010 07:55:07 | Computer Name = Verena-PC | Source = Service Control Manager | ID = 7000 Description = Error - 06.07.2010 07:55:07 | Computer Name = Verena-PC | Source = Dhcp | ID = 1002 Description = Die IP-Adresslease 192.168.6.14 für die Netzwerkkarte mit der Netzwerkadresse 00FF4EBAD1E9 wurde durch den DHCP-Server 192.168.6.13 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet). Error - 06.07.2010 07:56:02 | Computer Name = Verena-PC | Source = Microsoft-Windows-LanguagePackSetup | ID = 1001 Description = Error - 06.07.2010 10:30:33 | Computer Name = Verena-PC | Source = Service Control Manager | ID = 7000 Description = Error - 06.07.2010 10:30:39 | Computer Name = Verena-PC | Source = Dhcp | ID = 1002 Description = Die IP-Adresslease 192.168.6.14 für die Netzwerkkarte mit der Netzwerkadresse 00FF4EBAD1E9 wurde durch den DHCP-Server 192.168.6.13 abgelehnt (der DHCP-Server hat eine DHCPNACK-Meldung gesendet). Error - 06.07.2010 10:31:17 | Computer Name = Verena-PC | Source = Microsoft-Windows-LanguagePackSetup | ID = 1001 Description = < End of report > |
06.07.2010, 15:45 | #9 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Also den MPK-Keylogger habe ich mir nicht bewusst installiert. |
08.07.2010, 09:42 | #10 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Wie kann ich den denn wieder runter bekommen? Weil so kann ich den nirgends finden. Bin für jede Hilfe dankbar. |
08.07.2010, 10:32 | #11 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Beende alle Programme, starte OTL und kopiere folgenden Text in die "Custom Scan/Fixes" Box (unten in OTL): (das ":OTL" muss mitkopiert werden!!!) Code:
ATTFilter :OTL O33 - MountPoints2\{0da65834-163f-11df-81a9-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell - "" = AutoRun O33 - MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell - "" = Autorun O33 - MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\Shell\Open\command - "" = RECYCLER\S-2-4-38-100026351-100008458-100006666-2738.com f:\ O33 - MountPoints2\{ee16fdb2-30fe-11de-9773-0013779efc8e}\Shell\AutoRun\command - "" = F:\wd_windows_tools\setup.exe -- File not found O33 - MountPoints2\{ff559042-da80-11de-89eb-0013779efc8e}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found [2010.07.06 16:37:17 | 000,741,376 | ---- | M] () -- C:\Windows\System32\drivers\neyrpram.sys @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:48CF36A1 :Commands [purity] [resethosts] [emptytemp] Das Logfile müsste geöffnet werden, wenn Du nach dem Fixen auf ok klickst, poste das bitte. Evtl. wird der Rechner neu gestartet.
__________________ Logfiles bitte immer in CODE-Tags posten |
08.07.2010, 11:23 | #12 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe All processes killed ========== OTL ========== Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0da65834-163f-11df-81a9-0013779efc8e}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0da65834-163f-11df-81a9-0013779efc8e}\ not found. File F:\Launcher.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48e4eda8-fc71-11de-96cc-0013779efc8e}\ not found. File G:\LaunchU3.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5d3038f1-ab0e-11dd-a31f-0013779efc8e}\ not found. File C:\RECYCLER\S-2-4-38-100026351-100008458-100006666-2738.com f:\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee16fdb2-30fe-11de-9773-0013779efc8e}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee16fdb2-30fe-11de-9773-0013779efc8e}\ not found. File F:\wd_windows_tools\setup.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff559042-da80-11de-89eb-0013779efc8e}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ff559042-da80-11de-89eb-0013779efc8e}\ not found. File F:\Launcher.exe not found. File C:\Windows\System32\drivers\neyrpram.sys not found. ADS C:\ProgramData\TEMP:48CF36A1 deleted successfully. ========== COMMANDS ========== C:\Windows\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully [EMPTYTEMP] User: All Users User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: Public User: Verena ->Temp folder emptied: 799412852 bytes ->Temporary Internet Files folder emptied: 37488978 bytes ->Java cache emptied: 8055893 bytes ->FireFox cache emptied: 86577467 bytes ->Apple Safari cache emptied: 1168326 bytes ->Flash cache emptied: 49777 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 48980035 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 936,00 mb OTL by OldTimer - Version 3.2.7.1 log created on 07082010_121908 Files\Folders moved on Reboot... Registry entries deleted on Reboot... |
08.07.2010, 12:27 | #13 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Ok. Bitte jetzt CF anwenden: ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
__________________ Logfiles bitte immer in CODE-Tags posten |
09.07.2010, 11:02 | #14 |
| Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Combofix Logfile: Code:
ATTFilter ComboFix 10-07-08.02 - Verena 09.07.2010 11:29:14.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3066.2038 [GMT 2:00] ausgeführt von:: c:\users\Verena\Desktop\cofi.exe SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\users\Public\media c:\users\Public\media\index.html c:\users\Public\media\system\css\calendar-jos.css c:\users\Public\media\system\css\index.html c:\users\Public\media\system\css\modal.css c:\users\Public\media\system\css\mootree.css c:\users\Public\media\system\images\closebox.png c:\users\Public\media\system\images\index.html c:\users\Public\media\system\images\mootree.gif c:\users\Public\media\system\images\mootree_loader.gif c:\users\Public\media\system\images\spinner.gif c:\users\Public\media\system\index.html c:\users\Public\media\system\js\calendar-setup.js c:\users\Public\media\system\js\calendar.js c:\users\Public\media\system\js\caption.js c:\users\Public\media\system\js\combobox.js c:\users\Public\media\system\js\index.html c:\users\Public\media\system\js\modal.js c:\users\Public\media\system\js\mootools-uncompressed.js c:\users\Public\media\system\js\mootools.js c:\users\Public\media\system\js\mootree.js c:\users\Public\media\system\js\mootree_packed.js c:\users\Public\media\system\js\openid.js c:\users\Public\media\system\js\swf.js c:\users\Public\media\system\js\switcher.js c:\users\Public\media\system\js\tabs.js c:\users\Public\media\system\js\uploader.js c:\users\Public\media\system\js\validate.js c:\users\Public\media\system\swf\uploader.swf c:\windows\SEC c:\windows\SEC\172100logo.bmp c:\windows\SEC\banner.png c:\windows\SEC\Computer.png c:\windows\SEC\Media _S_ Logo.png c:\windows\SEC\Samsung.png c:\windows\SEC\Samsung2.png c:\windows\SEC\SamsungLogo.png c:\windows\SEC\Wallpapers\wallpaper.jpg c:\windows\SEC\Wallpapers\wallpaper1.jpg c:\windows\SEC\Wallpapers\Wallpaper2.jpg c:\windows\system32\lsprst7.dll c:\windows\system32\nsprs.dll c:\windows\system32\serauth1.dll c:\windows\system32\serauth2.dll c:\windows\system32\ssprs.dll . ((((((((((((((((((((((( Dateien erstellt von 2010-06-09 bis 2010-07-09 )))))))))))))))))))))))))))))) . 2010-07-09 09:34 . 2010-07-09 09:34 -------- d-----w- c:\users\Verena\AppData\Local\temp 2010-07-09 09:34 . 2010-07-09 09:34 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-07-08 13:01 . 2010-07-08 13:01 -------- d-----w- c:\program files\CCleaner 2010-07-08 10:19 . 2010-07-08 10:19 -------- d-----w- C:\_OTL 2010-07-06 13:09 . 2010-07-06 13:09 -------- d-----w- c:\users\Verena\AppData\Roaming\Malwarebytes 2010-07-06 13:08 . 2010-04-29 10:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-07-06 13:08 . 2010-07-06 13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-07-06 13:08 . 2010-07-06 13:08 -------- d-----w- c:\programdata\Malwarebytes 2010-07-06 13:08 . 2010-04-29 10:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-07-06 12:30 . 2010-07-06 12:30 388096 ----a-r- c:\users\Verena\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-07-01 09:45 . 2010-07-01 09:47 -------- d-----w- C:\xampp 2010-06-29 08:35 . 2010-06-29 08:35 -------- d-----w- c:\users\Verena\AppData\Local\AOL 2010-06-29 08:35 . 2010-06-29 08:36 -------- d-----w- c:\program files\ICQ7.2 2010-06-24 10:12 . 2010-06-24 10:12 -------- d-----w- c:\program files\iPod 2010-06-24 10:12 . 2010-06-24 10:13 -------- d-----w- c:\program files\iTunes 2010-06-24 10:09 . 2010-06-24 10:09 -------- d-----w- c:\program files\Bonjour 2010-06-24 10:06 . 2010-06-24 10:06 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe 2010-06-23 13:13 . 2009-11-08 08:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll 2010-06-23 13:13 . 2009-11-08 08:55 49472 ----a-w- c:\windows\system32\netfxperf.dll 2010-06-23 13:13 . 2009-11-08 08:55 297808 ----a-w- c:\windows\system32\mscoree.dll 2010-06-23 13:13 . 2009-11-08 08:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe 2010-06-23 13:13 . 2009-11-08 08:55 1130824 ----a-w- c:\windows\system32\dfshim.dll 2010-06-23 10:40 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll 2010-06-23 10:40 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll 2010-06-16 09:53 . 2010-06-16 09:54 -------- d-----w- c:\program files\SPORT619D 2010-06-16 09:28 . 2010-06-16 09:28 1024 ----a-w- c:\windows\system32\clauth2.dll 2010-06-16 09:28 . 2010-06-16 09:28 1024 ----a-w- c:\windows\system32\clauth1.dll 2010-06-16 09:27 . 2010-06-16 09:27 1025 ----a-w- c:\windows\system32\sysprs7.dll 2010-06-14 09:45 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-07-09 09:15 . 2008-07-08 12:54 626780 ----a-w- c:\windows\system32\perfh007.dat 2010-07-09 09:15 . 2008-07-08 12:54 126396 ----a-w- c:\windows\system32\perfc007.dat 2010-07-09 09:10 . 2008-07-08 14:39 186460 ----a-w- c:\programdata\nvModes.dat 2010-07-08 13:15 . 2008-07-09 06:09 12 ----a-w- c:\windows\bthservsdp.dat 2010-07-08 12:42 . 2008-11-04 23:45 -------- d-----w- c:\users\Verena\AppData\Roaming\ICQ 2010-06-29 08:36 . 2009-06-15 18:56 -------- d-----w- c:\program files\ICQ6.5 2010-06-29 08:35 . 2008-07-08 14:13 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-06-25 12:20 . 2008-07-08 14:42 -------- d-----w- c:\program files\Microsoft.NET 2010-06-24 10:42 . 2009-02-06 15:40 -------- d-----w- c:\users\Verena\AppData\Roaming\Apple Computer 2010-06-24 10:12 . 2009-02-06 15:37 -------- d-----w- c:\program files\Common Files\Apple 2010-06-16 12:29 . 2008-11-04 17:41 101248 ----a-w- c:\users\Verena\AppData\Local\GDIPFONTCACHEV1.DAT 2010-06-15 08:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2010-06-14 13:25 . 2008-07-08 14:40 -------- d-----w- c:\programdata\Microsoft Help 2010-05-26 14:47 . 2010-06-14 09:45 289792 ----a-w- c:\windows\system32\atmfd.dll 2010-05-21 12:14 . 2009-10-03 12:31 221568 ------w- c:\windows\system32\MpSigStub.exe 2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-05-14 13:33 . 2010-05-14 13:33 -------- d-----w- c:\program files\Common Files\Java 2010-05-14 13:32 . 2010-05-14 13:33 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-05-13 21:08 . 2010-05-13 21:08 16 ----a-w- c:\users\Verena\AppData\Roaming\wqhtpi.dat 2010-05-04 05:59 . 2010-06-14 09:45 916480 ----a-w- c:\windows\system32\wininet.dll 2010-05-04 05:55 . 2010-06-14 09:45 71680 ----a-w- c:\windows\system32\iesetup.dll 2010-05-04 05:55 . 2010-06-14 09:45 109056 ----a-w- c:\windows\system32\iesysprep.dll 2010-05-04 04:31 . 2010-06-14 09:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe 2010-05-02 05:51 . 2008-12-24 17:48 589 ----a-w- c:\windows\system32\dmlg.dat 2010-05-01 14:13 . 2010-06-14 09:45 2037248 ----a-w- c:\windows\system32\win32k.sys 2010-04-23 14:13 . 2010-05-28 09:16 2048 ----a-w- c:\windows\system32\tzres.dll 2010-04-16 16:43 . 2010-06-23 10:40 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll 2010-04-16 16:43 . 2010-06-23 10:40 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll 2010-04-16 16:43 . 2010-06-23 10:40 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll 2010-04-16 16:43 . 2010-06-23 10:40 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{40c3cc16-7269-4b32-9531-17f2950fb06f}"= "c:\program files\Winload\tbWin1.dll" [2010-04-04 2349080] [HKEY_CLASSES_ROOT\clsid\{40c3cc16-7269-4b32-9531-17f2950fb06f}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40c3cc16-7269-4b32-9531-17f2950fb06f}] 2010-04-04 12:35 2349080 ----a-w- c:\program files\Winload\tbWin1.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{40c3cc16-7269-4b32-9531-17f2950fb06f}"= "c:\program files\Winload\tbWin1.dll" [2010-04-04 2349080] [HKEY_CLASSES_ROOT\clsid\{40c3cc16-7269-4b32-9531-17f2950fb06f}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{40C3CC16-7269-4B32-9531-17F2950FB06F}"= "c:\program files\Winload\tbWin1.dll" [2010-04-04 2349080] [HKEY_CLASSES_ROOT\clsid\{40c3cc16-7269-4b32-9531-17f2950fb06f}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-08 13543968] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-08 92704] "RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832] "PDFPrint"="c:\program files\pdf24\pdf24.exe" [2010-03-10 208528] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-2-12 723496] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "VistaSp2"=hex(b):41,21,30,ee,53,a6,ca,01 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-113378734-2685825776-4182880352-1003] "EnableNotificationsRef"=dword:00000001 R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624] R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504] S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336] S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2007-05-23 13312] S3 NETw5v32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows Vista 32-Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-20 3663360] S3 VMC302;Vimicro Camera Service VMC302;c:\windows\system32\Drivers\VMC302.sys [2008-04-05 242560] --- Andere Dienste/Treiber im Speicher --- *Deregistered* - neyrpram [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2008-03-17 08:56 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2319825 uInternet Settings,ProxyOverride = *.local IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\ICQ7.2\ICQ.exe FF - ProfilePath - c:\users\Verena\AppData\Roaming\Mozilla\Firefox\Profiles\ajieacm6.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319825&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Winload Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2319825&SearchSource=13 FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX Richtlinien ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net Rootkit scan 2010-07-09 11:34 Windows 6.0.6002 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\neyrpram] . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Zeit der Fertigstellung: 2010-07-09 11:36:33 ComboFix-quarantined-files.txt 2010-07-09 09:36 Vor Suchlauf: 31 Verzeichnis(se), 39.650.131.968 Bytes frei Nach Suchlauf: 36 Verzeichnis(se), 39.582.609.408 Bytes frei Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7 - - End Of File - - 2DF114DC0A46B69C9E5741A8698D0B71 |
09.07.2010, 11:19 | #15 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus
__________________ Logfiles bitte immer in CODE-Tags posten |
Themen zu Trojaner TR/Crypt.XPACK.Gen in C:\Users\***\AppData\Local\Temp\svchost.exe |
angezeigt, antivir, appdata, avira, avira antivir, c:\windows, drivers, frage, gefunde, local, local\temp, löschen, löschen?, quarantäne, refog.keylogger, rkit/bubnix.au, rojaner gefunden, svchost.exe, system, system32, temp, tr/crypt.xpack.ge, tr/crypt.xpack.gen, troja, trojaner, trojaner gefunden, trojaner tr/crypt.xpack.gen, windows |